From cf60438c93dc89e8e01a5ab9e4e8bdf0aeb86e86 Mon Sep 17 00:00:00 2001
From: omkar72
Date: Mon, 12 Oct 2020 18:42:09 +0530
Subject: [PATCH] clr logs creation
---
.../file_event/sysmon_susp_clr_logs.yml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/windows/file_event/sysmon_susp_clr_logs.yml
diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml
new file mode 100644
index 000000000..64a46c51c
--- /dev/null
+++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml
@@ -0,0 +1,27 @@
+title: Susopcious CLR Logs Creation
+id: e4b63079-6198-405c-abd7-3fe8b0ce3263
+status: experimental
+description: Detects suspicious .NET assembly executions
+references:
+ - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+tags:
+ - attack.execution
+ - attack.t1059.001
+author: omkar72, oscd.community
+date: 2020/10/12
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 11
+ TargetFilename|endswith:
+ - '\AppData\Local\Microsoft\CLR*\UsageLogs\mshta*'
+ - '\AppData\Local\Microsoft\CLR*\UsageLogs\cscript*'
+ - '\AppData\Local\Microsoft\CLR*\UsageLogs\wscript*'
+ - '\AppData\Local\Microsoft\CLR*\UsageLogs\regsvr32*'
+ - '\AppData\Local\Microsoft\CLR*\UsageLogs\wmic*'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
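Review bot: Every `TargetFilename|endswith` value already ends in `*`, so the `endswith` modifier adds nothing, and the `CLR*` wildcard in the middle of the value relies on the backend still expanding `*` inside a modified string, which is not guaranteed across converters; splitting the match into `contains` terms, as below, expresses the intent without depending on that. The `attack.t1059.001` tag (PowerShell) does not match the binaries the rule keys on (mshta, cscript, wscript, regsvr32, wmic); `attack.t1218` under `attack.defense_evasion` fits the signed-binary-proxy angle better, and the title has a typo, `Susopcious` → `Suspicious`. The description could say what actually fires the rule: `description: Detects creation of .NET CLR usage log files by script hosts and other signed Windows binaries, indicating managed code was loaded into a process that does not normally host it`. `level: high` with `falsepositives: Unknown` and no exclusions deserves a second look, since scripts that legitimately load .NET components may also produce these files.
```yaml
detection:
    selection:
        EventID: 11
        TargetFilename|contains|all:
            - '\AppData\Local\Microsoft\CLR'
            - '\UsageLogs\'
        TargetFilename|contains:
            - '\UsageLogs\mshta'
            - '\UsageLogs\cscript'
            - '\UsageLogs\wscript'
            - '\UsageLogs\regsvr32'
            - '\UsageLogs\wmic'
    condition: selection
# … unchanged: falsepositives, level …
```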