This repository hosts content to help administrators collect security-relevant Windows event logs using Windows Event Forwarding (WEF). This repository is a companion to the Spotting the Adversary with Windows Event Log Monitoring paper. The list of events in this repository is more up to date than the one in the paper.
The repository contains:
- Recommended Windows events to collect. Whether you use WEF or a third-party SIEM, the list of recommended events should be a useful starting point for what to collect.
- Scripts to create custom Event Log views and create WEF subscriptions.
- WEF subscriptions in XML format.
- Added the Event IDs introduced by the security updates of August 11, 2020 for CVE-2020-1472, Netlogon Elevation of Privilege Vulnerability.
- Added Event ID 4697, as recommended to detect MITRE ATT&CK Technique T1543.003 - Create or Modify System Process: Windows Service. Security monitoring recommendations are available from Microsoft.
- Added Event ID 4768, as recommended to detect MITRE ATT&CK Technique T1558.004 - Steal or Forge Kerberos Tickets: AS-REP Roasting. Security monitoring recommendations are available from Microsoft.
- Added Event IDs 4738(S) and 4670(S), as recommended to detect MITRE ATT&CK Technique T1098 - Account Manipulation. Security monitoring recommendations are available from Microsoft.
- Added Event ID 4724, as recommended by Microsoft.
The tips below can help you either to:
- Prevent threats directly
- Increase your visibility
The examples are free tools. Some of them can be bypassed, but even when one is bypassed, the attacker will:
- Have to notice that it is there
- Have to find a way to bypass it
- Generate logs that can be correlated with all the events you already gather
- Generate noise
AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.
When AppLocker policy enforcement is set to Enforce rules, rules are enforced for the rule collection and all events are audited.
When AppLocker policy enforcement is set to Audit only, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log.
I would recommend enabling at least audit mode on your critical assets.
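Putting the audit-only recommendation into practice, as an added example that is not part of this repository: the script below applies a local AppLocker policy whose Exe collection runs in `AuditOnly` mode with three broad allow rules, then reads back the events that would have been blocked. It assumes an elevated session, that applying a local policy is acceptable (a domain GPO is the usual place in production), and that the rule GUIDs and the file path are values chosen for this example.

```powershell
# Added example, not part of this repository: AppLocker Exe collection in
# audit-only mode, followed by a summary of what enforcement would have blocked.
# Run elevated. Rule GUIDs and the temp path are choices made for this example.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Allow administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions>
        <FilePathCondition Path="*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

# AppLocker does nothing without the Application Identity service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

$policyPath = Join-Path $env:TEMP 'applocker-audit.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath

# AppLocker EXE and DLL log: 8002 = allowed, 8003 = allowed but would have been
# blocked under enforcement (audit mode), 8004 = blocked. Summarise 8003 by file
# so the rule set can be tuned before switching the collection to enforce.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-AppLocker/EXE and DLL'; Id=8003} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = $x.Event.UserData.RuleAndFileData.TargetUser
            File = $x.Event.UserData.RuleAndFileData.FilePath
        }
    } |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run the summary after a few days of normal use: every file that shows up under 8003 is something users run from outside Program Files and the Windows folder, and each needs either a rule or a conversation before the collection is switched to "Enforce rules". The same log, forwarded through WEF, is what makes the "noise" mentioned above visible on the collector.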
If you don't have an EDR (Endpoint Detection and Response) solution that gives you more visibility on endpoints for detection and response, I would recommend having a look at Sysmon.
Sysmon is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
Here are some configurations you can use as an example:
Note that it is pretty common to see Sigma rules that leverage Sysmon logs, and there are many resources for widely used security solutions such as QRadar, Splunk, Azure Sentinel, ...
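As an added example (not one of the configurations this README points to), the script below writes a minimal Sysmon configuration covering the three event sources named above, process creation, network connections and file creation time changes, installs Sysmon with it, and then lists the rarest parent/child process pairs seen so far. It assumes an elevated session, that `Sysmon64.exe` has been downloaded into the current directory, and that the config path is a choice made here.

```powershell
# Added example, not part of this repository: minimal Sysmon configuration,
# installation, and a first look at the process creation events it produces.
# Run elevated with Sysmon64.exe in the current directory.
$sysmonConfig = @'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <!-- Event 1: log every process creation (an empty exclude list excludes nothing) -->
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
    <!-- Event 2: log changes to file creation time for all images -->
    <RuleGroup name="" groupRelation="or">
      <FileCreateTime onmatch="exclude" />
    </RuleGroup>
    <!-- Event 3: only network connections made by the scripting hosts listed here -->
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="image">powershell.exe</Image>
        <Image condition="image">wscript.exe</Image>
        <Image condition="image">cscript.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$configPath = Join-Path $env:TEMP 'sysmon-config.xml'
Set-Content -Path $configPath -Value $sysmonConfig -Encoding UTF8

# -i installs the service and driver with this configuration; use -c to update it later.
& .\Sysmon64.exe -accepteula -i $configPath

# Read Event ID 1 by field name (the EventData order differs between Sysmon
# versions, so the XML rendering is safer than positional Properties).
$pairs = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Parent = $data['ParentImage']
            Child  = $data['Image']
            User   = $data['User']
        }
    }

# Rare parent/child combinations are where anomalous activity tends to stand out.
$pairs | Group-Object Parent, Child | Sort-Object Count | Select-Object -First 15 Count, Name
```

Once Sysmon is in place, add `Microsoft-Windows-Sysmon/Operational` to a WEF subscription query alongside the Security log so these events reach the collector together with the Event IDs recommended above, which is what lets them be correlated.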
- Microsoft Windows Event Forwarding resources
- Use Windows Event Forwarding to help with intrusion detection
- Windows 10 and Windows Server 2016 security auditing and monitoring reference
- Microsoft's Threat Protection: Advanced security audit policy settings
- Microsoft's Threat Protection: Security auditing
- List of important events from Microsoft
- Microsoft SysInternals Sysmon
- ACSC GitHub Windows Event Logging repository
- ACSC Windows Event Logging Technical Guidance
- Creating Custom Windows Event Forwarding Logs
- Introducing Project Sauron
- Project Sauron GitHub repository
- Windows Event Forwarding for Network Defense
- Palantir Windows Event Forwarding GitHub repository
See LICENSE.
See DISCLAIMER.