The hypothesis is that an adversary is leveraging the .NET CLR to generate malicious usage log files to persist or exfiltrate data by mimicking legitimate process behavior. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence mechanisms and early-stage malware activity associated with T1218.
Detection Rule
title: Suspicious DotNET CLR Usage Log Artifact
id: e0b06658-7d1d-4cd3-bf15-03467507ff7c
related:
    - id: 4508a70e-97ef-4300-b62b-ff27992990ea
      type: derived
    - id: e4b63079-6198-405c-abd7-3fe8b0ce3263
      type: obsolete
status: test
description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
references:
    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
    - https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml
    - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008
    - https://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
author: frack113, omkar72, oscd.community, Wojciech Lesicki
date: 2022-11-18
modified: 2023-02-23
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: file_event
    product: windows
    definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration'
detection:
    selection:
        TargetFilename|endswith:
            - '\UsageLogs\cmstp.exe.log'
            - '\UsageLogs\cscript.exe.log'
            - '\UsageLogs\mshta.exe.log'
            - '\UsageLogs\msxsl.exe.log'
            - '\UsageLogs\regsvr32.exe.log'
            - '\UsageLogs\rundll32.exe.log'
            - '\UsageLogs\svchost.exe.log'
            - '\UsageLogs\wscript.exe.log'
            - '\UsageLogs\wmic.exe.log'
    filter_main_rundll32:
        # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity
        ParentImage|endswith: '\MsiExec.exe'
        ParentCommandLine|contains: ' -Embedding'
        Image|endswith: '\rundll32.exe'
        CommandLine|contains|all:
            - 'Temp'
            - 'zzzzInvokeManagedCustomActionOutOfProc'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675
level: high
imFileEvent
| where TargetFileName endswith "\\UsageLogs\\cmstp.exe.log"
    or TargetFileName endswith "\\UsageLogs\\cscript.exe.log"
    or TargetFileName endswith "\\UsageLogs\\mshta.exe.log"
    or TargetFileName endswith "\\UsageLogs\\msxsl.exe.log"
    or TargetFileName endswith "\\UsageLogs\\regsvr32.exe.log"
    or TargetFileName endswith "\\UsageLogs\\rundll32.exe.log"
    or TargetFileName endswith "\\UsageLogs\\svchost.exe.log"
    or TargetFileName endswith "\\UsageLogs\\wscript.exe.log"
    or TargetFileName endswith "\\UsageLogs\\wmic.exe.log"
// filter_main_rundll32 (MSI managed custom action). The Sigma Image field maps to
// ActingProcessName, not TargetFilePath: a UsageLogs .log path can never end in rundll32.exe,
// so the earlier translation of this term could never match. The ParentImage and
// ParentCommandLine terms describe the parent process; this translation only carries
// acting-process fields, so the exclusion cannot take effect until those two terms are
// moved to parent-process fields available in your connector's data.
| where not (ActingProcessName endswith "\\MsiExec.exe"
    and ActingProcessCommandLine contains " -Embedding"
    and ActingProcessName endswith "\\rundll32.exe"
    and ActingProcessCommandLine contains "Temp"
    and ActingProcessCommandLine contains "zzzzInvokeManagedCustomActionOutOfProc")
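A reference matcher for the rule's selection and filter logic, run over constructed Sysmon-style file-create events. This is an added example, not code from the Sigma project or the rule authors; the event dictionaries, the user profile path and the MSI command line are constructed samples, and it shows why the exclusion only works when the event carries the parent-process enrichment the rule comment asks for.

```python
# Added example (not the Sigma project's code): evaluates the rule above offline.
SUSPICIOUS_LOGS = (  # Sigma 'selection' list; Sigma string matching is case-insensitive
    "\\UsageLogs\\cmstp.exe.log", "\\UsageLogs\\cscript.exe.log",
    "\\UsageLogs\\mshta.exe.log", "\\UsageLogs\\msxsl.exe.log",
    "\\UsageLogs\\regsvr32.exe.log", "\\UsageLogs\\rundll32.exe.log",
    "\\UsageLogs\\svchost.exe.log", "\\UsageLogs\\wscript.exe.log",
    "\\UsageLogs\\wmic.exe.log",
)

def selection(event):
    """TargetFilename|endswith any listed UsageLogs name."""
    target = event.get("TargetFilename", "").lower()
    return any(target.endswith(s.lower()) for s in SUSPICIOUS_LOGS)

def filter_main_rundll32(event):
    """MSI managed custom action spawned by msiexec. Needs Parent*/Image/CommandLine
    enrichment; without those fields the exclusion cannot apply and the event stays flagged."""
    needed = ("ParentImage", "ParentCommandLine", "Image", "CommandLine")
    if not all(k in event for k in needed):
        return False
    cmd = event["CommandLine"].lower()
    return (event["ParentImage"].lower().endswith("\\msiexec.exe")
            and " -embedding" in event["ParentCommandLine"].lower()
            and event["Image"].lower().endswith("\\rundll32.exe")
            and "temp" in cmd and "zzzzinvokemanagedcustomactionoutofproc" in cmd)

def matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not filter_main_rundll32(event)

# Constructed Sysmon-style file-create events (not real telemetry).
UL = "C:\\Users\\u\\AppData\\Local\\Microsoft\\CLR_v4.0\\UsageLogs\\"
EVENTS = [
    {"id": "evt-1", "Image": "C:\\Windows\\System32\\mshta.exe",
     "TargetFilename": UL + "mshta.exe.log"},
    {"id": "evt-2", "Image": "C:\\Windows\\System32\\rundll32.exe",  # benign MSI custom action
     "CommandLine": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\MSI1.tmp,zzzzInvokeManagedCustomActionOutOfProc",
     "ParentImage": "C:\\Windows\\System32\\MsiExec.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\MsiExec.exe -Embedding 0A1B",
     "TargetFilename": UL + "rundll32.exe.log"},
    {"id": "evt-3", "Image": "C:\\Windows\\System32\\rundll32.exe",  # same log, no enrichment
     "TargetFilename": UL + "rundll32.exe.log"},
    {"id": "evt-4", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": UL + "powershell.exe.log"},  # CLR host not in the selection list
]

def run_detection(events):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]
```

Running `run_detection(EVENTS)` flags evt-1 and evt-3; evt-2 is excluded only because its parent-process fields are present, which is the enrichment requirement the rule's filter comment refers to.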
False Positive Scenarios

Scenario: .NET Framework Installation or Update
Description: During a .NET Framework installation or update, the CLR may generate a usage log file as part of the installation process.
Filter/Exclusion: Check for the presence of known installation tools like dotnet.exe, msiexec.exe, or setup.exe in the process tree. Exclude events where the process name matches these known installers.

Scenario: Scheduled Job or Task Running .NET Application
Description: A scheduled task or job that runs a .NET application may generate a usage log file as part of its normal operation.
Filter/Exclusion: Filter by the task name or scheduler service (e.g., schtasks.exe, Task Scheduler), and exclude events where the process is associated with a known legitimate scheduled job.

Scenario: Administrative Tool Using .NET (e.g., PowerShell or Custom Scripts)
Description: Administrative tools like PowerShell or custom .NET scripts may create usage log files during execution, especially if they interact with the .NET runtime.
Filter/Exclusion: Exclude events where the process is associated with powershell.exe or a known administrative tool, and verify the script or tool is part of standard system administration tasks.

Scenario: .NET Application for Log Collection or Monitoring
Description: Some enterprise applications use .NET for log collection or monitoring and may generate usage log files as part of their operation.
Filter/Exclusion: Filter by known monitoring or log collection tools (e.g., log4net, NLog, or Serilog), and exclude events where the process is associated with these tools.

Scenario: .NET-Based Service or Daemon Running in the Background
Description: A background .NET service or daemon may create usage log files as part of its normal operation, especially if it runs