@HackerHurricane and @Boettcherpwned are releasing the Log Malicious Detection tool "Log-MD" for Windows based systems at DerbyCon 2015!
This FREE tool will assist you in enabling and configuring your Windows logs based on the recommendations of the "Windows Logging Cheat Sheet" (WLCS).
When first run, Log-MD will fail until all the needed auditing items are enabled and configured. You can either read the console output or the "Audit Settings Report", which gives you a measure of how your system compares to the Center for Internet Security (CIS) Benchmarks and to the recommended configuration of the "Windows Logging Cheat Sheet". This is a great report to add to your security assessments!
Once the system is properly configured, through Group Policy or the Local Security Policy plus a few other system tweaks, Log-MD will produce Report.csv, collecting all the security goodness we Active Defenders, Malware Hunters and InfoSec people want and need! The report is a simple-to-consume CSV, easy to parse for additional scripting or to filter in Microsoft Excel.
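As an added example (not Log-MD's code), here is a small PowerShell check in the spirit of the "Audit Settings Report": it compares a handful of audit subcategories, the command-line-in-4688 setting and the Security log size against what the WLCS asks for. The subcategory list and the 1 GB log-size threshold are an abbreviated selection chosen for this example, not the complete cheat sheet; run it from an elevated prompt because auditpol needs admin rights.

```powershell
# Added example, not part of Log-MD: check a few audit settings the way the
# "Audit Settings Report" would. Run elevated (auditpol needs admin rights).
# The subcategories and expected values below are an abbreviated selection
# for this example, not the full WLCS recommendation set.

$expected = [ordered]@{
    'Process Creation'              = 'Success'              # 4688
    'Process Termination'           = 'Success'              # 4689
    'Logon'                         = 'Success and Failure'  # 4624/4625
    'Filtering Platform Connection' = 'Success'              # 5156
    'File System'                   = 'Success'              # 4663
    'Registry'                      = 'Success'              # 4657
}

# auditpol's /r switch prints CSV; turn it into a subcategory -> setting map.
$current = @{}
auditpol /get /category:* /r |
    Where-Object { $_ -match ',' } |
    ConvertFrom-Csv |
    ForEach-Object { $current[$_.Subcategory] = $_.'Inclusion Setting' }

$report = foreach ($name in $expected.Keys) {
    $actual = if ($current.ContainsKey($name)) { $current[$name] } else { 'Not found' }
    # "Success and Failure" also satisfies a "Success"-only expectation.
    $ok = ($actual -eq $expected[$name]) -or ($actual -eq 'Success and Failure')
    [pscustomobject]@{ Subcategory = $name; Expected = $expected[$name]; Actual = $actual; OK = $ok }
}
$report | Format-Table -AutoSize

# 4688 is only useful with the command line included; this is the registry
# value written by the "Include command line in process creation events" policy.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLine = (Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled `
            -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
'Command line in 4688 events: ' + $(if ($cmdLine -eq 1) { 'enabled' } else { 'DISABLED' })

# A default-sized Security log rolls over fast once these are on.
# 1 GB is the threshold assumed for this example.
$sec = Get-WinEvent -ListLog Security
'Security log max size: {0} MB {1}' -f ($sec.MaximumSizeInBytes / 1MB),
    $(if ($sec.MaximumSizeInBytes -ge 1GB) { '(ok)' } else { '(too small)' })
```

Anything showing OK = False, a disabled command line, or a small Security log is exactly what Log-MD will complain about on first run, so fix those in Group Policy or the Local Security Policy before running it.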
It does not stop there! Three white lists let you filter out the good, to help you find the bad and the ugly! As you identify obviously good conditions, add them to the white lists and those items are filtered out the next time Log-MD is run. The three white lists are:
1. By Process Command Line and/or Process Name
2. By Source IP and/or Destination IP and/or Destination Port (yup, no source port; client source ports are ephemeral and not worth filtering on)
3. File Auditing (4663) and Registry Auditing (4657) locations
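To show what the first two white lists do, here is an added PowerShell example (not Log-MD's code, and not its Report.csv format) that applies a process white list and a source IP / destination IP / destination port white list straight to Security log events 4688 and 5156. The white list entries are assumed values for this example; patterns use PowerShell -like wildcards. It needs an elevated prompt to read the Security log, and only returns something if Process Creation and Filtering Platform Connection auditing are enabled.

```powershell
# Added example, not part of Log-MD: filter 4688 (process) and 5156 (network)
# events with the two white list types Log-MD describes. Run elevated.

# White list 1: process name and/or command line (assumed entries).
$processWhitelist = @(
    'C:\Windows\System32\svchost.exe -k *',
    'C:\Windows\System32\conhost.exe*',
    '"C:\Program Files\Windows Defender\MsMpEng.exe"*'
)
# White list 2: source IP / destination IP / destination port; '*' matches anything.
$networkWhitelist = @(
    @{ Src = '*';        Dst = '10.0.0.53'; Port = '53'  },   # internal DNS (assumed)
    @{ Src = '10.0.0.*'; Dst = '*';         Port = '443' }    # HTTPS from the LAN (assumed)
)

# Pull the named EventData fields out of an event, e.g. $data['CommandLine'].
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

function Test-Whitelisted {
    param($Value, [string[]]$Patterns)
    foreach ($p in $Patterns) { if ($Value -like $p) { return $true } }
    $false
}

$since = (Get-Date).AddHours(-24)

# 4688: what launched? Keep only what is NOT white listed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        # Fall back to the image path when the command line is not being logged.
        $cmd = if ($d['CommandLine']) { $d['CommandLine'] } else { $d['NewProcessName'] }
        if (-not (Test-Whitelisted $cmd $processWhitelist)) {
            [pscustomobject]@{ Time = $_.TimeCreated; Process = $d['NewProcessName']; CommandLine = $d['CommandLine'] }
        }
    } | Format-Table -AutoSize

# 5156: who did it talk to? Same idea with the three-part network white list.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        $allowed = $false
        foreach ($w in $networkWhitelist) {
            if ($d['SourceAddress'] -like $w.Src -and $d['DestAddress'] -like $w.Dst -and $d['DestPort'] -like $w.Port) {
                $allowed = $true; break
            }
        }
        if (-not $allowed) {
            [pscustomobject]@{ Time = $_.TimeCreated; App = $d['Application']; Src = $d['SourceAddress']; Dst = $d['DestAddress']; DstPort = $d['DestPort'] }
        }
    } | Format-Table -AutoSize
```

Note that the 4688 list matches on the full command line when it is available, which is why enabling command-line logging matters: `svchost.exe -k netsvcs` and `svchost.exe` launched from a user-writable directory look identical by process name alone. Whatever is left after filtering is what you go and look at, and what is obviously fine goes into the white list for the next run.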
There are multiple use cases for Log-MD. Whether or not you have a Log Management solution (aka SIEM), this tool can help you refine what to collect and improve your policies.
1. Audit your system against best practices - Compliance Auditors, IT professionals, consultants, InfoSec and Incident Responders can all use this tool to know how their environment stacks up log and audit wise against the CIS Benchmarks or WLCS recommendations.
2. Use the output to set and refine your File and Registry Auditing, to start monitoring key directories (e.g. \AppData) and autorun locations in the registry (e.g. the Run and RunOnce keys). Start using auditing, and have a way to refine your settings!
3. Malware Labs - Use Log-MD in your malware labs to find the key artifacts or IOCs needed to find other infected systems, and the cleanup details to remediate. Speeds up basic malware analysis significantly!
4. Investigate a suspect system - Do you want to know if a system is clean or infected? Log-MD can help you analyze the data after boot up to see if anything odd has launched or communicated on the system.
5. Incident Response - We don't always have fancy Log Management solutions or Endpoint solutions, so Log-MD can be run on systems to help get them configured to collect the needed data, and then provide Incident Responders the much-needed information to focus their attention. Great for companies that are budget limited and lack some of the Enterprise Security tools IR firms use.
A major goal of Log-MD is to help move organizations forward by enabling and configuring much-needed logging details, even if the logs are only collected locally, with or without a Log Management solution, and to apply the same technique when doing malware analysis or investigating a suspect system.
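Use case 2 above asks you to put File and Registry Auditing on \AppData and the Run/RunOnce keys. As an added example (my own PowerShell, not Log-MD's code), this enables the two Object Access subcategories those events depend on and then places the SACLs that make 4657 and 4663 events appear. The rights audited and the paths are choices for this example; run it elevated, since changing SACLs needs SeSecurityPrivilege.

```powershell
# Added example, not part of Log-MD: enable Object Access auditing and set
# SACLs so writes to autorun keys (4657) and AppData (4663) get logged.
# Run elevated. Rights and paths are choices for this example.

# Without these two subcategories the SACLs below generate no events at all.
auditpol /set /subcategory:"Registry"    /success:enable | Out-Null
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Audit successful value writes, subkey creation and deletes by anyone
# under the autorun keys; these are what persistence mechanisms touch.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$regRule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone', 'SetValue,CreateSubKey,Delete', 'ContainerInherit', 'None', 'Success')
foreach ($key in $runKeys) {
    $acl = Get-Acl -Path $key -Audit
    $acl.AddAuditRule($regRule)
    Set-Acl -Path $key -AclObject $acl
}

# Audit file creation, appends and deletes under the current user's
# AppData folders, inherited by subfolders and files.
$dirs = @($env:APPDATA, $env:LOCALAPPDATA)
$fileRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'CreateFiles,AppendData,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success')
foreach ($dir in $dirs) {
    $acl = Get-Acl -Path $dir -Audit
    $acl.AddAuditRule($fileRule)
    Set-Acl -Path $dir -AclObject $acl
}

# Verify: show the audit rules now present on one key and one folder.
(Get-Acl -Path $runKeys[0] -Audit).Audit | Format-Table IdentityReference, RegistryRights, AuditFlags
(Get-Acl -Path $dirs[0]    -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
```

AppData is written constantly by browsers, updaters and Office, so expect a flood of 4663 events at first; that is precisely what the third white list (File and Registry Auditing locations) is for. Start with the autorun keys, which are quiet on a healthy system, and widen the file auditing as you learn what normal looks like.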
Take a look, download the tool and try it out! Send us your comments and suggestions. For security, we have posted the file hash on HackerHurricane so you can validate the download ;-).
You can get Log-MD at: