NET NGenAssemblyUsageLog Registry Key Tamper

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.

Sigma rule (View on GitHub)

 1title: NET NGenAssemblyUsageLog Registry Key Tamper
 2id: 28036918-04d3-423d-91c0-55ecf99fb892
 3status: test
 4description: |
 5  Detects changes to the NGenAssemblyUsageLog registry key.
 6  .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
 7  By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.  
 8references:
 9    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
10author: frack113
11date: 2022/11/18
12modified: 2023/08/17
13tags:
14    - attack.defense_evasion
15    - attack.t1112
16logsource:
17    product: windows
18    category: registry_set
19detection:
20    selection:
21        TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog'
22    condition: selection
23falsepositives:
24    - Unknown
25level: high

References

Related rules

to-top