One Day Sec

How does the ModuleMonitor detection tool identify CLR injection, and why is it relevant for defenders?

`ModuleMonitor` subscribes to the WMI event class `Win32_ModuleLoadTrace`, which fires for every module (DLL) loaded into any process on the host, so it observes loads in real time instead of polling. It flags a process as a CLR-injection candidate when that process loads CLR-related DLLs (e.g., `mscoree.dll`, the CLR shim; `mscoreei.dll`; `mscorlib.dll`; in general, names matching `msco*`) but its own executable is not a .NET application. This matters for defenders because the CLR normally runs only inside managed processes: a native process such as `notepad.exe` or `explorer.exe` suddenly loading `mscoree.dll` is the signature of Donut-style injection, where a loader brings the CLR into a non-.NET host to run a managed payload. A quick manual equivalent is `tasklist /m msco*`, which lists every process that currently has an `msco*` module loaded; it is a point-in-time snapshot and does not tell you whether the host is itself managed, so each hit still needs triage. Two caveats: not every hit is malicious, since a native process can legitimately host the CLR through COM interop or a managed plug-in, so baseline the machine before alerting; and a rule keyed only on `msco*` does not cover .NET Core/5+ hosting, which loads `coreclr.dll` rather than `mscoree.dll`. For more on bypassing CLR detection, see Analysis of Bypassing AppLocker Using Assembly Load.
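The detection logic described above, as an added PowerShell example (this is not ModuleMonitor's own code, which is a C# tool): it subscribes to `Win32_ModuleLoadTrace`, flags CLR DLL loads into processes whose executable is not managed, and includes a one-shot snapshot that plays the role of `tasklist /m msco*`. Assumptions: it runs in an elevated Windows PowerShell 5.1 session (`Register-WmiEvent` is not available in PowerShell 7, where `Register-CimIndicationEvent` is the replacement); "is the process a .NET application" is approximated by checking whether the process's main executable carries a CLR header, which may differ from how ModuleMonitor decides; and `clr.dll` and `coreclr.dll` are added to the page's `msco*` pattern on the assumption that the same rule applies to them.

```powershell
# Added example, not ModuleMonitor's code. Requires an elevated Windows
# PowerShell 5.1 session: the trace event classes need administrator rights.
# Functions live in the global scope because the -Action block of
# Register-WmiEvent runs outside this script's own scope.

# Module names that indicate CLR hosting. 'msco.*' is the page's msco* rule
# (mscoree.dll shim, mscoreei.dll, mscorlib.dll); clr.dll (.NET Framework 4.x
# engine) and coreclr.dll (.NET Core/5+) are added here as an assumption.
$global:ClrModulePattern = '^(msco.*|clr|coreclr)\.dll$'

function global:Test-ManagedExecutable {
    param([string]$Path)
    if (-not $Path) { return $null }              # protected process or exited: unknown
    # GetAssemblyName reads the PE's CLR header; a native image has none and the
    # call raises BadImageFormatException. This is the example's approximation
    # of "the process is itself a .NET application".
    try {
        [void][System.Reflection.AssemblyName]::GetAssemblyName($Path)
        return $true
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap MethodInvocationException
        if ($ex -is [System.BadImageFormatException]) { return $false }
        return $null                               # unreadable path: unknown, do not flag
    }
}

function global:Test-ClrInjection {
    param([string]$ModuleFileName, [int]$ProcessId)
    $leaf = [System.IO.Path]::GetFileName($ModuleFileName)
    if ($leaf -notmatch $global:ClrModulePattern) { return $false }   # not a CLR DLL
    $proc = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if (-not $proc -or -not $proc.Path) { return $false }             # nothing to judge
    # Managed executables load the CLR by design; only a native host is suspicious.
    return (Test-ManagedExecutable -Path $proc.Path) -eq $false
}

function global:Get-ClrHostSnapshot {
    # One-shot equivalent of `tasklist /m msco*`: every process currently holding
    # a CLR module, plus whether its own executable is managed (the detail
    # tasklist cannot give you).
    $ErrorActionPreference = 'Stop'                # make Modules access errors catchable
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }   # access denied / WOW64 mismatch
        $clr = @($mods | Where-Object { $_.ModuleName -match $global:ClrModulePattern })
        if ($clr.Count -gt 0) {
            [pscustomobject]@{
                Name       = $p.ProcessName
                Id         = $p.Id
                ManagedExe = Test-ManagedExecutable -Path $p.Path
                ClrModules = ($clr.ModuleName -join ', ')
            }
        }
    }
}

# Live monitoring: Win32_ModuleLoadTrace raises one event per module load system-wide.
$null = Register-WmiEvent -Class Win32_ModuleLoadTrace -SourceIdentifier 'ClrLoadWatch' -Action {
    $e = $Event.SourceEventArgs.NewEvent          # properties used: FileName, ProcessID
    if (Test-ClrInjection -ModuleFileName $e.FileName -ProcessId $e.ProcessID) {
        $p = Get-Process -Id $e.ProcessID -ErrorAction SilentlyContinue
        Write-Host ('[{0}] CLR module {1} loaded into non-.NET process {2} (PID {3})' -f (Get-Date -Format 'HH:mm:ss'), $e.FileName, $p.ProcessName, $e.ProcessID)
    }
}

# Take a baseline first so you learn which native CLR hosts are normal on this
# box (COM interop, managed plug-ins), then leave the subscription running.
# Stop it with:  Unregister-Event -SourceIdentifier 'ClrLoadWatch'
Get-ClrHostSnapshot | Format-Table -AutoSize
```

`ManagedExe` of `$false` in the snapshot is the same condition the live subscriber alerts on; entries with `$null` are processes whose image could not be read and are deliberately not flagged rather than guessed at.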
Tags: ModuleMonitor, CLR injection detection, WMI, Win32_ModuleLoadTrace, mscoree.dll, tasklist, defender
