Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add NETCLRUsageLogs to a compound target #846

Closed
Qazeer opened this issue Aug 3, 2023 · 7 comments · Fixed by #885
Closed

Add NETCLRUsageLogs to a compound target #846

Qazeer opened this issue Aug 3, 2023 · 7 comments · Fixed by #885
Assignees
Labels
enhancement New feature or request

Comments

@Qazeer
Copy link
Contributor

Qazeer commented Aug 3, 2023

Hello!

The .NET CLR UsageLogs (target NETCLRUsageLogs) seem relevant enough to be added to either the EvidenceOfExecution or CombinedLogs compound target (or may be directly to the KapeTriage target). I can do a PR to do so, but would prefer a validation on which compound target to update first.

@Qazeer Qazeer added the enhancement New feature or request label Aug 3, 2023
@AndrewRathbun
Copy link
Collaborator

@Qazeer sorry for the delay, been busy the last few days. I'm thinking CombinedLogs, if anything. What do you think? The other two options would fall under KapeTriage so I personally think it should be an add-on to KapeTriage rather than included in it, but happy to hear arguments to the contrary.

@AndrewRathbun AndrewRathbun self-assigned this Aug 6, 2023
@Qazeer
Copy link
Contributor Author

Qazeer commented Aug 7, 2023

Hi @AndrewRathbun!

No problem for the delay of course.

I would personally vote for including the .NET CLR UsageLogs under KapeTriage, as they can shed light on in memory .NET assembly execution, something that is otherwise hard to detect from disk artefacts.

From my limited testing, there should be a small number of legitimate entries (for a small total size as well). I don't have access to more endpoint telemetry at the moment, but could do more testing (in a little while though).

@AndrewRathbun
Copy link
Collaborator

I think I'd need to see example artifacts to better understand the size, scope, etc. I'll try to generate some this week or see if these are on disk already for review. Kroll uses KapeTriage as our standard remote pull so I'm hesitant to add anything without looking at the data myself and confirming it won't be adding a large amount of unnecessary data to every remote pull.

@AndrewRathbun
Copy link
Collaborator

I was looking at some of these artifacts on my system and I wasn't seeing any evidence of execution artifacts on here. Are you seeing something different? Sure, I'm seeing like Fences.exe.log, but inside the .log file there doesn't appear to be anything forensically interesting.

@Qazeer
Copy link
Contributor Author

Qazeer commented Nov 13, 2023

Sorry for the late reply.

As far as I know, the content of the .log files are indeed meaningless from a forensic standpoint. However, the mere presence of a file can be an indicator of a (potentially in memory) .NET assembly execution, as detailed by Bohops in the blog post Investigating .NET CLR usage log tampering techniques for edr evasion.

So simply listing the files, and their timestamps, would be sufficient. But for a Kape collection, I would personally collect the files by default, as there should generally be a limited number of (text and small) files. CombinedLogs can also be an option, up to you!

@AndrewRathbun
Copy link
Collaborator

CombinedLogs is a better fit, IMO. Did you want to do the PR? I can if you're not able.

@Qazeer
Copy link
Contributor Author

Qazeer commented Nov 13, 2023

I can do the PR, no problem :)

@AndrewRathbun AndrewRathbun linked a pull request Nov 13, 2023 that will close this issue
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants