Detection rules › Sigma
Suspicious DotNET CLR Usage Log Artifact
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218 System Binary Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection
or:
TargetFilename|endswith: '\UsageLogs\cmstp.exe.log'
TargetFilename|endswith: '\UsageLogs\cscript.exe.log'
TargetFilename|endswith: '\UsageLogs\mshta.exe.log'
TargetFilename|endswith: '\UsageLogs\msxsl.exe.log'
TargetFilename|endswith: '\UsageLogs\regsvr32.exe.log'
TargetFilename|endswith: '\UsageLogs\rundll32.exe.log'
TargetFilename|endswith: '\UsageLogs\svchost.exe.log'
TargetFilename|endswith: '\UsageLogs\wmic.exe.log'
TargetFilename|endswith: '\UsageLogs\wscript.exe.log'
Stage 2: not 1 of filter_main_rundll32
CommandLine|contains: Temp
CommandLine|contains: 'zzzzInvokeManagedCustomActionOutOfProc'
Image|endswith: '\rundll32.exe'
ParentCommandLine|contains: ' -Embedding'
ParentImage|endswith: '\MsiExec.exe'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
ParentCommandLine | match |
|
ParentImage | ends_with |
|
TargetFilename | ends_with |
|