NET NGenAssemblyUsageLog Registry Key Tamper
Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
Sigma rule (View on GitHub)
1title: NET NGenAssemblyUsageLog Registry Key Tamper
2id: 28036918-04d3-423d-91c0-55ecf99fb892
3status: test
4description: |
5 Detects changes to the NGenAssemblyUsageLog registry key.
6 .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
7 By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
8references:
9 - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
10author: frack113
11date: 2022-11-18
12modified: 2023-08-17
13tags:
14 - attack.persistence
15 - attack.defense-evasion
16 - attack.t1112
17logsource:
18 product: windows
19 category: registry_set
20detection:
21 selection:
22 TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
Introduction In recent years, there have been numerous published techniques for evading endpoint security solutions and sources such as A/V, EDR and logging facilities. The methods deployed to achi…
Read More
Related rules
- Activate Suppression of Windows Security Center Notifications
- Add DisallowRun Execution to Registry
- Allow RDP Remote Assistance Feature
- Blackbyte Ransomware Registry
- Blue Mockingbird