Merge pull request #885 from Qazeer/NETCLRUsageLogs-update

NETCLRUsageLogs-update
EricZimmerman · Nov 13, 2023 · 5492483 · 5492483
2 parents 1635a37 + 1c20ca5
commit 5492483
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 33 deletions.
diff --git a/Targets/Compound/CombinedLogs.tkape b/Targets/Compound/CombinedLogs.tkape
@@ -1,29 +1,34 @@
-Description: Collect Event logs, Trace logs, Windows Firewall and PowerShell console
-Author: Mike Cary, Mark Hallman added the USBDevicelogs target
-Version: 1.1
-Id: d4fdd600-15b1-4b78-bc77-88e724861d8d
-RecreateDirectories: true
-Targets:
-    -
-        Name: Windows Event Logs
-        Category: EventLogs
-        Path: EventLogs.tkape
-    -
-        Name: Event Trace Logs
-        Category: EventTraceLogs
-        Path: EventTraceLogs.tkape
-    -
-        Name: PowerShell Console Log
-        Category: PowerShellConsoleLog
-        Path: PowerShellConsole.tkape
-    -
-        Name: Windows Firewall Log
-        Category: WindowsFirewallLogs
-        Path: WindowsFirewall.tkape
-    -
-        Name: USBDevicesLogs
-        Category: USB
-        Path: USBDevicesLogs.tkape
-
-# Documentation
-# v1.1 - Added the USBDevicelogs target
+Description: Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs
+Author: Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs target
+Version: 1.2
+Id: d4fdd600-15b1-4b78-bc77-88e724861d8d
+RecreateDirectories: true
+Targets:
+    -
+        Name: Windows Event Logs
+        Category: EventLogs
+        Path: EventLogs.tkape
+    -
+        Name: Event Trace Logs
+        Category: EventTraceLogs
+        Path: EventTraceLogs.tkape
+    -
+        Name: PowerShell Console Log
+        Category: PowerShellConsoleLog
+        Path: PowerShellConsole.tkape
+    -
+        Name: Windows Firewall Log
+        Category: WindowsFirewallLogs
+        Path: WindowsFirewall.tkape
+    -
+        Name: USBDevicesLogs
+        Category: USB
+        Path: USBDevicesLogs.tkape
+    -
+        Name: .NET CLR UsageLogs
+        Category: .NET CLR UsageLogs
+        Path: NETCLRUsageLogs.tkape
+
+# Documentation
+# v1.1 - Added the USBDevicelogs target
+# v1.2 - Added the .NET CLR UsageLogs target
diff --git a/Targets/Windows/NETCLRUsageLogs.tkape b/Targets/Windows/NETCLRUsageLogs.tkape
@@ -1,14 +1,21 @@
 Description: .NET CLR UsageLogs
-Author: Matias Davaro
-Version: 1.0
+Author: Matias Davaro, Thomas DIOT (Qazeer)
+Version: 1.1
 Id: f127a2a3-d86f-4ede-96e7-52193db822ad
 RecreateDirectories: true
 Targets:
     -
-        Name: .NET CLR UsageLogs
+        Name: .NET CLR UsageLogs (user-scoped)
         Category: .NET CLR UsageLogs
-        Path: C:\Users\%user%\AppData\Local\Microsoft\CLR_*\UsageLogs
+        Path: C:\Users\%user%\AppData\Local\Microsoft\CLR_*\
         Recursive: true
+        FileMask: '*.log'
+    -
+        Name: .NET CLR UsageLogs (system-scoped)
+        Category: .NET CLR UsageLogs
+        Path: C:\Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*\
+        Recursive: true
+        FileMask: '*.log'
 
 # Documentation
 # https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/