Detectionhightest

NET NGenAssemblyUsageLog Registry Key Tamper

Detects changes to the NGenAssemblyUsageLog registry key. .NET Usage Log output location can be controlled by setting the NGenAssemblyUsageLog CLR configuration knob in the Registry or by configuring an environment variable (as described in the next section). By simplify specifying an arbitrary value (e.g. fake output location or junk data) for the expected value, a Usage Log file for the .NET execution context will not be created.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Fri Nov 18Updated Thu Aug 1728036918-04d3-423d-91c0-55ecf99fb892windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

bohops.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1112 · Modify Registry

Rule Metadata

Rule ID

28036918-04d3-423d-91c0-55ecf99fb892

Status

test

Level

high

Type

Detection

Created

Fri Nov 18

Modified

Thu Aug 17

Author

François Hubaut

Path

rules/windows/registry/registry_set/registry_set_net_cli_ngenassemblyusagelog.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1112

View on GitHub