Threat Hunting with Windows Event Forwarding

In this course we will learn about Windows Event Forwarding. Not many people are aware of it and take advantage of this built-in native tool. Windows Event Forwarding (WEF) is a way you can get any or all event logs from Windows computers and collect them on one or more Windows Event Collector (WEC) servers.

We will provide a framework for detecting current Active Directory attack methods used by red teams for penetration testing including Lateral Movement and best practices from across the globe. The default configuration of windows does not track events required for investigation of incidents. In this course, we will provide configurations to allow you to setup verbose logging to detect suspicious events.

Prerequisites:

Understand and configure Active Directory Group Policies. Need to be familiar with Windows event logs. Need one or more Windows servers for event collection.

Course Goals:

By the end of the course, students should be able to:

• Configure Windows Event Logging to capture malicious activity like Lateral Movement
• Collect events from Windows servers and workstations using Windows Event Collector (WEC)
• Use a threat detection framework from MITRE to perform hunt for malicious activity like Lateral Movement

• Module 1: What is Windows Event Forwarding?
• 1.1 Introduction
• 1.2 Native Windows Event Forwarding
• Module 2: Prerequisites for Setting up Windows Event Forwarding
• 2.1 Group Policy for Event Collection
• 2.2 Microsoft System Monitor (SysMon)
• 2.3 Which Events to log for the Threat Hunt Part 1
• 2.4 Which Events to log for the Threat Hunt Part 2
• Module 3: Configure Windows Event Collector (WEC)
• 3.1 Configure Windows Event Collector (WEC) Part 1
• 3.2 Configure Windows Event Collector (WEC) Part 2
• 3.3 Scaling and Performance of Windows Event Collection
• Module 4: MITRE ATT&CK
• 4.1 MITRE ATT&CK Framework
• Module 5: Lateral Movement Case Study
• 5.1 Lateral Movement as a Case Study