Using Whitelists with LOG-MD gives you a way of filtering out the Good Junk, or at least what you think is not malicious. When you first start using LOG-MD Free Edition you will find that Report.csv contains a lot of events you think, or expect, are normal noise, with obvious executions to reinforce that they are normal. You must be careful with whitelists: you do not want to filter out items that can be used maliciously, or add entries that are so broad they filter out more than intended. It is recommended you start out conservatively until you understand the impact of what you are filtering out. The great thing about LOG-MD is that the items you add to the whitelists are not really gone; they are moved to the report Report_Whitelisted_out.csv, allowing you to review the exclusions and undo anything you actually want to keep.
LOG-MD Free Edition provides 3 whitelists to filter down the events harvested from the logs. The whitelists are:
- Whitelist_Log_Cmd_and_Process.txt
- Whitelist_Log_IP_Address.txt
- Whitelist_Log_File_and_Registry.txt
Let's look at the first whitelist, "Whitelist_Log_Cmd_and_Process.txt". This whitelist focuses on Process Creation, Event ID 4688. The two columns that are filtered by this whitelist are:
- Column E - Process_Command_Line/CommandLine
- Column I - New_Process_Name/App_Name/Image
It is recommended that you focus on filtering out by the Process Command Line, as this is the most unique data and lets you exclude only the items that contain that specific command line execution.
Example: In Windows 10 the popup keyboard command, tabtip, has some unique command lines. The process name that executes tabtip is:
- c:\program files\common files\microsoft shared\ink\tabtip.exe
Now if you look at the actual command lines that are executed as a part of tabtip, they look like this:
- /quitinfo:0000000000000a30;0000000000000ac8;
- /quitinfo:0000000000000b28;0000000000000b0c;
- /quitinfo:0000000000000b28;0000000000000b0c;
- /quitinfo:0000000000000b44;0000000000000b28;
- /quitinfo:0000000000000b44;0000000000000b28;
- /quitinfo:0000000000000b44;0000000000000b28;
- /quitinfo:0000000000000bcc;0000000000000bd8;
- /quitinfo:0000000000000bf4;0000000000000a1c;
So which do you add to the whitelist, the Process Name or the Command Line? Rule #1: always whitelist by Command Line. What you cannot predict is what exploit the malwarians might come up with for tabtip.exe in the future.
For example, there is an exploit for sysprep.exe, a well known Windows admin utility that is usually just executed as sysprep.exe, but the malwarians figured out that if you write a malicious Dll named Cryptbase.dll you can execute the following command line and compromise the system, or at least elevate privileges.
- Sysprep cryptbase.dll
So if you had whitelisted by the process name sysprep.exe, you would whitelist out the malicious execution as well, because a process name entry silences every invocation of that binary no matter what arguments it was given. Moral of the story: whitelist primarily by Command Line executions, and use Process Name ONLY when you are certain the command is useless noise without any value.
To get back to our tabtip example, you can combine all eight of these command line executions into one whitelist entry by using the following:
- /quitinfo:0000000000000
This single entry takes care of all eight of the tabtip executions, and any others that share the same /quitinfo: prefix, while still being specific enough that a malicious use of tabtip.exe with a different command line would stay in Report.csv rather than being filtered out.
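To make the difference between the two approaches concrete, here is an added example (not LOG-MD's own code) that re-implements the two-column filter over a handful of constructed Report.csv rows: the three /quitinfo: command lines from above plus a constructed "unexpected" tabtip.exe invocation and two sysprep.exe rows. It assumes a whitelist entry excludes a row when it appears as a case-insensitive substring of column E or column I (the prefix entry above implies substring matching; case-folding is this example's assumption), and it tags each excluded row with the entry that removed it, the way Report_Whitelisted_out.csv lets you review an exclusion.

```python
import csv
import io
from collections import Counter

# Constructed sample rows shaped like the two Report.csv columns the whitelist
# inspects (column E and column I); the other report columns are omitted.
# The first three command lines are taken from the post; the "unexpected"
# tabtip row and the two sysprep rows are constructed to illustrate the risk.
SAMPLE_REPORT = r"""Event_ID,Process_Command_Line,New_Process_Name
4688,/quitinfo:0000000000000a30;0000000000000ac8;,c:\program files\common files\microsoft shared\ink\tabtip.exe
4688,/quitinfo:0000000000000b28;0000000000000b0c;,c:\program files\common files\microsoft shared\ink\tabtip.exe
4688,/quitinfo:0000000000000bf4;0000000000000a1c;,c:\program files\common files\microsoft shared\ink\tabtip.exe
4688,tabtip.exe /unexpected-switch,c:\program files\common files\microsoft shared\ink\tabtip.exe
4688,sysprep.exe,c:\windows\system32\sysprep\sysprep.exe
4688,sysprep cryptbase.dll,c:\windows\system32\sysprep\sysprep.exe
"""

# Two candidate Whitelist_Log_Cmd_and_Process.txt contents, one entry per line.
WHITELIST_BY_PROCESS_NAME = "tabtip.exe\nsysprep.exe\n"   # what Rule #1 says not to do
WHITELIST_BY_COMMAND_LINE = "/quitinfo:0000000000000\n"   # the post's combined tabtip entry

CMD_COL = "Process_Command_Line"   # column E
IMG_COL = "New_Process_Name"       # column I


def load_whitelist(text):
    """One entry per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def entry_matches(entry, row):
    """Assumption: an entry excludes a row when it is a case-insensitive
    substring of either filtered column."""
    needle = entry.lower()
    return needle in row[CMD_COL].lower() or needle in row[IMG_COL].lower()


def apply_whitelist(report_csv, whitelist_text):
    """Split report rows into those that stay in Report.csv and those moved
    to Report_Whitelisted_out.csv, tagging each moved row with the entry
    that removed it so the exclusion can be reviewed and undone."""
    entries = load_whitelist(whitelist_text)
    kept, whitelisted_out = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        hit = next((e for e in entries if entry_matches(e, row)), None)
        if hit is None:
            kept.append(row)
        else:
            row["Matched_Whitelist_Entry"] = hit
            whitelisted_out.append(row)
    return kept, whitelisted_out


def exclusion_counts(whitelisted_out):
    """How many rows each entry removed: a quick check for entries that
    are too broad, before you trust them."""
    return Counter(row["Matched_Whitelist_Entry"] for row in whitelisted_out)


def remaining_command_lines(report_csv, whitelist_text):
    """Command lines still left in Report.csv after the whitelist is applied."""
    kept, _ = apply_whitelist(report_csv, whitelist_text)
    return [row[CMD_COL] for row in kept]


if __name__ == "__main__":
    for label, wl in (("by process name", WHITELIST_BY_PROCESS_NAME),
                      ("by command line", WHITELIST_BY_COMMAND_LINE)):
        kept, out = apply_whitelist(SAMPLE_REPORT, wl)
        print(f"Whitelist {label}: {len(kept)} kept, {len(out)} whitelisted out")
        print("  removed per entry:", dict(exclusion_counts(out)))
        for row in kept:
            print("  still in Report.csv:", row[CMD_COL])
```

Run as written, the process-name whitelist empties Report.csv entirely, including the "sysprep cryptbase.dll" row, while the command-line entry removes only the three /quitinfo: rows and leaves the unexpected tabtip invocation and both sysprep rows for you to look at. The per-entry counts are the check to run against Report_Whitelisted_out.csv whenever you add an entry: one entry accounting for a surprisingly large share of the exclusions is the sign it is too broad.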
And that is how you use Whitelist_Log_Cmd_and_Process to exclude the Good Junk from LOG-MD!
Happy Hunting!