Monthly Archives: September 2022

Windows Logging Service (WLS)

Latest Version: 3.7.2265

Introduction

WLS is a Windows service that reads, formats, and sends Windows event logs as well as additional information as configured to a log receiver. Analysis of this data can help identify anomalous or malicious activity, as well as provide context for user behavior.

Overview

WLS includes the following capabilities:

  • Augment process creation events with user defined metadata including hashes and PE information
  • Remote configuration to allow for secure changes to the WLS configuration
  • Route logs to one or more servers based on the current host network configuration
  • Hourly performance logging
  • Log current certificate information and changes
  • Log commands entered by a user into cmd.exe, powershell.exe, and more
  • Log devices connected / disconnected
  • Log drives mounted / unmounted
  • Log file data about file paths in logs with user defined metadata
  • Log changed files in defined directories
  • Log local users and groups
  • Log all or specific Windows event logs, with powerful filtering to reduce noise
  • Log file changes (tail)
  • Log loaded modules (dlls)
  • Log named pipe creation / deletion
  • Log performance counters
  • Log open / listening ports
  • Log local print activity
  • Log registry changes
  • Log service activity / status
  • Log session activity
  • Log task scheduler tasks
  • Log Windows Boot Configuration Log (WBCL)
  • Log Windows objects (mutant / semaphore)
  • Log WMI information

Screenshots

Splunk dashboards shown are provided as-is with a WLS license. Screenshots on the original page (captions only):

  • Overall performance
  • Host performance
  • Dashboards for WLS monitoring
  • Dashboards to analyze all WLS reported data
  • Local user analysis
  • Session activity, including authentication method
  • Setup for index, logtypes, HMAC key, and alert email addresses

Requirements

WLS requires .NET Framework 4.0 or later (Client Profile or Full) and is compatible with Windows XP/Server 2003 through Windows 11/Server 2022. It needs less than 5 MB for the initial installation, plus up to the user-defined on-disk quota for the caching database used while the log server is unavailable.

WLS includes the required SQLite libraries and a Software Bill of Materials (SBOM) to validate the provided installation files and dependencies; the executable is signed and timestamped.

Usage

Install with colocated configuration file: msiexec.exe /i setup.msi /qn

Install with HTTPS remote configuration file: msiexec.exe /i setup.msi /RemoteURL="https://server.domain/WLS"

Install with UNC remote configuration file: msiexec.exe /i setup.msi /RemoteURL="\\server.domain\WLS"

Uninstall: msiexec.exe /x setup.msi /qn

Run in debug mode (from elevated command prompt): wls.exe /i /e /debugmode

Configuration

All settings can be user-defined to meet expectations for the environment. The manual included with a license contains all definitions, options, and examples for each setting.

WLS configuration is defined by an XML file that is generated by the provided configuration utility and/or edited manually. Only non-default settings need to be specified. The XML file can then be signed with a system-generated key to guarantee the integrity of the XML file, or with an existing certificate to guarantee integrity and allow the signature's trust to be verified.

Remote configuration is done by specifying a path to a rules file that contains host conditions to map systems to the appropriate configuration(s). A remote configuration rule editor is provided.

Example Configurations

All default settings, only watch the Application, Security, and System logs

<WLS>
  <Config>
    <Logging>
      <AutoWatchNewLogSources>0</AutoWatchNewLogSources>
      <Logs>
        <Application>1</Application>
        <Security>1</Security>
        <System>1</System>
      </Logs>
    </Logging>
  </Config>
</WLS>

Additional data sources enabled

...
<CertificateMonitor>
  <Enabled>1</Enabled>
</CertificateMonitor>
<SessionMonitor>
  <Enabled>1</Enabled>
</SessionMonitor>
...

Example signed XML. The configuration utility signs and verifies files/folders.

...
  </Config>
  <RSAKeyValue>
    <Modulus>otCgojt4iZbb+y+FdXBn...u6gAkw==</Modulus>
    <Exponent>AQAB</Exponent>
  </RSAKeyValue>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>yw+...fE=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>ESC...OEcyw==</SignatureValue>
  </Signature>
</WLS>
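Because remote configuration can be pulled from version control or a web server, it is worth checking a WLS configuration file before it is published: that the expected Windows logs and monitors are enabled and that the file carries an RSA-SHA256 enveloped signature in the layout shown above. The following is an added example of such a pre-deployment lint, not code from WLS or its configuration utility. It only inspects the document structure; the cryptographic check of the signature is what the configuration utility does and is not repeated here. The required-logs and required-monitors baseline is my own assumption, and the embedded sample configuration is constructed from the elements on this page with the key and signature values replaced by placeholders.

```python
import xml.etree.ElementTree as ET

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ACCEPTED_SIGNATURE_METHOD = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Baseline this lint enforces (assumption, not a WLS default): the three
# classic Windows logs plus the two monitors from the example above.
REQUIRED_LOGS = ("Application", "Security", "System")
REQUIRED_MONITORS = ("CertificateMonitor", "SessionMonitor")

# Constructed sample: the signed-config layout from the page, with base64
# blobs replaced by PLACEHOLDER and SessionMonitor deliberately left out.
SAMPLE_CONFIG = """<WLS>
  <Config>
    <Logging>
      <AutoWatchNewLogSources>0</AutoWatchNewLogSources>
      <Logs>
        <Application>1</Application>
        <Security>1</Security>
        <System>1</System>
      </Logs>
    </Logging>
    <CertificateMonitor><Enabled>1</Enabled></CertificateMonitor>
  </Config>
  <RSAKeyValue><Modulus>PLACEHOLDER</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <Reference URI="">
        <Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/></Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <DigestValue>PLACEHOLDER</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER</SignatureValue>
  </Signature>
</WLS>"""


def _is_on(node):
    """True when an element exists and its text is the WLS 'enabled' value 1."""
    return node is not None and (node.text or "").strip() == "1"


def lint_wls_config(xml_text):
    """Return a list of findings; an empty list means the config meets the baseline."""
    root = ET.fromstring(xml_text)
    findings = []
    config = root.find("Config")
    if config is None:
        return ["no <Config> element"]
    for name in REQUIRED_LOGS:
        if not _is_on(config.find(f"Logging/Logs/{name}")):
            findings.append(f"Windows log {name} is not watched")
    for name in REQUIRED_MONITORS:
        if not _is_on(config.find(f"{name}/Enabled")):
            findings.append(f"{name} is not enabled")
    # The signature is a sibling of <Config> under <WLS>, as in the example above.
    sig = root.find(f"{{{XMLDSIG_NS}}}Signature")
    if sig is None:
        findings.append("config is not signed")
    else:
        method = sig.find(f"{{{XMLDSIG_NS}}}SignedInfo/{{{XMLDSIG_NS}}}SignatureMethod")
        alg = method.get("Algorithm") if method is not None else None
        if alg != ACCEPTED_SIGNATURE_METHOD:
            findings.append(f"unexpected SignatureMethod: {alg}")
    return findings


if __name__ == "__main__":
    for finding in lint_wls_config(SAMPLE_CONFIG) or ["baseline met"]:
        print(finding)
```

Run it against the sample and the one finding is that SessionMonitor is missing; run it against the unsigned minimal configuration from the first example and it also reports the absent signature, which is the case to catch before a file is placed on a remote configuration share.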

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.


WLS 3.7.22 Released!

WLS 3.7.22 is here! The latest version of the SIEM-, format-, and protocol-agnostic Windows event log forwarder with process creation metadata and user-defined contextual information, now with LNK parsing, file system minifilter reporting, WBCL reporting, and Sysmon configuration management!

CommandMonitor

  • Added support for Windows 11 command history when cmd.exe is launched inside Windows Terminal

FileData

  • Added LNK parsing and reporting
    • Processes launched from a shortcut, when the LNK field is requested, will have LNK details logged along with user-defined metadata

2022-09-26T12:07:18-05:00 host WLS_FileData: LogType="WLS", AccessTime="2/23/2022 3:51:57 PM", BaseFileName="Configuration Manager Console.lnk", CreationTime="7/27/2021 2:33:52 AM", CreationTime1="2/23/2022 9:51:59 AM", FileAttributes="ARCHIVE", FileDataName="LNK", FileName="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Endpoint Manager\Configuration Manager\Configuration Manager Console.lnk", HotKey="", IconIndex="0", KnownFolder="7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e", LastAccessTime="9/26/2022 12:06:41 PM", LastWriteTime="2/23/2022 9:51:59 AM", Length="1409", LinkFlags="HasLinkTargetIDList, HasLinkInfo, HasRelativePath, IsUnicode", LinkInfoFlags="VolumeIDAndLocalBasePath", LocalBasePath="C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe", MacAddress="F80DAC6E57E8", MachineID="host", MD5="D82ABC2B24AA63332BE73F80656AD31D", PropertyStoreCount="2", RelativePath="..\..\..\..\..\..\..\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe", SHA1="08F381B34236F9F12F62FEE6FF88B96D5B6DAEE0", ShowCommand="1", SID="S-1-5-18", Size="434544", SpecialFolder="ProgramFilesX86", User="NT AUTHORITY\SYSTEM", VolumeLabel="Windows", WLSKey="11169", WriteTime="7/27/2021 2:33:52 AM"
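The record above is a flat list of Key="value" pairs after a timestamp, host and source prefix, so it is easy to consume outside a SIEM. The following is an added example, not part of WLS, of a small parser for that text layout together with a few review heuristics for LNK records: the file names in LocalBasePath and RelativePath should agree, a shortcut target outside the program directories is worth a look, and the HasArguments link flag (defined in MS-SHLLINK, not present in the page's sample) means the shortcut passes its own command line to the target. The parser assumes WLS does not emit embedded double quotes inside a value (the sample contains none); the trusted-directory list is my own baseline. The first sample line is a trimmed copy of the record above; the second is constructed to trigger two of the heuristics.

```python
import ntpath
import re

# Constructed sample: a trimmed copy of the WLS_FileData record shown above
# (hashes, timestamps and hardware identifiers dropped).
BENIGN_LINE = r'2022-09-26T12:07:18-05:00 host WLS_FileData: LogType="WLS", BaseFileName="Configuration Manager Console.lnk", FileDataName="LNK", FileName="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Endpoint Manager\Configuration Manager\Configuration Manager Console.lnk", LinkFlags="HasLinkTargetIDList, HasLinkInfo, HasRelativePath, IsUnicode", LocalBasePath="C:\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe", RelativePath="..\..\..\..\..\..\..\Program Files (x86)\Microsoft Endpoint Manager\AdminConsole\bin\Microsoft.ConfigurationManagement.exe", SID="S-1-5-18", User="NT AUTHORITY\SYSTEM", WLSKey="11169"'

# Constructed sample: a shortcut in a user profile whose target lives in a
# per-user temp directory and which passes arguments to that target.
SUSPECT_LINE = r'2022-09-26T12:09:02-05:00 host WLS_FileData: LogType="WLS", BaseFileName="Report.lnk", FileDataName="LNK", FileName="C:\Users\jdoe\Downloads\Report.lnk", LinkFlags="HasLinkTargetIDList, HasLinkInfo, HasRelativePath, HasArguments, IsUnicode", LocalBasePath="C:\Users\jdoe\AppData\Local\Temp\viewer.exe", RelativePath="..\AppData\Local\Temp\viewer.exe", SID="S-1-5-21-1111-2222-3333-1001", User="CORP\jdoe", WLSKey="11170"'

# "<timestamp> <host> <source>: " followed by Key="value" pairs.
HEADER_RE = re.compile(r'^(\S+) (\S+) (\S+): ')
# Assumption: no embedded double quotes inside a value, so a value runs to
# the next double quote (commas inside values, as in LinkFlags, are fine).
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Directories whose contents are normally administrator-controlled. This is
# my own baseline for the example, not a WLS setting.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_wls_line(line):
    """Return (timestamp, host, source, fields) for one WLS text-format line."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a WLS text log line")
    timestamp, host, source = m.groups()
    fields = dict(FIELD_RE.findall(line[m.end():]))
    return timestamp, host, source, fields


def assess_lnk(fields):
    """Review heuristics for a FileData record with FileDataName="LNK".

    Returns a list of findings; an empty list means nothing stood out.
    """
    findings = []
    if fields.get("FileDataName") != "LNK":
        return findings
    local = fields.get("LocalBasePath", "")
    relative = fields.get("RelativePath", "")
    # Both fields describe the same target; differing file names mean the
    # shortcut's two path records disagree and deserve a look.
    if local and relative and ntpath.basename(local).lower() != ntpath.basename(relative).lower():
        findings.append("LocalBasePath and RelativePath name different targets")
    if local and not local.lower().startswith(TRUSTED_ROOTS):
        findings.append(f"shortcut target outside program directories: {local}")
    # HasArguments is defined in MS-SHLLINK (absent from the page's sample):
    # the shortcut passes its own command line to the target.
    flags = {f.strip() for f in fields.get("LinkFlags", "").split(",")}
    if "HasArguments" in flags:
        findings.append("shortcut supplies command-line arguments to its target")
    return findings


if __name__ == "__main__":
    for line in (BENIGN_LINE, SUSPECT_LINE):
        ts, host, source, fields = parse_wls_line(line)
        print(ts, host, source, fields["BaseFileName"], assess_lnk(fields) or "ok")
```

The benign record produces no findings; the constructed one reports the target location and the HasArguments flag. In practice the same parser feeds any of the WLS sources, since they share the Key="value" layout, and the heuristics would be tuned to the environment's own software inventory rather than to a fixed directory list.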

Filters

  • Added filter groups to ease management of related filters

LogFormats

  • Added MACHINEGUID field
    • For use as a unique identifier such as a Splunk HEC channel
  • Added "unix" date format
    • Useful for JSON logs with Splunk HEC

Logging

  • Added file system minifilter logging
    • Enhanced output similar to fltmc.exe with file metadata
    • Example from "Windows Sandbox" (screenshot on the original page: WindowsSandboxFileSystemFilters)
  • Added LogUserChange parameter
    • Log when the user changes from parent to child process

LogRouting

  • Added support for HTTP servers, including custom headers
  • Added parameters to verify connections meet requirements
    • Useful for HTTPS destinations when captive portals or other man-in-the-middle (MITM) scenarios are encountered

RemoteConfiguration

  • Added parameters to support more destinations and formats
    • Useful when loading remote configuration from version control systems such as GitLab and other non-standard HTTP(S) sources
  • Added sysmon configuration loading
    • The last sysmon configuration found when processing applicable rules will be applied

Windows Boot Configuration Log (WBCL) – New!

  • Initial and periodic reporting of the WBCL

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.