What is Log-MD?
Log-MD is a security tool tailored for Windows systems. It audits log settings and advanced audit policy configurations, guiding users to enable and configure these settings for better security and detection. By gathering artifacts from malicious activity, Log-MD speeds up the investigation process, validating the integrity of systems, and facilitating quicker malware analysis.
Key Features
Audit Checks: Validates audit settings and ensures they are configured to capture necessary security events.
Malicious Discovery: Collects artifacts related to malware, such as process details, file changes, and registry modifications.
Enhanced Logging: Provides recommendations to improve Windows logging, capturing more detailed and useful data.
Compliance Reporting: Generates audit reports to ensure systems meet compliance standards like WLCS, CIS, USGCB, and AU ACSC.
Comparing Log-MD Versions
Log-MD comes in three versions: Free, Professional, and Consulting. Here’s a breakdown of their features:
Feature | Free | Professional | Consulting |
Audit Check | ✔ | ✔ | ✔ |
Bypass Audit Check | ✔ | ✔ | ✔ |
PowerShell version and audit log checks | ✔ | ✔ | ✔ |
WLCS & CIS Compliance | ✔ | ✔ | ✔ |
USGCB & AU ACSC Compliance | ✔ | ✔ | ✔ |
Create Audit Report | ✔ | ✔ | ✔ |
Specify Output Directory | ✔ | ✔ | |
Harvest Windows Log Events | ✔ | ✔ | ✔ |
Process Tree of Parent-Child Processes | ✔ | ✔ | |
Custom PowerShell report with configurable settings file to hunt for suspicious PowerShell commands | ✔ | ✔ | |
Harvest Sysmon Service Events | ✔ | ✔ | |
Whitelist Processes, Command Line, and IPs | ✔ | ✔ | ✔ |
Whitelist Files, Paths, & Reg Keys | ✔ | ✔ | ✔ |
Detailed Log Data Reports | 16 | 30 | 30 |
File Hash Baseline | ✔ | ✔ | ✔ |
File Hash Compare to Baseline | ✔ | ✔ | ✔ |
Whitelist by File, Location, or Hash | ✔ | ✔ | |
Master-Digest | ✔ | ✔ | |
Locked Files Report | ✔ | ✔ | ✔ |
Locked Files Compare to Baseline | ✔ | ✔ | |
Registry Baseline | ✔ | ✔ | ✔ |
Registry Compare to Baseline | ✔ | ✔ | ✔ |
Evaluate Imported Hives | ✔ | ✔ | ✔ |
Whitelist Keys & Values | ✔ | ✔ | |
Large Reg Keys Details | ✔ | ✔ | ✔ |
Load Hives from other systems | ✔ | ✔ | ✔ |
Large Reg Key Summary | ✔ | ✔ | |
WhoIs data for IPs in the IP Connections reports | ✔ | ✔ | |
Command line WhoIs lookups of IPv4 addresses | ✔ | ✔ | ✔ |
Harvest SRUM data - Netflow data by Application (Win 8.1 and 10 only) | ✔ | ✔ | |
List of AutoRuns Report | ✔ | ✔ | ✔ |
AutoRuns exclude results using Master Digest and Whitelist | ✔ | ✔ | |
AutoRuns of all WMI namespaces | ✔ | ✔ | ✔ |
List of Running Processes and Modules Report | ✔ | ✔ | ✔ |
Running Process and Modules exclude results using Master Digest and Whitelist | ✔ | ✔ | |
Query only WMI namespaces | ✔ | ✔ | |
VirusTotal lookups of hashes and/or files from reports | ✔ | ✔ | |
Automatic VirusTotal lookups when running Autoruns | ✔ | ✔ | |
Automatic VirusTotal lookups when checking Running Processes and their modules | ✔ | ✔ | |
10 VirusTotal reports can be generated from log reports and Sysmon | ✔ | ✔ | |
For Consultants | ✔ | ||
Transferrable 90-Day License | ✔ | ||
Special Artifact Hunting Features | ✔ | ✔ | |
Sticky Key Exploit Interesting Artifact Report | ✔ | ✔ | |
null byte in a registry value Interesting Artifact Report | ✔ | ✔ | |
Unicode character in filename Interesting Artifact Report | ✔ | ✔ | |
Manual pages | 23 | 70 | 70 |
LOG-MD-Pro Slack Channel Community | ✔ | ✔ |
Here is an example of the detailed output you can expect from Log-MD:
Conclusion
Log-MD is an invaluable tool for anyone tasked with Windows system security. Whether you're a small business or a large enterprise, Log-MD offers a cost-effective solution to enhance your malicious discovery and logging capabilities.
Akash Patel
Commenti