LOG-MD was designed for Windows based systems to audit log and advanced audit policy settings and guide users to enable and configure the audit settings to help push and encourage moving security and detection forward. LOG-MD was also designed to gather the artifacts from malicious activity, referred to as “Malicious Discovery”, faster than the standard methods many professionals use today.
LOG-MD replaces or augments several security and forensic tools, combing many features professionals rely on, into one easy to use utility. LOG-MD was designed to speed up the investigation of a suspect system, validate it is good and to speed up evaluating malware in a lab environment.
Malicious Discovery is a challenge for many and the Mean Time to Detection (MTTD) from a compromise or worse yet, a breach is still close to a year for most companies. LOG-MD is designed to be a cost effective utility to help small, medium, large and enterprise businesses improve their Malicious Discovery with a tool that can be run manually or distributed across the environment.
A NEW TOOL TO HELP YOU WITH THE FIGHT AGAINST INFECTIONS… MALWARE INFECTIONS.
The Log Malicious Discovery tool (Log-MD) is designed to assist Information Security and IT Professionals discover the artifacts needed to understand if a Windows system has a malware infection.
USE CASES:
There are multiple use cases for Log-MD, here are some to consider:
- Malware Analysis Lab – Use Log-MD to properly configure a malware analysis lab to collect needed logging data. After clearing the logs and then infecting the system, Log-MD can be run to collect artifacts from the malware. This will speed up Basic Malware Analysis. Artifacts collected include:
- The process used to connect to a destination IP address.
- Directory locations used by the malware
- Files executed or used by the malware
- Registry locations modified (requires auditing be set on keys you wish to monitor)
- New files added to a directory (requires auditing be set on directories you wish to monitor)
- Processes executed
- Command line parameters used
- Changes to system configuration such as Firewall configuration, scheduled tasks and new services
2. Investigate a suspect system – Log-MD can collect data once the systems auditing is properly configured to help determine if a system has been infected or is clean
3. Incident Response – Log-MD can be deployed to gather needed information on behavior of a system as a part of the response to a Security Incident
4. For IT, Auditors and Compliance professions, Log-MD can be used to provide a Compliance Audit report. Log-MD will report on the configuration of the system audit settings, or enterprise audit settings if GPO was used to apply settings. This report can be fed into a detailed report to management comparing what is set to well known system configuration standards for auditing.
5. Log-MD can help administrators and InfoSec professionals adjust their File, Directory and Registry Auditing settings by reviewing the output for 4663 and 4657 events and refining or removing noisy items that throw too many unwanted auditing events and are not security related.
