Suspicious DotNET CLR Usage Log Artifact
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
Sigma rule
title: Suspicious DotNET CLR Usage Log Artifact
id: e0b06658-7d1d-4cd3-bf15-03467507ff7c
related:
  - id: 4508a70e-97ef-4300-b62b-ff27992990ea
    type: derived
  - id: e4b63079-6198-405c-abd7-3fe8b0ce3263
    type: obsolete
status: test
description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
references:
  - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
  - https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml
  - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
  - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
author: frack113, omkar72, oscd.community, Wojciech Lesicki
date: 2022-11-18
modified: 2023-02-23
tags:
  - attack.defense-evasion
  - attack.t1218
logsource:
  category: file_event
  product: windows
  definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration'
detection:
  selection:
    TargetFilename|endswith:
      - '\UsageLogs\cmstp.exe.log'
      - '\UsageLogs\cscript.exe.log'
      - '\UsageLogs\mshta.exe.log'
      - '\UsageLogs\msxsl.exe.log'
      - '\UsageLogs\regsvr32.exe.log'
      - '\UsageLogs\rundll32.exe.log'
      - '\UsageLogs\svchost.exe.log'
      - '\UsageLogs\wscript.exe.log'
      - '\UsageLogs\wmic.exe.log'
  filter_main_rundll32:
    # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity
    ParentImage|endswith: '\MsiExec.exe'
    ParentCommandLine|contains: ' -Embedding'
    Image|endswith: '\rundll32.exe'
    CommandLine|contains|all:
      - 'Temp'
      - 'zzzzInvokeManagedCustomActionOutOfProc'
  condition: selection and not 1 of filter_main_*
falsepositives:
  - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
level: high
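The selection, the rundll32/msiexec filter and the condition above, evaluated over constructed Sysmon Event ID 11 (FileCreate) records. This is an added Python example, not code from the Sigma project or from the rule's authors: the host name, user, command lines and file paths in the sample events are constructed, and the per-user CLR_v4.0 / CLR_v4.0_32 UsageLogs folders under %LOCALAPPDATA%\Microsoft are assumed as the usual location of the artifact. Field names follow the Sigma windows/file_event taxonomy, and every comparison is lowercased because Sigma string matching is case-insensitive by default.

```python
# Added example (not the Sigma project's code): evaluate this rule's
# selection / filter / condition logic over constructed Sysmon FileCreate events.

SUSPICIOUS_USAGE_LOGS = (
    r"\UsageLogs\cmstp.exe.log",
    r"\UsageLogs\cscript.exe.log",
    r"\UsageLogs\mshta.exe.log",
    r"\UsageLogs\msxsl.exe.log",
    r"\UsageLogs\regsvr32.exe.log",
    r"\UsageLogs\rundll32.exe.log",
    r"\UsageLogs\svchost.exe.log",
    r"\UsageLogs\wscript.exe.log",
    r"\UsageLogs\wmic.exe.log",
)


def matches_selection(event):
    """selection: TargetFilename|endswith any listed UsageLogs file name.
    The suffix match is folder-agnostic, so CLR_v4.0 and CLR_v4.0_32 both hit."""
    target = event.get("TargetFilename", "").lower()
    return any(target.endswith(name.lower()) for name in SUSPICIOUS_USAGE_LOGS)


def matches_filter_main_rundll32(event):
    """filter_main_rundll32: a Sigma map is an AND, so all four fields must match.
    Without ParentImage/ParentCommandLine/CommandLine enrichment the filter can
    never fire and the alert stands, which is the conservative outcome."""
    parent_image = event.get("ParentImage", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (
        parent_image.endswith(r"\msiexec.exe")
        and " -embedding" in parent_cmd
        and image.endswith(r"\rundll32.exe")
        and "temp" in cmd                                    # contains|all: both
        and "zzzzinvokemanagedcustomactionoutofproc" in cmd  # strings required
    )


def rule_fires(event):
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(event) and not matches_filter_main_rundll32(event)


def alerts(events):
    """TargetFilename of every event the rule would alert on, in input order."""
    return [e["TargetFilename"] for e in events if rule_fires(e)]


# Constructed sample events (hypothetical host "alice"; not real telemetry).
_LOGS64 = r"C:\Users\alice\AppData\Local\Microsoft\CLR_v4.0\UsageLogs"
_LOGS32 = r"C:\Users\alice\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs"
_EXPLORER = {"ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"}

SAMPLE_EVENTS = [
    {   # mshta.exe hosted a .NET assembly: alert
        "Image": r"C:\Windows\System32\mshta.exe",
        "TargetFilename": _LOGS64 + r"\mshta.exe.log",
        "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\stage.hta"',
        **_EXPLORER,
    },
    {   # MSI managed custom action: the documented false positive, suppressed
        "Image": r"C:\Windows\System32\rundll32.exe",
        "TargetFilename": _LOGS64 + r"\rundll32.exe.log",
        "ParentImage": r"C:\Windows\System32\MsiExec.exe",
        "ParentCommandLine": r"C:\Windows\System32\MsiExec.exe -Embedding 1A2B3C4D",
        "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\MSI5E1F.tmp",'
                       r"zzzzInvokeManagedCustomActionOutOfProc SfxCA_Stub 1",
    },
    {   # rundll32 loading a .NET DLL from Temp under explorer: 'Temp' alone does not suppress
        "Image": r"C:\Windows\System32\rundll32.exe",
        "TargetFilename": _LOGS64 + r"\rundll32.exe.log",
        "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\loader.dll,Start",
        **_EXPLORER,
    },
    {   # powershell.exe writes its own usage log routinely; not in the rule's list
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": _LOGS64 + r"\powershell.exe.log",
        "CommandLine": "powershell.exe",
        **_EXPLORER,
    },
    {   # 32-bit wscript.exe writes under CLR_v4.0_32 (assumed path): still an alert
        "Image": r"C:\Windows\SysWOW64\wscript.exe",
        "TargetFilename": _LOGS32 + r"\wscript.exe.log",
        "CommandLine": r"wscript.exe C:\Users\alice\Downloads\invoice.js",
        **_EXPLORER,
    },
]

if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT", path)
```

Two points worth noticing when porting this to a real pipeline: the filter is an AND over four enriched fields, so a FileCreate event that only carries Image and TargetFilename can never be suppressed and will alert even for the msiexec custom-action case; and because the selection is a suffix match on the file name, a .NET payload hosted in any of the listed binaries is caught regardless of which CLR_v4.0 folder the log lands in, while a host not in the list (powershell.exe above) is silently ignored rather than flagged.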
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE