Open ghost opened 1 year ago
Added HKCU\SOFTWARE\Microsoft\.NETFramework and HKLM\SOFTWARE\Microsoft\.NETFramework, and that should cover NGenAssemblyUsageLog and COMPlus_NGenAssemblyUsageLog.
File create rules appear not to exclude the directory location, but it is not special in the config either. But should capture log file creation.
REF: https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
File Locations:
look for filenames with .log ext
Reg mod locations:
Reg key changes:
NGenAssemblyUsageLog COMPlus_NGenAssemblyUsageLog
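
An added example, not part of the original issue or the project's configuration: a Python check for the registry changes listed above, run over constructed Sysmon-style registry events. It assumes Sysmon reports HKCU paths as `HKU\<SID>\...`; the function name, field selection and sample records are hypothetical.

```python
import re

# Value names taken from the issue text (compared case-insensitively).
WATCHED_VALUES = {"ngenassemblyusagelog", "complus_ngenassemblyusagelog"}

# Sysmon registry events: 12 = create/delete, 13 = value set, 14 = rename.
REGISTRY_EVENT_IDS = {12, 13, 14}

# A literal "HKCU\..." match can miss per-user changes, because Sysmon
# writes them as HKU\<SID>\... (assumption stated in the lead-in).
KEY_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\SOFTWARE\\Microsoft\\\.NETFramework\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

def find_usage_log_changes(events):
    """Return registry events that touch the watched .NET usage-log values."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in REGISTRY_EVENT_IDS:
            continue  # e.g. file-create events are handled by other rules
        m = KEY_RE.match(ev.get("TargetObject", ""))
        if not m or m.group("value").lower() not in WATCHED_VALUES:
            continue  # other values under .NETFramework are not of interest
        scope = "machine" if m.group("hive").upper() == "HKLM" else "user"
        hits.append({"scope": scope, "value": m.group("value"),
                     "image": ev.get("Image", "")})
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\SOFTWARE\Microsoft\.NETFramework\NGenAssemblyUsageLog"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\COMPlus_NGenAssemblyUsageLog"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\.NETFramework\InstallRoot"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Temp\example.log"},
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"hklm\software\microsoft\.netframework\ngenassemblyusagelog"},
]

if __name__ == "__main__":
    for hit in find_usage_log_changes(SAMPLE_EVENTS):
        print(hit)
```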