A new tool to help you with the fight against infections... Malware infections.
LOG-MD Professional has more features to further help with discovering malicious behavior. Basic features to help all users harvest valuable log events, baseline files and the registry, and compare them on suspect systems or your malware lab. LOG-MD Professional includes the following features:
Audit the system log settings, you can't collect what is not set with a PASS/FAIL score and what failed
Bypass minimum audit log compliance requirements in order to harvest logs that are enabled and collecting, even if system is non-compliant to the Windows Logging Cheat Sheet
PowerShell version and audit log settings information
Create a report of audit settings
Guide you to enable and configure needed audit log settings required by LOG-MD
Harvest security related log events
a. Pro creates 25 detailed log reports to discover malicious activity
b. Resolve IP addresses with whois information from the Windows Firewall and Sysmon logs to know the owner, network, country of origin and network range
7. Command line summary and detailed WhoIs lookups if IPv4 addresses
File system hash baseline of all system files
8. Compare the system files against a baseline and create a report of differences
a. Compare good file system hashes against a suspect system eliminating known good files
9. Baseline the registry
10. Compare the registry against a baseline and create a report of differences
a. Compare a good system registry snapshot against a suspect system eliminating known good keys and values
11. Summary and detailed reports of large registry keys hiding malicious scripts and payloads (used by so called "Fileless" malware)
12. Whitelists to filter out known good large registry keys and files or hashes
13. Additional reports detailing specific changes to the system
a. Supports third party add-ons such as Sysmon
14. Interesting Artifacts report to point out known exploitation artifacts
a. Keys containing a null byte to hide malicious artifacts
b. Sticky keys exploit
c. files with unicode characters
c. More interesting artifacts that indicates a system is already compromised
15. Autoruns - Produce a report of well known Autorun persistence locations and uses the Master-Digest to reduce known good hashes of binaries, and a specialized whitelist to exclude autoruns with parameters that the Master-Digest cannot, making it really fast to find malicious activity locations when the system starts up.
16. Running Processes and their modules - Produce a report of all visible running processes and their modules and uses the Master-Digest to reduce known good hashes of binaries, and a specialized whitelist to exclude known processes or modules that are noisey, making it really fast to find malicious process and modules.
17. SRUM netflow by application report (Win 8.1 and Win 10 64 bit only) that lists how many bytes sent and received from a given application. helps to answer "How much data was lost" and "When was the system first compromised".
18. VirusTotal lookups of hashes and/or files from 5 reports to create up to 10 VT reports
19. LOG-MD-Pro Slack Channel Community - Join other LOG-MD-Pro users, ask questions, provide, or get tips, share ideas and collaborate! The idea is to share what works for you and pass it on.
20. 69 page user manual describing all the details about LOG-MD-Professional, and two other manuals “Automating LOG-MD-Pro with Scheduled Tasks“ and “Getting Started with LOG-MD-Pro and send to a log solution“ to help you fully utilize LOG-MD-Professional.
21. Includes ARTHIR ‘ATT&CK Remote Threat Hunting Incident Response‘ PowerShell scripting toolkit with all LOG-MD-Pro modules.
To get started and for help with LOG-MD Free Edition type;
Audit your system against the following industry standards:
The "Windows Logging Cheat Sheet" (WLCS)
The Center for Internet Security (CIS) Windows Benchmarks
The US GCB
The Australian Cyber Standards
LOG-MD Professional creates 22 specialized log reports to help speed up analysis and make malicious behavior more obvious.
Special Malicious Discovery features:
LOG-MD provides addition Malicious Discovery features to help discover malicious artififacts such as:
Sticky Keys exploit existing on the system
Null byte used in the registry used to hide malicious artifacts
WhoIs look ups of discovered IP's
New features introduced quarterly!
LOG-MD Professional is licensed by the user. IMF Security does not restrict the amount of systems LOG-MD Professional may be used on within the company. Users actually managing, executing and working with LOG-MD will need to purchase a licenses for each user. Read the LOG-MD End User License Agreement for the details of the agreement.
Consultants are prohibited from using LOG-MD Professional and must purchase LOG-MD Professional for Consultants.
Here is the latest version updates.
Added VirusTotal lookups of hashes and/or files
Added CMD line summary and detailed WhoIs lookups of IPv4 addresses
Added PowerShell version and audit log setting status
Fixed bug that stopped log collection if variable in message could not be resolved