Detecting .NET/C# injection (Execute-Assembly)

| tstats summariesonly=t dc(sourcetype) as dc_s values(md5) as md5 values(process) as process values(parent_process) as parent_process values(parent_process_id) as parent_process_id values(process_path) as process_path values(parent_process_path) as parent_process_path values(file_name) as file_name values(sourcetype) as sourcetype latest(_time) as ltime dc(file_name) as dc_fn
where index=main
(sourcetype=processes parent_process=* (parent_process!=services.exe process!=*-k* process_name=svchost.exe) NOT (parent_process=userinit.exe AND process_name=explorer.exe))
OR (sourcetype=imageload file_name IN (clr.dll, clrjit.dll, msco*.dll) process_path!="*.net\\*")
by process_name,process_id,index,host,user

| stats values(*) as * by process_name,parent_process,parent_process_path,process_id,parent_process_id,index,dest,user
| rex field=parent_process_path "(?P<filename>[^\\\]+)$"
| where dc_s = 2 AND dc_fn >= 5 AND like(filename,parent_process)

| eventstats count as total
| eventstats dc(process_id) as dc_childprocid-to-parentprocid by parent_process_id,host
| eventstats dc(host) as uniqueDest_by_process_name by process_name
| eventstats dc(host) as uniqueDest_by_parent_process by parent_process
| eval unique_process = (uniqueDest_by_process_name / total) * 100
| eval unique_parent_process = (uniqueDest_by_parent_process / total) * 100

Example #1 — svchost spawned by explorer or vssapi
Example #1 — additional stats
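The query is given without a prose walkthrough, so the following is an added, runnable Python re-implementation of its correlation logic (editor-added example code, not from the original article or from any Splunk content). It assumes constructed sample events carrying the same field names the SPL reads (sourcetype, host, process_id, process_name, process, parent_process, parent_process_path, process_path, file_name), groups by (host, process_id) rather than the full tstats by-clause (index and user are left out), treats like(filename, parent_process) as a plain case-insensitive equality because parent_process carries no SQL wildcards, and does not compute the eventstats rarity percentages from the end of the query. The point it shows is why both branches are needed: an svchost.exe with an odd parent that never loads the CLR, and a normal services.exe-spawned svchost.exe that does load it, both fall short of dc_s = 2, while a managed binary under a .NET directory never matches the imageload branch at all.

```python
import fnmatch
from collections import defaultdict

# file_name IN (clr.dll, clrjit.dll, msco*.dll) and process_path!="*.net\\*" from the SPL
CLR_FILE_PATTERNS = ("clr.dll", "clrjit.dll", "msco*.dll")
DOTNET_PATH_PATTERN = "*.net\\*"


def _low(s):
    return (s or "").lower()


def is_clr_dll(file_name):
    """Case-insensitive match of a loaded image name against the CLR DLL patterns."""
    return any(fnmatch.fnmatch(_low(file_name), p) for p in CLR_FILE_PATTERNS)


def process_branch(ev):
    """sourcetype=processes branch: svchost.exe with a parent other than services.exe and no -k group,
    excluding the userinit.exe -> explorer.exe logon chain."""
    if ev["sourcetype"] != "processes" or not ev.get("parent_process"):
        return False
    if _low(ev["parent_process"]) == "userinit.exe" and _low(ev["process_name"]) == "explorer.exe":
        return False
    return (_low(ev["parent_process"]) != "services.exe"
            and "-k" not in _low(ev.get("process"))
            and _low(ev["process_name"]) == "svchost.exe")


def imageload_branch(ev):
    """sourcetype=imageload branch: a CLR DLL loaded by an image that does not live under a .NET directory."""
    return (ev["sourcetype"] == "imageload"
            and is_clr_dll(ev.get("file_name"))
            and not fnmatch.fnmatch(_low(ev.get("process_path")), DOTNET_PATH_PATTERN))


def detect(events):
    """Group matching events per (host, process_id) and apply the where-clause thresholds:
    dc(sourcetype) == 2, dc(file_name) >= 5, basename(parent_process_path) == parent_process."""
    groups = defaultdict(lambda: {"sourcetypes": set(), "file_names": set(), "process_name": None,
                                  "parent_process": None, "parent_process_path": None})
    for ev in events:
        if not (process_branch(ev) or imageload_branch(ev)):
            continue
        g = groups[(ev["host"], ev["process_id"])]
        g["sourcetypes"].add(ev["sourcetype"])
        g["process_name"] = ev["process_name"]
        if ev.get("file_name"):
            g["file_names"].add(_low(ev["file_name"]))
        if ev.get("parent_process"):
            g["parent_process"] = ev["parent_process"]
            g["parent_process_path"] = ev.get("parent_process_path")

    hits = []
    for (host, pid), g in groups.items():
        filename = (g["parent_process_path"] or "").rsplit("\\", 1)[-1]  # the rex last-path-component
        if (len(g["sourcetypes"]) == 2 and len(g["file_names"]) >= 5
                and _low(filename) == _low(g["parent_process"])):
            hits.append({"host": host, "process_id": pid, "process_name": g["process_name"],
                         "parent_process": g["parent_process"], "clr_dlls": sorted(g["file_names"])})
    return hits


def _imageloads(host, pid, pname, ppath, dlls):
    return [{"sourcetype": "imageload", "host": host, "process_id": pid, "process_name": pname,
             "process_path": ppath, "file_name": d} for d in dlls]


# Constructed sample events (hypothetical hosts and PIDs), not data from the article.
CLR_SET = ["clr.dll", "clrjit.dll", "mscoree.dll", "mscoreei.dll", "mscorlib.ni.dll"]
SAMPLE_EVENTS = [
    # suspicious: explorer.exe -> svchost.exe with no -k group, then five CLR images loaded into it
    {"sourcetype": "processes", "host": "ws01", "process_id": 4100, "process_name": "svchost.exe",
     "process": "svchost.exe", "parent_process": "explorer.exe",
     "parent_process_path": "C:\\Windows\\explorer.exe",
     "process_path": "C:\\Windows\\System32\\svchost.exe"},
    *_imageloads("ws01", 4100, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", CLR_SET),
    # benign: a real service host, spawned by services.exe with -k, also loads the CLR (dc_s stays 1)
    {"sourcetype": "processes", "host": "ws01", "process_id": 912, "process_name": "svchost.exe",
     "process": "svchost.exe -k netsvcs", "parent_process": "services.exe",
     "parent_process_path": "C:\\Windows\\System32\\services.exe",
     "process_path": "C:\\Windows\\System32\\svchost.exe"},
    *_imageloads("ws01", 912, "svchost.exe", "C:\\Windows\\System32\\svchost.exe", CLR_SET),
    # benign: a managed binary under the .NET framework directory is excluded by the path filter
    *_imageloads("ws02", 2200, "csc.exe",
                 "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", CLR_SET),
    # noise: odd svchost parent but no CLR ever loaded (dc_s stays 1)
    {"sourcetype": "processes", "host": "ws03", "process_id": 5300, "process_name": "svchost.exe",
     "process": "svchost.exe", "parent_process": "explorer.exe",
     "parent_process_path": "C:\\Windows\\explorer.exe",
     "process_path": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Running it yields a single hit for ws01 / PID 4100 with all five CLR images; the other three groups drop out exactly where the SPL thresholds would drop them.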
