LOGGING, THE PERFECT PARTNER FOR MALWARE
Learn Who did What, Where, When and How.
In the course of investigating malware and reviewing logs for the details of what happened on suspect system(s), we have gathered the information listed here to assist in understanding Windows Logging.
- Enable Logs
- Configure Logs
- Gather Logs
- Harvest Logs
If you want to improve your Malware Management, logging is a vital part of your Information Security program, and Windows does not enable most of the useful auditing by default.
Listed below are resources for you to use to improve logging in your environment.
- Windows Logging Cheat Sheets
- CMD Script to set Windows Auditing and Logging - July 2015
- CMD Script to set ONLY the Windows Firewall Auditing and Logging - July 2015
- Sample default PowerShell profile.ps1 that also sets Transcripts to record - July 2015
- PowerShell script to check File and Folder auditing settings - Jan 2016
- PowerShell script to check Registry Key auditing settings - Jan 2016
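As an added example (not one of the scripts linked above, and not code from this site), the following PowerShell covers the Enable and Configure steps in one pass: it turns on the advanced audit subcategories that matter for IR, records the command line in 4688, enlarges the logs, enables PowerShell script block logging and transcription through policy instead of a profile.ps1, and reads back the file and registry SACLs that the File System and Registry subcategories depend on. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later; the transcript directory C:\PSTranscripts and the two paths checked at the end are illustrative choices.

```powershell
# Added example, not one of the scripts linked above. Assumes an elevated PowerShell
# session on Windows 8.1 / Server 2012 R2 or later; C:\PSTranscripts and the paths
# checked at the end are illustrative and can be changed.

# 1. Make the advanced (subcategory) audit policy win over any legacy category
#    setting, otherwise the auditpol changes below can be silently reverted.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# 2. Enable the subcategories that answer "who did what, where, when and how".
$subcategories = @(
    'Process Creation',              # 4688 - what ran
    'Process Termination',           # 4689
    'Logon',                         # 4624 / 4625 - who, from where
    'Logoff',                        # 4634 / 4647
    'Special Logon',                 # 4672 - admin-equivalent privileges assigned
    'User Account Management',       # 4720 / 4726 - accounts created or deleted
    'Security Group Management',     # 4728 / 4732 - group membership changes
    'Audit Policy Change',           # 4719 - someone turning auditing off
    'File System',                   # 4663 - only fires for files with a SACL (step 6)
    'Registry',                      # 4657 / 4663 - only fires for keys with a SACL
    'Filtering Platform Connection'  # 5156 / 5158 - Windows Firewall network events
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 3. Record the full command line in 4688; without it the event only names the image.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# 4. Grow the logs (sizes in bytes) so events survive until they are collected.
wevtutil.exe sl Security    /ms:1073741824
wevtutil.exe sl System      /ms:268435456
wevtutil.exe sl Application /ms:268435456
wevtutil.exe sl Microsoft-Windows-PowerShell/Operational /ms:268435456

# 5. PowerShell 5.0+ script block logging (event 4104) and transcripts via policy.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String
New-Item -Path 'C:\PSTranscripts' -ItemType Directory -Force | Out-Null

# 6. File System and Registry auditing only produce events for objects that carry
#    a SACL. Read the audit rules back so you can see which paths are covered.
function Get-AuditRules {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -Path $p -Audit -ErrorAction Stop
        if ($acl.Audit.Count -eq 0) {
            [pscustomobject]@{ Path = $p; Identity = '(no SACL)'; Rights = ''; Flags = '' }
            continue
        }
        foreach ($rule in $acl.Audit) {
            $rights = if ($rule -is [System.Security.AccessControl.RegistryAuditRule]) {
                          $rule.RegistryRights } else { $rule.FileSystemRights }
            [pscustomobject]@{
                Path     = $p
                Identity = $rule.IdentityReference.Value
                Rights   = [string]$rights
                Flags    = [string]$rule.AuditFlags   # Success, Failure or both
            }
        }
    }
}

# 7. Read back what was set.
auditpol.exe /get /category:* | Select-String -Pattern ($subcategories -join '|')
Get-AuditRules -Path 'C:\Windows\System32\drivers\etc',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
    Format-Table -AutoSize
```

Step 3 needs the 4688 command-line update (Windows 8.1 / 2012 R2 with KB3004375, or Windows 10 / 2016 and later), and step 5 needs PowerShell 5.0 or later; on older hosts the profile.ps1 transcript approach linked above is the fallback. A path that reports "(no SACL)" in step 7 will never generate 4663 events no matter what auditpol says, which is exactly what the File and Folder and Registry Key auditing check scripts above are for.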
NXLog is a logging agent with FREE and commercial versions that can send your log data to a local logging server (Splunk, ELK Stack) or Cloud Logging solution like Splunk Cloud, Loggly, Sumologic and others.
The Windows nxlog.conf files below collect the expanded audit logs and include sample exclusions by EventID and by message field. Replace the server and account details with your own, tweak the exclusions as needed, and restart the nxlog service.
- Sample nxlog.conf file for Windows (Loggly integration example)
- Sample nxlog.conf file for Windows (GrayLog example - coming soon)
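As an added example that is not the sample file linked above (nor NXLog's shipped config), this PowerShell writes a minimal nxlog.conf for the NXLog Community Edition that reads the expanded audit channels, drops two noisy patterns (one by EventID, one by a message field), forwards the rest as JSON over TCP, and restarts the service. The install path is NXLog CE's default on 64-bit Windows; the collector address 10.0.0.5:514 is a placeholder for your own log server.

```powershell
# Added example, not the page's sample nxlog.conf. Assumes NXLog Community Edition
# at its default path on 64-bit Windows and a collector at 10.0.0.5:514 (placeholder)
# that accepts one JSON event per line over TCP.
$nxlogRoot = 'C:\Program Files (x86)\nxlog'
$confPath  = Join-Path $nxlogRoot 'conf\nxlog.conf'

# Single-quoted here-string: nxlog's $fields and \backslashes are written verbatim.
$conf = @'
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module xm_json
</Extension>

# Read the channels that the auditing scripts on this page populate.
<Input eventlog>
    Module im_msvistalog
    Query <QueryList> \
            <Query Id="0"> \
              <Select Path="Security">*</Select> \
              <Select Path="System">*</Select> \
              <Select Path="Application">*</Select> \
              <Select Path="Microsoft-Windows-PowerShell/Operational">*</Select> \
              <Select Path="Microsoft-Windows-Sysmon/Operational">*</Select> \
            </Query> \
          </QueryList>
    # Exclusion by EventID: 5158 (local port bind) is high volume and rarely useful.
    Exec if $EventID == 5158 drop();
    # Exclusion by message field: 4688 process creations of conhost.exe.
    Exec if ($EventID == 4688 and $NewProcessName =~ /\\conhost\.exe$/) drop();
    # Exclusion by EventID plus field: firewall allow events for svchost.exe.
    Exec if ($EventID == 5156 and $Application =~ /svchost\.exe$/) drop();
    Exec to_json();
</Input>

<Output collector>
    Module om_tcp
    Host 10.0.0.5
    Port 514
</Output>

<Route eventlog_to_collector>
    Path eventlog => collector
</Route>
'@

Set-Content -Path $confPath -Value $conf -Encoding ASCII
Restart-Service -Name nxlog
# A syntax error stops the service without a console message; the log says why.
Get-Content (Join-Path $nxlogRoot 'data\nxlog.log') -Tail 5
```

Exclude by EventID first (cheapest test) and only then by regex on a field, and keep the exclusions in the agent rather than the collector so the noise never leaves the host. The 5156 exclusion drops svchost.exe traffic wholesale, which also hides a compromised svchost; tighten it to specific ports or destinations once you know your baseline.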
Sysmon is a system service and driver from Sysinternals (now part of Microsoft) that records security and Incident Response details about files, processes and the hidden workings of a Windows system that the built-in logs do not capture. It writes to its own event log (Microsoft-Windows-Sysmon/Operational) and records the hashes of process images, loaded DLLs and drivers (.sys), whether each is signed and by whom, network connection details (IPs and ports), and more. Its XML config file lets you exclude the normal noise Sysmon generates so the volume stays manageable when you harvest the data into a log management solution or LOG-MD Professional.
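As an added example (not a config from this page or from Sysinternals), the following PowerShell writes a Sysmon XML config that applies the noise-reduction approach described above, installs or updates Sysmon with it, and then counts events per ID to confirm the filters behave. It assumes Sysmon64.exe (v10 or later, schema 4.22) in C:\Tools and an elevated session; the specific exclusions are starting points to tune against your own baseline, not a recommended list.

```powershell
# Added example, not a config from the page or from Sysinternals. Assumes Sysmon64.exe
# (v10 or later, schema 4.22) in C:\Tools and an elevated session; the exclusions
# below are illustrative starting points for your own environment.
$sysmon  = 'C:\Tools\Sysmon64.exe'
$cfgPath = 'C:\Tools\sysmon.xml'

$config = @'
<Sysmon schemaversion="4.22">
  <!-- Hash every image with MD5 and SHA256 plus the import hash (IMPHASH), so a
       renamed copy of the same tool still matches across hosts. -->
  <HashAlgorithms>md5,sha256,IMPHASH</HashAlgorithms>
  <EventFiltering>
    <!-- Event 1 (ProcessCreate): "exclude" logs everything that does NOT match,
         so only two constant noise sources are dropped. -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude">
        <Image condition="is">C:\Windows\System32\conhost.exe</Image>
        <ParentImage condition="is">C:\Windows\System32\SearchIndexer.exe</ParentImage>
      </ProcessCreate>
    </RuleGroup>
    <!-- Event 3 (NetworkConnect): off unless configured; an empty exclude would log
         all connections. Drop browser traffic and NetBIOS name service chatter. -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="end with">\chrome.exe</Image>
        <Image condition="end with">\firefox.exe</Image>
        <DestinationPort condition="is">137</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <!-- Event 6 (DriverLoad): every driver except Microsoft-signed ones. -->
    <RuleGroup name="" groupRelation="or">
      <DriverLoad onmatch="exclude">
        <Signature condition="contains">Microsoft</Signature>
      </DriverLoad>
    </RuleGroup>
    <!-- Event 7 (ImageLoad) is the noisiest event, so "include" only DLLs that are
         unsigned or loaded from user-writable locations. -->
    <RuleGroup name="" groupRelation="or">
      <ImageLoad onmatch="include">
        <Signed condition="is">false</Signed>
        <ImageLoaded condition="begin with">C:\Users\</ImageLoaded>
        <ImageLoaded condition="begin with">C:\ProgramData\</ImageLoaded>
      </ImageLoad>
    </RuleGroup>
    <!-- Event 8 (CreateRemoteThread): injection is rare and always worth a record. -->
    <RuleGroup name="" groupRelation="or">
      <CreateRemoteThread onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $cfgPath -Value $config -Encoding ASCII

if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $sysmon -c $cfgPath                 # update the config of a running install
} else {
    & $sysmon -accepteula -i $cfgPath     # first install, with the config
}

# Confirm the driver took the config: event counts per ID from the Sysmon log.
# Event 7 should be a small fraction of event 1 if the ImageLoad include worked.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 500 |
    Group-Object Id | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Event types not mentioned in the file keep Sysmon's defaults, and `Sysmon64.exe -c` with no argument prints the configuration the driver is actually running, which is the quickest way to check that an update was applied. Note that the conhost.exe exclusion also hides a malicious process named conhost.exe in System32; the "is" condition on the full path limits that exposure to a file an attacker would already need SYSTEM to replace.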
Windows Logging Service (WLS)
WLS is a logging agent that replaces your current agent, such as the Splunk Universal Forwarder, nxlog or others, and sends Windows events to your log server as syslog. Its advantage is in what it collects: it is fully configurable, allowing log refinement and incredible detail, and it records the hashes of files, their signature details, PowerShell and WMI details not found in Windows logging, process execution and network data. This is by far the best InfoSec IR logging agent available, and WLS can be configured so that LOG-MD Professional can collect the log events from WLS.