WEF Application Setup Instructions

This REPO contains all the files needed for using Windows Event Forwarding to monitor an environment for intruders. This assumes that you have referenced the Windows Event Logging Cheat Sheet for logging in your environment. Use LOG-MD or CIS-CAT to ensure the recommended logging is configured. You will also need to configure WinRM in your environment. This can be done by following the instructions at the WinRM over HTTPS page on this site.

General steps to set up this package. 

CONFIGURE (This should be configured in your environment)

• WinRM over HTTPS

DOWNLOAD & INSTALL (These need to be installed on the centralized WEF collection server)

• SSMS (SQL Server Management Studio)
• Microsoft SQL Server (Express a.k.a Free Version Will Work)
• ASP.NET 3.1 Core Runtime
• ASP.NET 3.1 SDK
• Visual Studio

SIDE NOTE 1: It is considered best practice to have the SQL server installed on a separate device than the one hosting the application. I did not abide by this here. As long as there are not any SQL Injections and least privilege permissions are applied to accounts that can access the SQL database, this should not be a concern. 

SIDE NOTE 2: It is also best practice to have a development server that pushes out web application builds to the production server. I do not know what resources or extras may be available to a company. As such I am treating this to be as bare minimum as possible. These are subjects that can be learned in other areas of the web. I am just showing you how to set up this security package and need to draw the line somewhere. Feel free to use my instructions and then uninstall Visual Studio from the server when you are done with setup.

• DomainComputers.xml Windows Event Forwarding Config file for Domain Computers. can be applied on the source collector using the command: wecutil cs DomainComputers.xml
• DomainControllers.xml Windows Event Forwarding Config file for Domain Controllers can be applied on the source collector using the command: wecutil cs DomainControllers.xml
• Import-EventsHourly.ps1 PowerShell script that imports collected WEF events into SQL database
• ImportTheScheduledTasks.ps1 This is an optional script that can be used to import XML files to the task scheduler, effectively creating the required scheduled tasks on the centralized WEF server
• Query to Create MSSQL DB Table Creates the required database and table configuration for the MSSQL server database. Open the SSMS application, start a New Query, and execute the contents of this file inside the query. This will build the SQL database used by the WEF Application.
• SQL-Query-Suspicious-Events.ps1 PowerShell script that discovers possible indicators of compromise and sends and an email alert.
• TaskForSQLQueryEventsMonitor.xml Task Scheduler import file that goes with SQL-Query-Suspicious-Events.ps1. This executes on SQL-Query-Suspicious-Events.ps1 on the hour. If any new events are viewed as possible indications of compromise an alert email will be sent out.
• TaskImportFile.xml Task Scheduler Import file that goes with Import-EventsHourly.ps1. This task will execute the Import-EventsHourly.ps1 script once an hour on the half hour, importing the most recent events into the SQL database.
• WEFStartupScript.ps1 This should be the startup script on all devices sending events to the source WEF collector. This ensures that the WinRM service has the correct permissions, the service is running, and the service is available to send info to the source event collector.

Now that WinRM over HTTPS is configured and the Group Policy Settings have been applied using instructions from the previous page we can being setting up the configuration of the source collector. If you have not done this yet that is not a big deal as it should not matter what order these tasks are carried out.

In order to use the DomainComputers.xml and DomainControllers.xml config files in Windows Event Forwarding the below commands must be issued in an Administrator Command Prompt. Place the files DomainComputers.xml and DomainControllers.xml in the directory C:\Users\Public\Documents. Then open a Command Prompt or PowerShell window as an Administrator. This can be done with the key combo Windows Key + X, A

wecutil cs C:\Users\Public\Documents\DomainComputers.xml

wecutil cs C:\Users\Public\Documents\DomainControllers.xml

Create the SQL database schema and table.

1. Open SSMS (SQL Server Management Studio)
2. Sign in using an Administrator account to the default selected instance
3. Click "Execute New Query" in the top ribbon. This will open a text window
4. Copy and paste the contents of Query to Create MSSQL DB Table into the query and click "Execute". This builds your SQL Database table where events will be imported.

The below two steps can be accomplished by executing the "ImportTheScheduledTasks.ps1". I have this automatically search for the XML files that need to be imported into Task Scheduler. Long as you do not rename the files in this repository this should go off without a hitch. 

USER YOU SELECT: The above script will prompt you for a username to use in the Task Schedulers execution of alerting and import files. The user you define will need to have been configured to have "Log on as batch job" permissions and "Log on as service" permissions. This is done through Group Policy at "Computer Configuration > Windows Settings > Security Settings > User Rights Assignment" Both of the mentioned settings will be in this GPO location. 

