Queries the Microsoft-Windows-DotNETRuntimeRundown provider to collect a list of DotNet modules loaded into a process. This can be useful when responding to reflectively loaded DotNet malware.
NOTE: System.Timestamp represents when the artifact was run, NOT when the module was loaded.
name: Windows.ETW.DotNetRundown
author: "@bmcder02"
description: |
Queries the Microsoft-Windows-DotNETRuntimeRundown provider to
collect a list of DotNet modules loaded into a process. This can be
useful when responding to reflectively loaded DotNet malware.
NOTE: System.Timestamp represents when the artifact was run, NOT
when the module was loaded.
type: CLIENT
parameters:
- name: ProcessRegex
default: .
type: regex
- name: PidRegex
default: .
type: regex
- name: EventIDRegex
default: .
type: regex
- name: Timeout
default: 20
type: int
sources:
- precondition:
SELECT OS From info() where OS = 'windows'
query: |
LET EventData = SELECT System.ID AS EventID, System.ProcessID AS ProcessID,
process_tracker_get(id=System.ProcessID) AS ProcessDetails,
*
FROM watch_etw(
description="CLR Rundown Provider",
guid="{A669021C-C450-4609-A035-5AF59AF4DF18}",
any=0x48, timeout=Timeout)
SELECT EventID, ProcessID, ProcessDetails.Data.Name AS ProcessName,
ProcessDetails.Data.Exe AS ProcessPath, System, EventData, ProviderGUID,
ProcessDetails
FROM EventData
WHERE EventID =~ EventIDRegex
AND ProcessID =~ PidRegex
AND ProcessPath =~ ProcessRegex