Custom EVTX Logs

SUMMARY

This lays out how to create a subscription (both source and collector initiated) that collects selected forwarded .evtx event logs from a workstation to a domain controller.

ENVIRONMENT

WINDOWS

BUILD NO.

REMARKS

WIN-BO2CT95INDP

Windows Server 2016 Standard

10.0.14393 Build 14393

Collector Machine

APPLICATIONS/TOOLS USED

Windows SDK (Development Kit):
- ecmangen.exe
- mc.exe (Message Compiler)
- rc.exe (Resource Compiler)
csc.exe (C# Compiler)
wevtutil

ecmangen.exe was removed from the Windows 10 SDK starting from 10.0.16299.15
- Parallel installations of Windows SDK are allowed.
- In this case, Windows 10 SDK (10.0.14393.795) was installed alongside the latest SDK version.
csc.exe is included in the Microsoft .NET Framework.
- .NET Framework is native to Windows Operating Systems.
- The Framework's version depends on the OS installed.
wevtutil is a command native to the Command Prompt

PROCEDURE

1. Create a manifest file

Open ecmangen.exe:

C:\Program Files (x86)\Windows Kits\10\bin\x64\ecmangen.exe

Create a new provider:

On the left panel, right click on Events Section then select New -> Provider.
Fill up the following fields:
FIELD
VALUE
Name
WEF-Events
Symbol
WEF_Events
GUID
Press "New" beside the input field
Resources
C:\Windows\System32\WEF-Events.dll
Messages
C:\Windows\System32\WEF-Events.dll

On the right panel, click on Save. Then, create a new template:

On the left panel, under WEF-Events, select Templates.
On the right panel, select New Template.
Fill up the following fields:
FIELD
VALUE
Name
WEF-Template
Add Field Attributes:
Name
InType
OutType
Count
Length
Unicode
win:UnicodeString
xs:string
default
default
UInt32
win:UInt32
xs:unsignedInt
default
-
On the right panel, click Save.

Create channels (maximum of 8):

On the left panel, under WEF-Events, select Channels.
On the right panel, select New Channel.
Fill up the following fields:
NAME
SYMBOL
TYPE
ENABLE
DESCRIPTION
CHANNEL SECURITY
WEF-Security
WEF_Security
Operational
Yes
DC Security Logs
Default
WEF-System
WEF_System
Operational
Yes
DC System Logs
Default
WEF-PowerShell
WEF_PowerShell
Operational
Yes
DC PowerShell Logs
Default
WEF-Sysmon
WEF_Sysmon
Operational
Yes
DC Sysmon Logs
Default
On the right panel, click Save.

Create a new event:

On the left panel, under WEF-Events, select Events.
On the right panel, select New Event.
Fill up the following fields:
FIELD
VALUE
Symbol
WEF_Event
Event ID
6969
Message
$(string.WEF-Events.event.6969.message)
Channel
WEF-Security
Template
WEF-Template
Keywords
`win:AuditSuccess`, `win:AuditFailure`
On the right panel, click on Save.

Save the manifest file as "WEF_Events.man"

Avoid using the character, '-', in the filename.
- The generated C# file during compiling will face an error.

Resulting manifest file (XML formatted):

