NCC Group Security Labs - Windows Activity Logger: the all-seeing-eye
Providing You a Window of Detailed Insight
NCC Group Labs has developed a product designed to provide unparalleled insight into the activities of sophisticated threat actors on Microsoft Windows hosts.
The product is proactively deployed across your Microsoft Windows estate with no discernible impact on system performance.
The product works by maintaining a three-hour rolling window of insight into system activity without polluting your Microsoft Windows Event Log. The data logged includes:
- Process creation including command line and parameters.
- Thread creation.
- LoadImage events.
- Windows Registry key creation, deletion and renaming.
- TCP and UDP connections including remote host address, port and source process ID.
- File system activity such as creation, deletion and renaming.
In the free version of the product, the log can be obtained from the host by running a simple command line tool.
In the commercial version of the product you not only get world-class support, you are also able to configure the product to send its logs to a central location.
Free or commercial
Free to use on up to 10 hosts (physical or virtual) in a single organization.
If you are interested in buying a copy, simply contact either:
- Your NCC Group account manager referencing 'NCC Group Windows Activity Logger'
- Central sales via e-mail at WindowsActivityLogger@nccgroup.com
You can download the installation packages using the links on the right.
If you run into a bug, even as an unpaid user, feel free to send a bug report via e-mail.
How To Use
First install the product and allow it to collect logs. To obtain the current log window, run the following commands from an administrator command prompt. The binaries reside in '%PROGRAMFILES%\NCC Group\Windows Activity Logger'; either add that folder to your search path or run the commands from within it.

| Command | Effect |
| LogFileReader todisk | Dumps the current window of logs to disk in %ProgramData% (e.g. C:\ProgramData\). |
| LogFileReader toxml C:\ProgramData\ | Converts every file in the given folder to XML. Each XML file is typically 1.5 times the size of its source file. |

Note: these commands require administrator access.
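The two-step collection above, scripted for an incident responder who needs to pull the window off a host. This is an added example, not code from the NCC Group page or product. It assumes the tool is LogFileReader.exe in the install folder named above and that 'todisk' and 'toxml <folder>' behave exactly as documented there; the elevation check, the before/after file listing and the free-space check are additions for safety, not product features.

```powershell
# Added example, not code from the NCC Group page or product: collect the current
# rolling window from a host and convert it to XML, from an elevated PowerShell prompt.
# Assumptions: the tool is LogFileReader.exe in the install folder named on the page,
# and 'todisk' / 'toxml <folder>' behave as documented there.

$ErrorActionPreference = 'Stop'

# Both commands require administrator access; fail before touching anything.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell prompt.'
}

$installDir = Join-Path $env:ProgramFiles 'NCC Group\Windows Activity Logger'
$reader     = Join-Path $installDir 'LogFileReader.exe'
if (-not (Test-Path $reader)) { throw "LogFileReader.exe not found in '$installDir'" }

# Snapshot %ProgramData% first so the files written by 'todisk' can be told apart
# from whatever else lives there.
$dumpDir = $env:ProgramData
$before  = @(Get-ChildItem -Path $dumpDir -File | ForEach-Object FullName)

# Step 1: flush the in-memory window (up to three hours) to disk.
$proc = Start-Process -FilePath $reader -ArgumentList 'todisk' -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "todisk failed with exit code $($proc.ExitCode)" }

$new = @(Get-ChildItem -Path $dumpDir -File | Where-Object { $before -notcontains $_.FullName })
if ($new.Count -eq 0) {
    Write-Warning "No new files in the root of $dumpDir; the tool may write to a subfolder."
} else {
    'Files written by todisk:'
    $new | Format-Table Name, Length, LastWriteTime -AutoSize

    # Step 2 needs roughly 1.5x the source size for the XML output; check free space first.
    $needed = ($new | Measure-Object -Property Length -Sum).Sum * 1.5
    $free   = (Get-PSDrive -Name $dumpDir.Substring(0, 1)).Free
    if ($free -lt $needed) {
        throw ('Only {0:N0} bytes free on {1}; about {2:N0} needed for the XML' -f $free, $dumpDir, $needed)
    }
}

# Step 2: convert every file in the folder to XML, exactly as the page's command does.
$proc = Start-Process -FilePath $reader -ArgumentList "toxml $dumpDir\" -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "toxml failed with exit code $($proc.ExitCode)" }
```

Run it as a whole from an elevated prompt. If you are collecting for an investigation, copy the dumped files and the XML off the host before anything else writes to %ProgramData%; the page does not say whether a later 'todisk' overwrites earlier dumps.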
How To Upgrade
Simply install the new version and the driver, service and command line tool will be automatically updated.
Configuration
All Windows Registry settings are stored under 'HKLM\Software\NCC Group\Windows Activity Logger':

| Value | Type | Meaning | Default |
| Log Level | DWORD | Controls how much of the product's own diagnostic output goes to the Windows Event Log: 1 = errors only; 2 = errors and warnings; 3 = errors, warnings and info. | Not documented |
| SaveOnStop | DWORD | Whether the current window is saved to disk when the service is stopped: 0 = no; 1 = yes. | Not documented |
| SaveOnShutdown | DWORD | Whether the current window is saved to disk at system shutdown: 0 = no; 1 = yes. | Not documented |
| MaxRam | DWORD | Approximate limit on RAM usage, in MB; minimum 64 MB. | Installer sets 50% of available RAM; 2048 MB when the entry is not present. |
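The settings above, read and written from PowerShell. This is an added example, not code from the NCC Group page or product. It assumes the value names are exactly as listed (including the space in 'Log Level'); the page does not say whether the service must be restarted for a change to take effect, so the script restarts nothing. The security-relevant choice is SaveOnStop and SaveOnShutdown: the window is held in RAM (MaxRam caps it), so with both at 0 a service stop or reboot during an incident discards the evidence. The usage call at the end enables both and caps RAM at 1 GB, and it does modify the live configuration when run.

```powershell
# Added example, not code from the NCC Group page or product: read and set the
# Windows Activity Logger registry values documented above. Assumptions: the value
# names are exactly as listed ('Log Level' including the space, SaveOnStop,
# SaveOnShutdown, MaxRam); whether the service must be restarted to pick up a
# change is not stated on the page, so this script does not restart anything.

$ErrorActionPreference = 'Stop'
$Key = 'HKLM:\Software\NCC Group\Windows Activity Logger'

function Get-WalSetting {
    # Returns the DWORD value, or $Default when the entry is absent. The page documents
    # only MaxRam's built-in default (2048 MB); the others return $null if missing.
    param([string]$Name, $Default = $null)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Show-WalSettings {
    [pscustomobject][ordered]@{
        'Log Level'    = Get-WalSetting 'Log Level'
        SaveOnStop     = Get-WalSetting 'SaveOnStop'
        SaveOnShutdown = Get-WalSetting 'SaveOnShutdown'
        MaxRamMB       = Get-WalSetting 'MaxRam' 2048
    }
}

function Set-WalSettings {
    param(
        [ValidateRange(1, 3)][int]$LogLevel,        # 1 errors, 2 +warnings, 3 +info
        [ValidateRange(0, 1)][int]$SaveOnStop,
        [ValidateRange(0, 1)][int]$SaveOnShutdown,
        [ValidateRange(64, [int]::MaxValue)][int]$MaxRamMB   # page: minimum 64 MB
    )
    # The installer picks 50% of RAM; warn if asked for more than that on this host.
    $physMB = [int]((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    if ($MaxRamMB -gt ($physMB / 2)) {
        Write-Warning "MaxRam $MaxRamMB MB is above half of physical RAM ($physMB MB)."
    }
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-ItemProperty -Path $Key -Name 'Log Level'      -Value $LogLevel       -Type DWord
    Set-ItemProperty -Path $Key -Name 'SaveOnStop'     -Value $SaveOnStop     -Type DWord
    Set-ItemProperty -Path $Key -Name 'SaveOnShutdown' -Value $SaveOnShutdown -Type DWord
    Set-ItemProperty -Path $Key -Name 'MaxRam'         -Value $MaxRamMB       -Type DWord
}

'Before:'; Show-WalSettings
# Keep the window on service stop and at shutdown, errors-and-warnings diagnostics, 1 GB cap.
Set-WalSettings -LogLevel 2 -SaveOnStop 1 -SaveOnShutdown 1 -MaxRamMB 1024
'After:';  Show-WalSettings
```

Writing under HKLM requires an elevated prompt. Pushing the same values across an estate is a matter of running Set-WalSettings through your configuration management tooling; the validation attributes reject out-of-range values (such as a MaxRam below 64 MB) before anything is written.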
Version History
1.0.6 - November 27, 2014: reduced the product's own Event Log logging and further improved performance.
1.0.5 - November 26, 2014: added understanding of protected processes.
1.0.4 - November 24, 2014: added the parent PID of the process to the output XML.
1.0.3 - November 22, 2014: added the username of the process to the output XML.
1.0.2 - November 21, 2014: adjustments to how log files are stored.
1.0.0 - November 19, 2014: initial release.