From 339ce1a8fb2b320b5d92858ed384e5ca6c9f0478 Mon Sep 17 00:00:00 2001
From: Qazeer
Date: Mon, 13 Nov 2023 19:38:43 +0100
Subject: [PATCH 1/2] Update NETCLRUsageLogs with system-scoped files

---
 Targets/Windows/NETCLRUsageLogs.tkape | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/Targets/Windows/NETCLRUsageLogs.tkape b/Targets/Windows/NETCLRUsageLogs.tkape
index 80f6c04df..3fb480bfc 100644
--- a/Targets/Windows/NETCLRUsageLogs.tkape
+++ b/Targets/Windows/NETCLRUsageLogs.tkape
@@ -1,14 +1,21 @@
 Description: .NET CLR UsageLogs
-Author: Matias Davaro
-Version: 1.0
+Author: Matias Davaro, Thomas DIOT (Qazeer)
+Version: 1.1
 Id: f127a2a3-d86f-4ede-96e7-52193db822ad
 RecreateDirectories: true
 Targets:
     -
-        Name: .NET CLR UsageLogs
+        Name: .NET CLR UsageLogs (user-scoped)
         Category: .NET CLR UsageLogs
-        Path: C:\Users\%user%\AppData\Local\Microsoft\CLR_*\UsageLogs
+        Path: C:\Users\%user%\AppData\Local\Microsoft\CLR_*\
         Recursive: true
+        FileMask: '*.log'
+    -
+        Name: .NET CLR UsageLogs (system-scoped)
+        Category: .NET CLR UsageLogs
+        Path: C:\Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*\
+        Recursive: true
+        FileMask: '*.log'
 
 # Documentation
 # https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/

From 1c20ca5b0c811475dc2b4155b674720ff5fdea7b Mon Sep 17 00:00:00 2001
From: Qazeer
Date: Mon, 13 Nov 2023 19:40:04 +0100
Subject: [PATCH 2/2] Add NETCLRUsageLogs to CombinedLogs

---
 Targets/Compound/CombinedLogs.tkape | 63 ++++++++++++++++-------------
 1 file changed, 34 insertions(+), 29 deletions(-)

diff --git a/Targets/Compound/CombinedLogs.tkape b/Targets/Compound/CombinedLogs.tkape
index 99f938c94..ade49fa1b 100644
--- a/Targets/Compound/CombinedLogs.tkape
+++ b/Targets/Compound/CombinedLogs.tkape
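Review bot: The target's Version is bumped to 1.1, but the `# Documentation` block at the end of the hunk gets no matching changelog entry, unlike the `# v1.2 - Added ...` convention the companion CombinedLogs.tkape patch follows; add `# v1.1 - Added system-scoped (systemprofile) target and the '*.log' FileMask` after the bohops link. That block should also state that the user-scoped Path now points at `CLR_*\` rather than `CLR_*\UsageLogs` and, with `Recursive: true` plus `FileMask: '*.log'`, collects every .log file beneath any CLR_* folder, which is broader than the target name suggests and is worth recording as intended. The `C:\Windows*\` wildcard in the system-scoped Path will also match sibling directories such as Windows.old, whereas the user-scoped Path has no wildcard on its root component; if that is deliberate, say so in the Documentation block, otherwise `C:\Windows\` is the narrower choice.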
@@ -1,29 +1,34 @@
-Description: Collect Event logs, Trace logs, Windows Firewall and PowerShell console
-Author: Mike Cary, Mark Hallman added the USBDevicelogs target
-Version: 1.1
-Id: d4fdd600-15b1-4b78-bc77-88e724861d8d
-RecreateDirectories: true
-Targets:
-    -
-        Name: Windows Event Logs
-        Category: EventLogs
-        Path: EventLogs.tkape
-    -
-        Name: Event Trace Logs
-        Category: EventTraceLogs
-        Path: EventTraceLogs.tkape
-    -
-        Name: PowerShell Console Log
-        Category: PowerShellConsoleLog
-        Path: PowerShellConsole.tkape
-    -
-        Name: Windows Firewall Log
-        Category: WindowsFirewallLogs
-        Path: WindowsFirewall.tkape
-    -
-        Name: USBDevicesLogs
-        Category: USB
-        Path: USBDevicesLogs.tkape
-
-# Documentation
-# v1.1 - Added the USBDevicelogs target
+Description: Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs
+Author: Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs target
+Version: 1.2
+Id: d4fdd600-15b1-4b78-bc77-88e724861d8d
+RecreateDirectories: true
+Targets:
+    -
+        Name: Windows Event Logs
+        Category: EventLogs
+        Path: EventLogs.tkape
+    -
+        Name: Event Trace Logs
+        Category: EventTraceLogs
+        Path: EventTraceLogs.tkape
+    -
+        Name: PowerShell Console Log
+        Category: PowerShellConsoleLog
+        Path: PowerShellConsole.tkape
+    -
+        Name: Windows Firewall Log
+        Category: WindowsFirewallLogs
+        Path: WindowsFirewall.tkape
+    -
+        Name: USBDevicesLogs
+        Category: USB
+        Path: USBDevicesLogs.tkape
+    -
+        Name: .NET CLR UsageLogs
+        Category: .NET CLR UsageLogs
+        Path: NETCLRUsageLogs.tkape
+
+# Documentation
+# v1.1 - Added the USBDevicelogs target
+# v1.2 - Added the .NET CLR UsageLogs target
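Review bot: All 29 original lines are removed and re-added although only the Description, Author and Version lines and the six new lines near the end actually change, which hides the real addition behind a full-file rewrite; this pattern usually comes from a line-ending or trailing-whitespace change (inferred, not visible in the hunk text), and keeping the file's existing line endings, or landing the normalization as a separate commit, would make the addition reviewable on its own. The new entry's `Category: .NET CLR UsageLogs` also differs in style from the compact, space-free categories of its siblings (`EventLogs`, `USB`); it does match the Category used in NETCLRUsageLogs.tkape, so if spaces are acceptable in Category for this collector it can stay, otherwise both files should change together.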