<?xml version="1.0"?>
<instrumentationManifest xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd" xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace">
  <instrumentation>
 <events>
      <provider name="WEF-Events" guid="{CB3EB4AA-FEDD-41C4-A7BB-E173045E4DC7}" symbol="WEF_Events" resourceFileName="C:\Windows\System32\WEF_Events.dll" messageFileName="C:\Windows\System32\WEF_Events.dll">
        <events>
          <event symbol="WEF_Event" value="6969" version="0" channel="WEF-Security" template="WEF-Template" keywords="win:AuditSuccess win:AuditFailure " message="$(string.WEF-Events.event.6969.message)"></event>
        </events>
        <channels>
          <channel name="WEF-Security" chid="WEF-Security" symbol="WEF_Security" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_Security.message)"></channel>
          <channel name="WEF-System" chid="WEF-System" symbol="WEF_System" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_System.message)"></channel>
          <channel name="WEF-PowerShell" chid="WEF-PowerShell" symbol="WEF_PowerShell" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_PowerShell.message)"></channel>
          <channel name="WEF-Sysmon" chid="WEF-Sysmon" symbol="WEF_Sysmon" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_Sysmon.message)"></channel>
        </channels>
        <keywords></keywords>
        <templates>
          <template tid="WEF-Template">
            <data name="Unicode" inType="win:UnicodeString" outType="xs:string"></data>
        <data name="UInt32" inType="win:UInt32" outType="xs:unsignedInt"></data>
          </template>
        </templates>
      </provider>
    </events>
  </instrumentation>
  <localization>
    <resources culture="en-US">
      <stringTable>
        <string id="keyword.AuditSuccess" value="Audit Success"></string>
        <string id="keyword.AuditFailure" value="Audit Failure"></string>
        <string id="WEF-Events.event.6969.message" value="$(string.WEF-Events.event.6969.message)"></string>
        <string id="WEF-Events.channel.WEF_System.message" value="DC System Logs"></string>
        <string id="WEF-Events.channel.WEF_Sysmon.message" value="DC Sysmon Logs"></string>
        <string id="WEF-Events.channel.WEF_Security.message" value="DC Security Logs"></string>
        <string id="WEF-Events.channel.WEF_PowerShell.message" value="DC PowerShell Logs"></string>
      </stringTable>
    </resources>
  </localization>
</instrumentationManifest>

2. Compile the manifest file and generate relevant files (e.g. WEF-Events.dll)

Press Win + R then enter cmd and navigate to where WEF_Events.man was saved. Then, enter the following commands:

1. mc.exe (Message Compiler)

   "C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe" WEF_Events.man
   "C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe" -css WEF_Events.DummyEvent WEF_Events.man

The compiler generates the message resource files to which your application links.
Switches used:
OPTION
DESCRIPTION
-css <namespace>
Generates a static C# class
It includes the methods that you would call to log the events defined in your manifest

File(s) generated after execution:

MSG00001.bin
WEF_Events.cs
WEF_Events.h
WEF_Events.rc
WEF_EventsTEMP.bin

2. rc.exe (Resource Compiler)

"C:\Program Files (x86)\Windows Kits\10\bin\x64\rc.exe" WEF_Events.rc

# Microsoft (R) Windows (R) Resource Compiler Version 10.0.10011.16384
# Copyright (C) Microsoft Corporation.  All rights reserved.

rc.exe compiles an application's resources and could be used to build Windows-based applications.
File(s) generated after execution:
- WEF_Events.res

3. csc.exe (C# Compiler)

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /win32res:WEF_Events.res /unsafe /target:library /out:WEF_Events.dll WEF_Events.cs

No output means the command was successfully executed
Switches used:
OPTION
DESCRIPTION
/win32res:<file>
Specify a Win32 resource file (.res)
/unsafe
Allow 'unsafe' code
/target:library
Build a library (Short form: /t:library)
/out:<file>
Specify output file name (default: base name of file with main class or first file)
File(s) generated after execution -- WEF_Events.dll

3. Install the manifest file with the matching dll file:

Move both files to the C:\Windows\System32 directory:

copy .\WEF_Events.man C:\Windows\System32\WEF_Events.man
copy .\WEF_Events.dll C:\Windows\System32\WEF_Events.dll

Install the manifest file using wevtutil:

wevtutil im C:\Windows\System32\WEF_Events.man

4. The created logs should appear under `Applications and Services Logs` inside Event Viewer

The logs generated could be used for created subscriptions.
Additional columns could be added/removed from the logs (e.g. Log, Computer)

REFERENCES

- https://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/
- https://stackoverflow.com/questions/53028775/cannot-locate-ecmangen
- https://developer.microsoft.com/en-us/windows/downloads/sdk-archive
- https://blogs.msdn.microsoft.com/astebner/2007/03/14/mailbag-what-version-of-the-net-framework-is-included-in-what-version-of-the-os/
- https://docs.microsoft.com/en-us/windows/win32/wes/message-compiler--mc-exe-
- https://docs.microsoft.com/en-us/windows/win32/menurc/using-rc-the-rc-command-line-

PreviousWindows Event Fowarder NextFlags

Last updated 2 years ago