-
Notifications
You must be signed in to change notification settings - Fork 196
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add NETCLRUsageLogs to a compound target #846
Comments
@Qazeer sorry for the delay, been busy the last few days. I'm thinking |
Hi @AndrewRathbun! No problem for the delay of course. I would personally vote for including the .NET CLR UsageLogs under KapeTriage, as they can shed light on in memory .NET assembly execution, something that is otherwise hard to detect from disk artefacts. From my limited testing, there should be a small number of legitimate entries (for a small total size as well). I don't have access to more endpoint telemetry at the moment, but could do more testing (in a little while though). |
I think I'd need to see example artifacts to better understand the size, scope, etc. I'll try to generate some this week or see if these are on disk already for review. Kroll uses KapeTriage as our standard remote pull so I'm hesitant to add anything without looking at the data myself and confirming it won't be adding a large amount of unnecessary data to every remote pull. |
I was looking at some of these artifacts on my system and I wasn't seeing any evidence of execution artifacts on here. Are you seeing something different? Sure, I'm seeing like Fences.exe.log, but inside the .log file there doesn't appear to be anything forensically interesting. |
Sorry for the late reply. As far as I know, the content of the .log files are indeed meaningless from a forensic standpoint. However, the mere presence of a file can be an indicator of a (potentially in memory) So simply listing the files, and their timestamps, would be sufficient. But for a Kape collection, I would personally collect the files by default, as there should generally be a limited number of (text and small) files. |
CombinedLogs is a better fit, IMO. Did you want to do the PR? I can if you're not able. |
I can do the PR, no problem :) |
Hello!
The .NET CLR UsageLogs (target
NETCLRUsageLogs
) seem relevant enough to be added to either theEvidenceOfExecution
orCombinedLogs
compound target (or may be directly to theKapeTriage
target). I can do a PR to do so, but would prefer a validation on which compound target to update first.The text was updated successfully, but these errors were encountered: