LOGGING, THE PERFECT PARTNER FOR MALWARE

Learn Who did What, Where, When and How.
In the course of investigating malware and reviewing logs for the details of what happened on suspect system(s), we have gathered the information listed here to assist in understanding Windows Logging.

  • Enable Logs
  • Configure Logs
  • Gather Logs
  • Harvest Logs

If you want to improve your malware management, logging is a crucial, if not vital, part of your Information Security program.

Listed below are resources for you to use to improve logging in your environment.

NXLOG

NXLog is a logging agent with FREE and commercial versions that can send your log data to a local logging server (Splunk, ELK Stack) or Cloud Logging solution like Splunk Cloud, Loggly, Sumologic and others.

A Windows NXLOG.conf file with expanded auditing and sample exclusions by EventID and by Message type. Just replace your server and account details, tweak as needed and restart the service.
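To illustrate the two exclusion styles mentioned above (by EventID and by Message text), here is a minimal NXLog configuration written for this page as an added example; it is not the NXLOG.conf file the page provides. The log server hostname, port, and the specific events dropped are assumptions chosen for illustration, not recommendations for any particular environment.

```apacheconf
# Extensions needed for syslog formatting of the outgoing events.
<Extension _syslog>
    Module  xm_syslog
</Extension>

# Collect the Windows Security log plus the Sysmon operational channel.
<Input in_winlog>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select>
            </Query>
        </QueryList>
    </QueryXML>

    # Exclusion by EventID: drop Windows Filtering Platform connection
    # events (5156 permitted, 5158 port bound), which are extremely noisy
    # when the "Filtering Platform Connection" subcategory is audited.
    Exec if ($EventID == 5156 or $EventID == 5158) drop();

    # Exclusion by Message type: drop process-termination events (4689)
    # whose message names a known-noisy helper process. The process name
    # here is a constructed example; tune it to your own environment.
    Exec if ($EventID == 4689 and $Message =~ /\\conhost\.exe/) drop();
</Input>

# Forward everything that survives the exclusions as IETF syslog over TCP.
# Hostname and port are placeholders; replace with your log server details.
<Output out_syslog>
    Module  om_tcp
    Host    logserver.example.internal
    Port    514
    Exec    to_syslog_ietf();
</Output>

<Route r_winlog>
    Path    in_winlog => out_syslog
</Route>
```

Before enabling any drop() rule in production, count how many events it would discard over a day so you can confirm it removes only noise and not events an investigation would later need.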

SYSMON

Sysmon is a service developed by Sysinternals, now owned by Microsoft, that provides additional security and Incident Response related details about files and processes and the hidden workings of a Windows based system. The service has its own log that records the hashes of the files, DLLs and drivers (.sys) loaded, certificate signature details, IP details, etc. The config file allows you to reduce the normal noise generated by Sysmon so that it collects a smaller volume, in case you want to harvest the data in a log management solution or LOG-MD Professional.

Windows Logging Service (WLS)

WLS is a syslog service that replaces your current logging agent, such as the Splunk Universal Forwarder, NXLog or another logging agent. The advantage of WLS is in what it collects and sends to your log server in the form of syslog events from Windows: it is fully configurable on what it collects, allowing log refinement and incredible detail. WLS collects the hashes of files, signature details of the files, PowerShell and WMI details not found in Windows logging, process execution and network data. This is by far the best InfoSec IR logging agent available, and WLS can be configured so that LOG-MD Professional can collect the log events from WLS.