Custom EVTX Logs
SUMMARY
This lays out how to create a subscription (both source and collector initiated) that collects selected forwarded .evtx
event logs from a workstation to a domain controller.
ENVIRONMENT
HOSTNAME        | OS                           | BUILD NO.              | REMARKS
WIN-BO2CT95INDP | Windows Server 2016 Standard | 10.0.14393 Build 14393 | Collector Machine
APPLICATIONS/TOOLS USED
Windows SDK (Development Kit):
    ecmangen.exe
    mc.exe (Message Compiler)
    rc.exe (Resource Compiler)
csc.exe (C# Compiler)
wevtutil

Notes:
ecmangen.exe was removed from the Windows 10 SDK starting from 10.0.16299.15. Parallel installations of the Windows SDK are allowed; in this case, Windows 10 SDK 10.0.14393.795 was installed alongside the latest SDK version.
csc.exe is included in the Microsoft .NET Framework, which ships with Windows; the Framework version depends on the OS installed.
wevtutil is a command-line tool built into Windows and is run from the Command Prompt.
PROCEDURE
1. Create a manifest file
Open ecmangen.exe.

Create a new provider: on the left panel, right-click on the Events section, then select New -> Provider. Fill in the following fields:

FIELD     | VALUE
Name      | WEF-Events
Symbol    | WEF_Events
GUID      | Press "New" beside the input field
Resources | C:\Windows\System32\WEF-Events.dll
Messages  | C:\Windows\System32\WEF-Events.dll

On the right panel, click Save.

Then, create a new template: on the left panel, under WEF-Events, select Templates. On the right panel, select New Template. Fill in the following fields:

FIELD | VALUE
Name  | WEF-Template

Add the following field attributes (Count and Length are left at their defaults):

NAME    | INTYPE            | OUTTYPE        | COUNT   | LENGTH
Unicode | win:UnicodeString | xs:string      | default | default
UInt32  | win:UInt32        | xs:unsignedInt | default | -

On the right panel, click Save.

Create channels (maximum of 8): on the left panel, under WEF-Events, select Channels. On the right panel, select New Channel. Fill in the following fields for each channel:

NAME           | SYMBOL         | TYPE        | ENABLE | DESCRIPTION        | CHANNEL SECURITY
WEF-Security   | WEF_Security   | Operational | Yes    | DC Security Logs   | Default
WEF-System     | WEF_System     | Operational | Yes    | DC System Logs     | Default
WEF-PowerShell | WEF_PowerShell | Operational | Yes    | DC PowerShell Logs | Default
WEF-Sysmon     | WEF_Sysmon     | Operational | Yes    | DC Sysmon Logs     | Default

On the right panel, click Save.

Create a new event: on the left panel, under WEF-Events, select Events. On the right panel, select New Event. Fill in the following fields:

FIELD    | VALUE
Symbol   | WEF_Event
Event ID | 6969
Message  | $(string.WEF-Events.event.6969.message)
Channel  | WEF-Security
Template | WEF-Template
Keywords | win:AuditSuccess, win:AuditFailure

On the right panel, click Save.

Save the manifest file as "WEF_Events.man". Avoid the '-' character in the filename: the C# file that mc.exe generates from it will otherwise produce an error when compiled.
Resulting manifest file (XML formatted):
2. Compile the manifest file and generate relevant files (e.g. WEF-Events.dll)
Press Win + R, enter cmd, and navigate to where WEF_Events.man was saved. Then, enter the following commands:

1. mc.exe (Message Compiler)
The compiler generates the message resource files to which your application links.
Switches used:

OPTION           | DESCRIPTION
-css <namespace> | Generates a static C# class. It includes the methods that you would call to log the events defined in your manifest.

File(s) generated after execution:
MSG00001.bin
WEF_Events.cs
WEF_Events.h
WEF_Events.rc
WEF_EventsTEMP.bin

2. rc.exe (Resource Compiler)
rc.exe compiles an application's resources and can be used to build Windows-based applications.
File(s) generated after execution:
WEF_Events.res

3. csc.exe (C# Compiler)
No output means the command was successfully executed.
Switches used:

OPTION           | DESCRIPTION
/win32res:<file> | Specify a Win32 resource file (.res)
/unsafe          | Allow 'unsafe' code
/target:library  | Build a library (short form: /t:library)
/out:<file>      | Specify output file name (default: base name of file with main class or first file)

File(s) generated after execution:
WEF-Events.dll (the /out name must match the Resources and Messages path set in the manifest)
3. Install the manifest file with the matching DLL file
Move both files to the C:\Windows\System32 directory.
Install the manifest file using wevtutil:
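Steps 2 and 3 as one script, added here as an example and not taken from the original page. It assumes $SdkBin and $Csc point at your Windows SDK and .NET Framework installs (the paths shown are assumptions for the SDK 10.0.14393 layout and .NET Framework 4.x), that it runs from the folder holding WEF_Events.man, and that the PowerShell session is elevated, since wevtutil im registers the provider system-wide. The page types these commands into cmd; the executables and their arguments are the same there.

```powershell
# Added example (not from the original page): compile the manifest, build the DLL, install both.
# Assumptions: $SdkBin/$Csc match your installs; run elevated from the directory with WEF_Events.man.
$ErrorActionPreference = 'Stop'

$SdkBin   = 'C:\Program Files (x86)\Windows Kits\10\bin\x64'            # assumption: SDK 10.0.14393 layout
$Csc      = "$env:windir\Microsoft.NET\Framework64\v4.0.30319\csc.exe"  # assumption: .NET Framework 4.x
$Manifest = 'WEF_Events.man'
$Dll      = 'WEF-Events.dll'   # must equal the Resources/Messages file name given in the manifest

# Run a native tool and stop the script on a non-zero exit code
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# 1. mc.exe: manifest -> WEF_Events.h/.rc/.cs plus MSG00001.bin; -css <namespace> emits the C# class
Invoke-Tool (Join-Path $SdkBin 'mc.exe') @('-css', 'WEF.Events', $Manifest)

# 2. rc.exe: WEF_Events.rc -> WEF_Events.res (the compiled message table)
Invoke-Tool (Join-Path $SdkBin 'rc.exe') @('WEF_Events.rc')

# 3. csc.exe: build the library that carries the .res; /unsafe is required by the generated class
Invoke-Tool $Csc @('/win32res:WEF_Events.res', '/unsafe', '/target:library', "/out:$Dll", 'WEF_Events.cs')

# 4. Put both files where the manifest's resourceFileName/messageFileName point, then register.
#    The page moves the files; copying keeps the build output in place.
$Sys32 = Join-Path $env:windir 'System32'
Copy-Item -Path $Manifest, $Dll -Destination $Sys32 -Force
Invoke-Tool 'wevtutil.exe' @('im', (Join-Path $Sys32 $Manifest))
# If the manifest changes later, unregister the old one first: wevtutil um <path-to-manifest>

# 5. Verify the publisher and its channels are registered before building a subscription on them
wevtutil gp WEF-Events
wevtutil el | Where-Object { $_ -like 'WEF-*' }
```

wevtutil gp prints the publisher's metadata (GUID, resource and message file paths, channels); if the DLL path it shows does not exist, event descriptions will render empty even though the channels are present.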
4. The created logs should appear under Applications and Services Logs inside Event Viewer.
The logs generated can be used for created subscriptions. Additional columns can be added or removed from the logs (e.g. Log, Computer).
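Before pointing a subscription at the new channels, it is worth confirming that events can actually be written to and read back from them. The following smoke test is an added example, not part of the original page. It assumes the manifest from step 1 is installed, that the template field order is (UnicodeString, UInt32) so the payload is passed in that order, and that the session is elevated so New-WinEvent can open the provider for writing; the payload values are constructed test data.

```powershell
# Added example (not from the original page): write one event through the custom provider and read it back.
# Assumptions: manifest installed as above, template order (UnicodeString, UInt32), elevated session.
$ErrorActionPreference = 'Stop'

# The channels must exist and be enabled; a disabled channel records nothing for a subscription to collect
Get-WinEvent -ListLog 'WEF-*' | Select-Object LogName, IsEnabled, LogMode, RecordCount

# Write event 6969 through the manifest's template; values are constructed
New-WinEvent -ProviderName 'WEF-Events' -Id 6969 -Payload @('constructed test message', [uint32]42)

# Read it back from the channel the event is bound to. Message is rendered from the message DLL;
# an empty Message with a warning means Event Log could not load WEF-Events.dll from the manifest path.
$evt = Get-WinEvent -LogName 'WEF-Security' -MaxEvents 1
$evt | Select-Object TimeCreated, Id, ProviderName, LogName, MachineName, Message

# The XML view carries the template fields as <Data Name="Unicode"> and <Data Name="UInt32">;
# this is the form a subscription's XPath query filters on
$evt.ToXml()
```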