diff --git a/Targets/Compound/CombinedLogs.tkape b/Targets/Compound/CombinedLogs.tkape
index 99f938c94..ade49fa1b 100644
--- a/Targets/Compound/CombinedLogs.tkape
+++ b/Targets/Compound/CombinedLogs.tkape
@@ -1,29 +1,34 @@
-Description: Collect Event logs, Trace logs, Windows Firewall and PowerShell console
-Author: Mike Cary, Mark Hallman added the USBDevicelogs target
-Version: 1.1
-Id: d4fdd600-15b1-4b78-bc77-88e724861d8d
-RecreateDirectories: true
-Targets:
- -
- Name: Windows Event Logs
- Category: EventLogs
- Path: EventLogs.tkape
- -
- Name: Event Trace Logs
- Category: EventTraceLogs
- Path: EventTraceLogs.tkape
- -
- Name: PowerShell Console Log
- Category: PowerShellConsoleLog
- Path: PowerShellConsole.tkape
- -
- Name: Windows Firewall Log
- Category: WindowsFirewallLogs
- Path: WindowsFirewall.tkape
- -
- Name: USBDevicesLogs
- Category: USB
- Path: USBDevicesLogs.tkape
-
-# Documentation
-# v1.1 - Added the USBDevicelogs target
+Description: Collect Event logs, Trace logs, Windows Firewall, PowerShell console logs, and .NET CLR UsageLogs
+Author: Mike Cary, Mark Hallman added the USBDevicelogs target, Thomas DIOT (Qazeer) added the .NET CLR UsageLogs target
+Version: 1.2
+Id: d4fdd600-15b1-4b78-bc77-88e724861d8d
+RecreateDirectories: true
+Targets:
+ -
+ Name: Windows Event Logs
+ Category: EventLogs
+ Path: EventLogs.tkape
+ -
+ Name: Event Trace Logs
+ Category: EventTraceLogs
+ Path: EventTraceLogs.tkape
+ -
+ Name: PowerShell Console Log
+ Category: PowerShellConsoleLog
+ Path: PowerShellConsole.tkape
+ -
+ Name: Windows Firewall Log
+ Category: WindowsFirewallLogs
+ Path: WindowsFirewall.tkape
+ -
+ Name: USBDevicesLogs
+ Category: USB
+ Path: USBDevicesLogs.tkape
+ -
+ Name: .NET CLR UsageLogs
+ Category: .NET CLR UsageLogs
+ Path: NETCLRUsageLogs.tkape
+
+# Documentation
+# v1.1 - Added the USBDevicelogs target
+# v1.2 - Added the .NET CLR UsageLogs target
diff --git a/Targets/Windows/NETCLRUsageLogs.tkape b/Targets/Windows/NETCLRUsageLogs.tkape
index 80f6c04df..3fb480bfc 100644
--- a/Targets/Windows/NETCLRUsageLogs.tkape
+++ b/Targets/Windows/NETCLRUsageLogs.tkape
@@ -1,14 +1,21 @@
 Description: .NET CLR UsageLogs
-Author: Matias Davaro
-Version: 1.0
+Author: Matias Davaro, Thomas DIOT (Qazeer)
+Version: 1.1
 Id: f127a2a3-d86f-4ede-96e7-52193db822ad
 RecreateDirectories: true
 Targets:
 -
- Name: .NET CLR UsageLogs
+ Name: .NET CLR UsageLogs (user-scoped)
 Category: .NET CLR UsageLogs
- Path: C:\Users\%user%\AppData\Local\Microsoft\CLR_*\UsageLogs
+ Path: C:\Users\%user%\AppData\Local\Microsoft\CLR_*\
 Recursive: true
+ FileMask: '*.log'
+ -
+ Name: .NET CLR UsageLogs (system-scoped)
+ Category: .NET CLR UsageLogs
+ Path: C:\Windows*\System32\config\systemprofile\AppData\Local\Microsoft\CLR_*\
+ Recursive: true
+ FileMask: '*.log'
 
 # Documentation
 # https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
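Review bot: The new system-scoped entry reaches only the systemprofile folder, so CLR_* directories written by services running as LocalService or NetworkService — which presumably live under C:\Windows\ServiceProfiles\<account>\AppData\Local\Microsoft rather than under C:\Users — are still covered by neither path, and the %user% pattern on the first entry looks like it expands only to profiles under C:\Users. If this target is meant to be the complete collector that CombinedLogs.tkape now pulls in, a third entry with a wildcard over ServiceProfiles closes that gap (below). Moving from the UsageLogs subfolder up to CLR_*\ while adding FileMask '*.log' also quietly drops any non-.log file that the previous Recursive collection of UsageLogs would have captured, which is worth a one-line comment so a reader knows the narrowing is intentional. The Documentation block at the bottom gained no changelog line for this version bump, unlike the parallel edit to CombinedLogs.tkape; `# v1.1 - Added the system-scoped path and a '*.log' FileMask` keeps the two files consistent.
```yaml
# … unchanged: user-scoped and system-scoped entries …
    -
        Name: .NET CLR UsageLogs (service-profile-scoped)
        Category: .NET CLR UsageLogs
        Path: C:\Windows*\ServiceProfiles\*\AppData\Local\Microsoft\CLR_*\
        Recursive: true
        FileMask: '*.log'
```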