| WINDOWS | OS | BUILD No. | REMARKS |
|---|---|---|---|
| WIN-BO2CT95INDP | Windows Server 2016 Standard | 10.0.14393 Build 14393 | Collector Machine |
- Windows SDK (Development Kit):
- ecmangen.exe
- mc.exe (Message Compiler)
- rc.exe (Resource Compiler)
- csc.exe (C# Compiler)
- wevtutil
NOTE(S):
- ecmangen.exe was removed from the Windows 10 SDK starting from 10.0.16299.15
- Parallel installations of Windows SDK are allowed.
- In this case, Windows 10 SDK (10.0.14393.795) was installed alongside the latest SDK version.
- csc.exe is included in the Microsoft .NET Framework.
- .NET Framework is native to Windows Operating Systems.
- The Framework's version depends on the OS installed.
- wevtutil is a command native to the Command Prompt
-
Create a manifest file:
-
Open
ecmangen.exe:C:\Program Files (x86)\Windows Kits\10\bin\x64\ecmangen.exe -
Create a new provider:
-
On the left panel, right click on
Events Sectionthen select New -> Provider. -
Fill up the following fields:
FIELD VALUE Name WEF-EventsSymbol WEF_EventsGUID Press Newbeside the input fieldResources C:\Windows\System32\WEF-Events.dllMessages C:\Windows\System32\WEF-Events.dll -
On the right panel, click on
Save.
-
-
Create a new template:
-
On the left panel, under
WEF-Events, selectTemplates. -
On the right panel, select
New Template. -
Fill up the following fields:
FIELD VALUE Name WEF-Template -
Add
Field Attributes:Name InType OutType Count Length Unicode win:UnicodeString xs:string default default UInt32 win:UInt32 xs:unsignedInt default - -
On the right panel, click
Save.
-
-
Create channels (maximum of 8):
-
On the left panel, under
WEF-Events, selectChannels. -
On the right panel, select
New Channel. -
Fill up the following fields:
NAME SYMBOL TYPE ENABLE DESCRIPTION CHANNEL SECURITY WEF-Security WEF_Security Operational Yes DC Security Logs Default WEF-System WEF_System Operational Yes DC System Logs Default WEF-PowerShell WEF_PowerShell Operational Yes DC PowerShell Logs Default WEF-Sysmon WEF_Sysmon Operational Yes DC Sysmon Logs Default -
On the right panel, click
Save.
-
-
Create a new event:
-
On the left panel, under
WEF-Events, selectEvents. -
On the right panel, select
New Event. -
Fill up the following fields:
FIELD VALUE Symbol WEF_EventEvent ID 6969Message $(string.WEF-Events.event.6969.message)Channel WEF-SecurityTemplate WEF-TemplateKeywoards win:AuditSuccess,win:AuditFailure -
On the right panel, click on
Save.
-
-
Save the manifest file as "WEF_Events.man"
NOTE(S):
-
Avoid using the character, '
-', in the filename.- The generated C# file during compiling will face an error.
