This REPO contains all the files needed for using Windows Event Forwarding to monitor an environment for intruders. This assumes that you have referenced the Windows Event Logging Cheat Sheet for logging in your environment. Use LOG-MD or CIS-CAT to ensure the recommended logging is configured. You will also need to configure WinRM in your environment. This can be done by following the instructions at the WinRM over HTTPS page on this site.
General steps to set up this package.
CONFIGURE (This should be configured in your environment)
DOWNLOAD & INSTALL (These need to be installed on the centralized WEF collection server)
SIDE NOTE 1: It is considered best practice to have the SQL server installed on a separate device from the one hosting the application. I did not abide by this here. As long as there are no SQL injection flaws and least-privilege permissions are applied to the accounts that can access the SQL database, this should not be a concern.
SIDE NOTE 2: It is also best practice to have a development server that pushes out web application builds to the production server. I do not know what resources or extras may be available to a company, so I am keeping this as bare-minimum as possible. These are subjects that can be learned in other areas of the web. I am just showing you how to set up this security package and need to draw the line somewhere. Feel free to use my instructions and then uninstall Visual Studio from the server when you are done with setup.
Now that WinRM over HTTPS is configured and the Group Policy settings have been applied using the instructions from the previous page, we can begin configuring the source collector. If you have not done this yet, that is not a big deal, as it should not matter in what order these tasks are carried out.
In order to use the DomainComputers.xml and DomainControllers.xml config files in Windows Event Forwarding, the commands below must be issued from an Administrator Command Prompt. Place the files DomainComputers.xml and DomainControllers.xml in the directory C:\Users\Public\Documents. Then open a Command Prompt or PowerShell window as an Administrator. This can be done with the key combo Windows Key + X, A.
wecutil cs C:\Users\Public\Documents\DomainComputers.xml
wecutil cs C:\Users\Public\Documents\DomainControllers.xml
Create the SQL database schema and table.
The two steps below can be accomplished by executing "ImportTheScheduledTasks.ps1". The script automatically searches for the XML files that need to be imported into Task Scheduler. As long as you do not rename the files in this repository, this should go off without a hitch.
USER YOU SELECT: The above script will prompt you for a username to use in Task Scheduler's execution of the alerting and import files. The user you define will need to have been granted the "Log on as a batch job" and "Log on as a service" rights. This is done through Group Policy at "Computer Configuration > Windows Settings > Security Settings > User Rights Assignment". Both of the mentioned settings are in this GPO location.
SQL USER PERMISSIONS: Once this is done you will need to give the user with the "Log on as a batch job" right read and write access to the SQL database. Do this by opening SSMS and signing into the default instance. In the "Object Explorer" window on the left-hand side, expand the Databases tree, expand the Security tree, then expand the Users tree. Right-click Users and select Add User if the name is not there, adding the user that holds the "Log on as a batch job" right. Right-click the newly added user, which now appears in the expanded Users tree, and assign it the db_datareader and db_datawriter roles.
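The same grant done without clicking through SSMS, as an added example that is not part of the repository. The database name (WEF), the account name (EXAMPLE\wefsvc) and the local default instance are assumptions; the T-SQL is run with the sqlcmd command-line tool using Windows authentication.

```powershell
# Added example (not the repository's code): give the Task Scheduler account
# exactly db_datareader + db_datawriter on the events database, nothing more.
$database = 'WEF'              # assumption: the database created in the SQL step
$account  = 'EXAMPLE\wefsvc'   # assumption: the account with "Log on as a batch job"
$sqlFile  = Join-Path $env:TEMP 'grant-wef-access.sql'

@"
-- server-level login for the Windows account (skipped if it already exists)
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$account')
    CREATE LOGIN [$account] FROM WINDOWS;
GO
USE [$database];
GO
-- database user mapped to that login
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$account')
    CREATE USER [$account] FOR LOGIN [$account];
GO
-- least privilege: read and write rows only; no schema changes, no db_owner
ALTER ROLE db_datareader ADD MEMBER [$account];
ALTER ROLE db_datawriter ADD MEMBER [$account];
GO
-- read back the role membership so the result is visible in the output
SELECT r.name AS role_name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = N'$account';
GO
"@ | Set-Content -Path $sqlFile -Encoding ASCII

# -S local default instance, -E Windows authentication, -i script file, -b stop on error
sqlcmd -S localhost -E -b -i $sqlFile
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
Remove-Item $sqlFile
```

The final SELECT should list exactly db_datareader and db_datawriter; anything else (db_owner in particular) means the account has more than the import task needs.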
SKIP: You can skip to Step 5 if you have imported the tasks by executing "ImportTheScheduledTasks.ps1"
Create the Scheduled Task to Import Events into SQL Database
Below is the PowerShell Command to use code signing certificates to sign a script.
Set-AuthenticodeSignature C:\Users\Public\Documents\Import-EventsHourly.ps1 @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
Create Monitoring and Alert Task
# PowerShell Command to use code signing certificate to sign a script
Set-AuthenticodeSignature C:\Users\Public\Documents\Import-EventsHourly.ps1 @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert)[0]
Once run, the script returns event information for the possible indications of compromise listed below, drawn from every device that is forwarding events.
To ensure the correct permissions are set on the Windows Event Log source collector, issue the commands below on the Windows Event Forwarding collection server. Open an Administrator PowerShell or Command Prompt session (Windows Key + X, A). Then execute the following commands:
netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
netsh http delete urlacl url=https://+:5986/wsman/
netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
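To confirm the reservations took effect, the added check below (not part of the repository) reads both URL ACLs back with netsh, verifies that each contains the two service SIDs from the commands above, and translates the SIDs to account names so the intent is visible. It changes nothing; the SID-to-service mapping in the table is an assumption used only for the warning text.

```powershell
# Added example, not the repository's code: verify the WS-Man URL ACLs.
# The two SIDs are the ones used in the netsh commands above; the names are
# what they are expected to translate to (assumed for the messages only).
$expected = @{
    'S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970'  = 'WinRM'
    'S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517' = 'Wecsvc'
}

function Test-WsmanUrlAcl {
    param([string]$Url)
    # netsh prints the reservation as text including "SDDL: D:(A;;GX;;;S-1-5-80-...)"
    $output = netsh http show urlacl url=$Url
    if (-not ($output -match 'Reserved URL')) {
        Write-Warning "no URL reservation exists for $Url"
        return $false
    }
    $ok = $true
    foreach ($sid in $expected.Keys) {
        # resolve the service SID on this host; falls back to the expected name
        $name = try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { "NT SERVICE\$($expected[$sid]) (untranslated)" }
        if ($output -match [regex]::Escape($sid)) {
            Write-Host "OK       $Url grants $name"
        } else {
            Write-Warning "MISSING  $Url does not grant $name ($sid)"
            $ok = $false
        }
    }
    return $ok
}

$results = @(
    Test-WsmanUrlAcl 'http://+:5985/wsman/'
    Test-WsmanUrlAcl 'https://+:5986/wsman/'
)
if ($results -contains $false) { exit 1 }   # non-zero so a deployment script can notice
```

Run it in the same elevated session after the netsh commands; a MISSING line for either reservation means forwarding clients will be able to reach WinRM but the Windows Event Collector service will not be permitted to receive on that URL.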
So What Now?
If you are having trouble with some desktops and servers that are not connecting to the source collector, push out WEFStartupScript.ps1 through Group Policy by making it a startup script. This startup script runs the WinRM service in its own process, which frees it up for use by WEF. When the script is triggered it performs a search on all collected targeted events for the last 1 hour and 5 minutes only. You can change this in the task and/or the SQL query script. The results will not always mean compromise, but they will definitely help to discover one when it happens. (Microsoft says the maximum number of machines to source-collect events from is 2,000 to 4,000.)
REFERENCE: https://support.microsoft.com/en-gb/help/4494356/best-practice-eventlog-forwarding-performance
Copyright © 2020 OsbornePro - All Rights Reserved.
Questions or Comments: rosborne@osbornepro.com