What Changed
Added a new hunting query targeting in-memory .NET execution that remains effective even when adversaries patch Event Tracing for Windows (ETW) to evade detection.
Detection Logic
- Primary data source: DeviceImageLoadEvents (kernel-driven telemetry via PsSetLoadImageNotifyRoutine)
- Core logic: detects when native Windows binaries or processes in user-writable directories unexpectedly load .NET runtime DLLs (clr.dll, mscoree.dll, mscorwks.dll, coreclr.dll)
- Entity types: Host, Account, Process
- Behavioral filters include LOLBin hijacking detection and suspicious staging path analysis
Security Impact (Visibility & Fidelity)
This query addresses a critical detection gap in which advanced malware can bypass traditional in-memory execution alerts. Adversaries commonly patch user-mode ETW functions (such as ntdll.dll!EtwEventWrite) so that EDRs never observe ClrUnbackedModuleLoaded events. This query shifts detection to the kernel-level prerequisite behavior (the image-load callback that fires when the .NET runtime DLLs are mapped), which user-mode malware cannot intercept or patch.
Key behavioral indicators:
- Native C/C++ Windows tools (rundll32.exe, mshta.exe, wscript.exe) unexpectedly loading the .NET engine
- Executables from high-risk user-writable directories (AppData, Temp, ProgramData) loading .NET runtime
- Provides resilient fallback when ETW telemetry is compromised
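The following is an added illustrative hunting query covering the detection logic and behavioral indicators described above; it is not the query shipped in AnomalousNETRuntimeFilelessInjection.yaml. It assumes the Microsoft 365 Defender DeviceImageLoadEvents schema and interprets "LOLBin hijacking" as a native tool running under a renamed binary or from outside the Windows system directories.

```kql
// Added illustrative query, not the PR's own query. Column names follow the
// Microsoft 365 Defender DeviceImageLoadEvents schema (kernel image-load telemetry).
let lookback = 7d;
// .NET runtime engine modules whose load is the kernel-visible prerequisite for CLR execution
let clrModules = dynamic(["clr.dll", "mscoree.dll", "mscorwks.dll", "coreclr.dll"]);
// Native Windows tools that do not normally host the CLR
let nativeTools = dynamic(["rundll32.exe", "mshta.exe", "wscript.exe"]);
// User-writable staging locations
let stagingPaths = dynamic([@"\AppData\", @"\Temp\", @"\ProgramData\"]);
let systemDirs = dynamic([@"\Windows\System32\", @"\Windows\SysWOW64\"]);
DeviceImageLoadEvents
| where Timestamp > ago(lookback)
| where FileName in~ (clrModules)
| extend IsNativeTool = InitiatingProcessFileName in~ (nativeTools)
| extend IsStagingPath = InitiatingProcessFolderPath has_any (stagingPaths)
// Hijacking heuristics (assumption): the PE's original file name is a native tool
// but the on-disk name differs, or a native tool runs outside the system directories
| extend IsRenamedTool = InitiatingProcessVersionInfoOriginalFileName in~ (nativeTools)
    and InitiatingProcessVersionInfoOriginalFileName !~ InitiatingProcessFileName
| extend IsRelocatedTool = IsNativeTool and not(InitiatingProcessFolderPath has_any (systemDirs))
| where IsNativeTool or IsStagingPath or IsRenamedTool
// One row per loading process; list which CLR modules it pulled in
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    ClrModulesLoaded = make_set(FileName),
    ReportId = take_any(ReportId)
    by DeviceId, DeviceName, InitiatingProcessAccountDomain, InitiatingProcessAccountName,
       InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessFolderPath,
       InitiatingProcessCommandLine, InitiatingProcessSHA256,
       IsNativeTool, IsStagingPath, IsRenamedTool, IsRelocatedTool
| extend SeverityRank = case(
    IsRenamedTool or IsRelocatedTool, 3,
    IsNativeTool, 2,
    1)
| extend Severity = case(SeverityRank == 3, "High", SeverityRank == 2, "Medium", "Low")
// Leading columns feed the Host (DeviceName), Account (InitiatingProcessAccountName)
// and Process (InitiatingProcessId / InitiatingProcessCommandLine) entity mappings
| project-reorder Severity, FirstSeen, LastSeen, DeviceName, InitiatingProcessAccountName,
    InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
    ClrModulesLoaded
| order by SeverityRank desc, LastSeen desc
```

Legitimate .NET-hosting installers under ProgramData will surface in the "Low" tier, so an allowlist on InitiatingProcessSHA256 or signer is the expected tuning step before scheduling this as a rule.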
MITRE Mapping
- Defense Evasion (T1562.001): Disable or Modify Tools - targeting ETW patching techniques
- Execution (T1055): Process Injection - detecting fileless .NET injection methods
Affected Files
Hunting Queries/Microsoft 365 Defender/Defense evasion/AnomalousNETRuntimeFilelessInjection.yaml