Suspicious DotNET CLR Usage Log Artifact (e0b06658-7d1d-4cd3-bf15-03467507ff7c)
Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Suspicious DotNET CLR Usage Log Artifact (e0b06658-7d1d-4cd3-bf15-03467507ff7c) | Sigma-Rules | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 1 |