Home
The following is a sanitized guide (system identifiers removed to protect the legally bound) that was created to document some adventures in Windows event forwarding. Hopefully you will find it useful.
Microsoft seems to have taken some ideas from Syslog and may have improved on them. They developed an eventing service that is managed via Group Policy (GPO) and event subscriptions. In our implementation, we deployed three source-initiated subscriptions across three Azure servers. Before we get into details, here are some recommended readings:
- Blog entry introducing WEF: https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/
- Setting up a source initiated subscription: https://msdn.microsoft.com/en-us/library/bb870973(v=vs.85).aspx
- Tiered Subscriptions: https://blogs.msdn.microsoft.com/canberrapfe/2015/09/21/diy-client-monitoring-setting-up-tiered-event-forwarding/
- Palantir's take on WEF: https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f (blog) and https://github.com/palantir/windows-event-forwarding (code)
- Microsoft's suggestions for intrusion detection using WEF: https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
- Intro on using WEF: https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4
- neu5ron's work on WEF: https://github.com/neu5ron/WinLogsZero2Hero
- HELK - collecting windows events with the ELK stack: https://github.com/Cyb3rWard0g/HELK/tree/master/helk-logstash/pipeline
- elastic.co's configuration: https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html
- adsecurity.org's BlackHat 2018 presentation on AD security, including noteworthy event IDs: https://adsecurity.org/wp-content/uploads/2018/08/us-18-Metcalf-From-Workstation-To-Domain-Admin-Why-Secure-Administration-Isnt-Secure-Final.pdf
- FireEye article about PowerShell logging: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html
- Black Hills Information Security article on PowerShell logging for the Blue Team: https://www.blackhillsinfosec.com/powershell-logging-blue-team/
- SANS PowerShell Get-WinEvent cheat sheet: https://wiki.sans.blue/#!Tools/Get-WinEvent.md
- Chad Tilbury presentation at SANS Network Security: https://www.dropbox.com/s/9nqw3m2csh1cmu3/Investigating_WMI_Attacks_Tilbury.pdf?dl=0
For the setup we'll be describing here, we reference a Windows server/client environment with multiple domain controllers. Our Active Directory environment has been implemented such that client computers, Windows servers, and domain controllers are each in their own organizational units. This will become important later when dealing with group policy configuration. For reference, domain controllers will be talking to an event collector called azurebox1, Windows servers will be talking to azurebox2, and Windows clients will be talking to azurebox3.
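Because each tier is meant to forward to a different collector, a misapplied GPO (for example a server landing in the client OU) silently sends its events to the wrong place. The following check is an added example, not part of this guide or its GPO configuration: run on a forwarder, it reads the SubscriptionManager policy value that the "Configure target Subscription Manager" GPO writes and compares the configured collector against the tier expected for the host's role. The collector names come from the guide; the FQDN and port in the comment are assumptions.

```powershell
# Added example: verify this host forwards to the collector expected for its tier
# (DCs -> azurebox1, member servers -> azurebox2, clients -> azurebox3).
# Assumption: the policy value has the form the GPO writes, e.g.
#   Server=http://azurebox2.example.local:5985/wsman/SubscriptionManager/WEC,Refresh=60

$ExpectedCollector = @{
    'DomainController' = 'azurebox1'
    'Server'           = 'azurebox2'
    'Client'           = 'azurebox3'
}

function Get-HostTier {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    switch ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType) {
        1       { 'Client' }
        2       { 'DomainController' }
        3       { 'Server' }
        default { 'Unknown' }
    }
}

function Get-ConfiguredCollectors {
    # The GPO writes one string value per collector, named "1", "2", ... under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object {
            # Pull the URL out of "Server=<url>,Refresh=<n>" and keep only the host part.
            if ($_.Value -match 'Server=(?<url>[^,]+)') { ([Uri]$Matches['url']).Host }
        }
}

function Test-CollectorAssignment {
    $tier = Get-HostTier
    $want = $ExpectedCollector[$tier]
    $have = @(Get-ConfiguredCollectors)
    if ($have.Count -eq 0) { return "FAIL: no SubscriptionManager policy applied (tier=$tier)" }
    # Compare on the short host name so an FQDN in the policy still matches.
    $shortNames = $have | ForEach-Object { ($_ -split '\.')[0].ToLower() }
    if ($want -and ($shortNames -contains $want)) { return "OK: $tier host forwards to $want" }
    return "FAIL: $tier host forwards to '$($have -join ', ')', expected $want"
}

Test-CollectorAssignment
```

A FAIL on a freshly joined machine usually means the computer object sits in the wrong OU or `gpupdate` has not run yet; a FAIL listing the right collector under the wrong tier points at a linked-to-the-wrong-OU GPO.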
