sigmahighHunting

NET NGenAssemblyUsageLog Registry Key Tamper

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.

MITRE ATT&CK

T1112

persistencedefense-evasion

Detection Query

selection:
  TargetObject|endswith: SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog
condition: selection

Author

frack113

Created

2022-11-18

Data Sources

windowsRegistry Set Events

Platforms

windows

References

https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/

Tags

attack.persistenceattack.defense-evasionattack.t1112

Raw Content

title: NET NGenAssemblyUsageLog Registry Key Tamper
id: 28036918-04d3-423d-91c0-55ecf99fb892
status: test
description: |
  Detects changes to the NGenAssemblyUsageLog registry key.
  .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section).
  By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.
references:
    - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
author: frack113
date: 2022-11-18
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog'
    condition: selection
falsepositives:
    - Unknown
level: high