SQL USER PERMISSIONS: Once this is done you will need to assign this user with "Log on as batch job" permissions to have read and write access to the SQL database. Do this by opening SSMS and signing into the default instance. In the "Object Explorer Window" on the left hand side you will need to expand the Databases tree, expand the Security Tree, expand the Users tree. The right click on User and select Add User if the name is not there. Add the user with "Log on as batch" permissions. Right click on the newly added user who is now existing in the expanded User tree. Assign the user db_datareader and db_datawriter permissions.

SKIP: You can skip to Step 5 if you have imported the tasks by executing "ImportTheScheduledTasks.ps1"

Create the Scheduled Task to Import Events into SQL Database 

• Place the powershell script Import-EventsHourly.ps1 into C:\Users\Public\Documents (this is to match the Task Template in this repo) or wherever you prefer to store this script. Be sure to sign it with a trusted Code Signing Certificate in your environment (Import Code Signing Cert Info "Trusted Publishers" store in certmgr.msc). This prevents it from running malicious code. Modify the permissions so  only administrators can modify the script. Have this run every hour on minute 55. This leaves time for the events to get imported into the SQL database. Then on the hour, have the next task run. 
• Create a scheduled task that runs once an hour on the hour. You can use my template TaskImportFile.xml. Import this task and you should only need to define the user with Batch and Service permissions to run the script. 

Below is the PowerShell Command to use code signing certificates to sign a script.

Set-AuthenticodeSignature C:\Users\Public\Documents\Import-EventsHourly.ps1 @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]

Create Monitoring and Alert Task

1. Add SQL-Query-Suspicous-Events.ps1 to C:\Users\Public\Documents which will match with the location of my XML template. Be sure to sign in with a trusted Code Signing Certificate (Import Code Signing Cert Info "Trusted Publishers" store in certmgr.msc) in your environment to prevent it from running malicious code. Modify  the permissions so only administrators can modify the script. Have this task run on the hour.

# PowerShell Command to use code signing certificate to sign a script

Set-AuthenticodeSignature C:\Users\Public\Documents\Import-EventsHourly.ps1 @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]

1. Open Task Scheduler (taskschd.msc) and import the task from TaskForSQLQueryEventsMonitor.xml that runs once a day. This is done to execute SQL-Query-Suspicous-Events.ps1. This is the script that alerts you when a suspicious event has been discovered.
2. Edit the file SQL-Query-Suspicous-Events.ps1 so the  email variables are set to match your environment. Some of the SQL queries will also need to be modified in order to add accounts that commonly receive special permissions such as accounts that are used for LDAP binds or domain controllers system accounts (Example: DC01$). Or don't use any special filtering. Whatever floats your boat. The SQL queries only return events from the  last hour. This is significantly faster than filtering the Windows Event  log through XML which also will eventually delete logs to make room for  newer logs. 

Once run, the script returns event information on the below possible indications of compromise from all those devices forwarding events.

• Were any Event Logs Cleared?
• Was a new Local or Domain User created anywhere (Excluding WDAGUtilityAccount)?
• Was a user added to a high privileged security group (Administrators,  Domain Admins, Schema Admins, Enterprise Admins, Print Operators, Server  Operators, Backup Operators)?
• Was a user removed from a high privileged security group (Possible covering tracks)?
• Were any new services run/created?
• Were any accounts locked out?
• Were any accounts unlocked?
• Were any special privileges assigned outside the norm (Normal accounts: admin, dnsdynamic?)
• Were any replay attack attempts detected?

To ensure the correct permissions are set on the Windows Event Log  Source Collector issue the below commands (on the Windows Event  Forwarding Collection Server). Open an Administrator PowerShell or Command Prompt session (Windows Key + X, A). Then execute the below commands:

netsh http delete urlacl url=http://+:5985/wsman/ 

netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

netsh http delete urlacl url=https://+:5986/wsman/

netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)

So What Now?

If you are having troubles with some Desktops and Servers that are not connecting to the source collector then push out the WEFStartupScript.ps1 through Group Policy by making it a startup script. This startup script will run the WinRM service as it's own parent process which frees up it's usage for WEF. When the script gets triggered it performs a search on all collected targeted events for the last 1 hour and 5 minutes only. You can change this in the task and/or SQL Query script. The results will not always mean compromise but they will definitely help to discover them when they happen. (Microsoft says the max limit of machines to source collect events from is 2,000 to 4,000). 

REFERENCE: https://support.microsoft.com/en-gb/help/4494356/best-practice-eventlog-forwarding-performance

• https://blog.netnerds.net/2013/03/importing-windows-forwarded-events-into-sql-server-using-powershell/
• https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem
• https://support.microsoft.com/en-us/help/4494462/events-not-forwarded-if-the-collector-runs-windows-server
• https://serverfault.com/questions/769282/windows-event-log-forwarding-permission