-
Resulting manifest file (XML formatted):
<?xml version="1.0"?> <instrumentationManifest xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd" xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace"> <instrumentation> <events> <provider name="WEF-Events" guid="{CB3EB4AA-FEDD-41C4-A7BB-E173045E4DC7}" symbol="WEF_Events" resourceFileName="C:\Windows\System32\WEF_Events.dll" messageFileName="C:\Windows\System32\WEF_Events.dll"> <events> <event symbol="WEF_Event" value="6969" version="0" channel="WEF-Security" template="WEF-Template" keywords="win:AuditSuccess win:AuditFailure " message="$(string.WEF-Events.event.6969.message)"></event> </events> <channels> <channel name="WEF-Security" chid="WEF-Security" symbol="WEF_Security" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_Security.message)"></channel> <channel name="WEF-System" chid="WEF-System" symbol="WEF_System" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_System.message)"></channel> <channel name="WEF-PowerShell" chid="WEF-PowerShell" symbol="WEF_PowerShell" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_PowerShell.message)"></channel> <channel name="WEF-Sysmon" chid="WEF-Sysmon" symbol="WEF_Sysmon" type="Operational" enabled="true" message="$(string.WEF-Events.channel.WEF_Sysmon.message)"></channel> </channels> <keywords></keywords> <templates> <template tid="WEF-Template"> <data name="Unicode" inType="win:UnicodeString" outType="xs:string"></data> <data name="UInt32" inType="win:UInt32" outType="xs:unsignedInt"></data> </template> </templates> </provider> </events> </instrumentation> <localization> <resources culture="en-US"> <stringTable> <string id="keyword.AuditSuccess" value="Audit Success"></string> <string id="keyword.AuditFailure" value="Audit Failure"></string> <string id="WEF-Events.event.6969.message" value="$(string.WEF-Events.event.6969.message)"></string> <string id="WEF-Events.channel.WEF_System.message" value="DC System Logs"></string> <string id="WEF-Events.channel.WEF_Sysmon.message" value="DC Sysmon Logs"></string> <string id="WEF-Events.channel.WEF_Security.message" value="DC Security Logs"></string> <string id="WEF-Events.channel.WEF_PowerShell.message" value="DC PowerShell Logs"></string> </stringTable> </resources> </localization> </instrumentationManifest>
-
-
-
Compile the manifest file and generate relevant files (e.g. WEF-Events.dll)
-
Press
Win+Rthen entercmd. -
Navigate to where
WEF_Events.manwas saved. -
Enter the following commands:
-
mc.exe (Message Compiler)
"C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe" WEF_Events.man "C:\Program Files (x86)\Windows Kits\10\bin\x64\mc.exe" -css WEF_Events.DummyEvent WEF_Events.man
NOTE(S):
-
The compiler generates the message resource files to which your application links.
-
Switches used:
OPTION DESCRIPTION -css <namespace> - Generates a static C# class
- It includes the methods that you would call to log the events defined in your manifest
-
File(s) generated after execution:
- MSG00001.bin
- WEF_Events.cs
- WEF_Events.h
- WEF_Events.rc
- WEF_EventsTEMP.bin
-
-
rc.exe (Resource Compiler)
"C:\Program Files (x86)\Windows Kits\10\bin\x64\rc.exe" WEF_Events.rc # Microsoft (R) Windows (R) Resource Compiler Version 10.0.10011.16384 # Copyright (C) Microsoft Corporation. All rights reserved.NOTE(S):
-
rc.execompiles an application's resources and could be used to build Windows-based applications. -
File(s) generated after execution:
- WEF_Events.res
-
-
csc.exe (C# Compiler)
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /win32res:WEF_Events.res /unsafe /target:library /out:WEF_Events.dll WEF_Events.csNOTE(S):
-
No output means the command was successfully executed
-
Switches used:
OPTION DESCRIPTION /win32res:<file> Specify a Win32 resource file (.res) /unsafe Allow 'unsafe' code /target:library Build a library (Short form: /t:library) /out:<file> Specify output file name (default: base name of file with main class or first file) -
File(s) generated after execution:
- WEF_Events.dll
-
-
-
-
Install the manifest file with the matching dll file:
-
Move both files to the
C:\Windows\System32directory:copy .\WEF_Events.man C:\Windows\System32\WEF_Events.man copy .\WEF_Events.dll C:\Windows\System32\WEF_Events.dll
-
Install the manifest file using
wevtutil:wevtutil im C:\Windows\System32\WEF_Events.man
-
-
The created logs should appear under
Applications and Services Logsinside Event ViewerNOTE(S):
- The logs generated could be used for created subscriptions.
- Additional columns could be added/removed from the logs (e.g.
Log,Computer)
- https://blogs.technet.microsoft.com/russellt/2016/05/18/creating-custom-windows-event-forwarding-logs/
- https://stackoverflow.com/questions/53028775/cannot-locate-ecmangen
- https://developer.microsoft.com/en-us/windows/downloads/sdk-archive
- https://blogs.msdn.microsoft.com/astebner/2007/03/14/mailbag-what-version-of-the-net-framework-is-included-in-what-version-of-the-os/
- https://docs.microsoft.com/en-us/windows/win32/wes/message-compiler--mc-exe-
- https://docs.microsoft.com/en-us/windows/win32/menurc/using-rc-the-rc-command-line-