Threat Hunting with Windows Event Forwarding (Free)

Windows Event Forwarding (WEF) is a way you can get event logs from Windows computers and collect them on Windows Event Collector (WEC) servers. In this Threat Hunting with Windows Event Forwarding course, you will use WEF for incident detection with step-by-step instructions for configuration and management workflows.

Time: 1h 21m | Difficulty: beginner | CEU/CPE: 2

Course Content

Module 1: What is Windows Event Forwarding?
  • 1.1 Introduction (7m)
  • 1.2 Native Windows Event Forwarding (5m)

Module 2: Prerequisites for Setting up Windows Event Forwarding
  • 2.1 Group Policy for Event Collection (8m)
  • 2.2 Microsoft System Monitor (SysMon) (10m)
  • 2.3 Which Events to Log for the Threat Hunt Part 1 (7m)
  • 2.4 Which Events to Log for the Threat Hunt Part 2 (8m)

Module 3: Configure Windows Event Collector (WEC)
  • 3.1 Configure Windows Event Collector (WEC) Part 1 (4m)
  • 3.2 Configure Windows Event Collector (WEC) Part 2 (8m)
  • 3.3 Scaling and Performance of Windows Event Collection (8m)

Module 4: MITRE ATT&CK
  • 4.1 MITRE ATT&CK Framework (9m)

Module 5: Lateral Movement Case Study
  • 5.1 Lateral Movement as a Case Study (7m)

Course Description

In this course we will learn about Windows Event Forwarding. Few people are aware of this built-in native tool, and fewer take advantage of it. Windows Event Forwarding (WEF) is a way you can get any or all event logs from Windows computers and collect them on one or more Windows Event Collector (WEC) servers.

We will provide a framework for detecting current Active Directory attack methods used by red teams during penetration testing, including Lateral Movement, along with best practices from across the globe. The default configuration of Windows does not record the events required to investigate an incident. In this course, we will provide configurations that let you set up verbose logging to detect suspicious events.

Prerequisites:

  • Ability to understand and configure Active Directory Group Policies
  • Familiarity with Windows event logs
  • One or more Windows servers available for event collection

Course Goals:

By the end of the course, students should be able to:

  • Configure Windows Event Logging to capture malicious activity like Lateral Movement
  • Collect events from Windows servers and workstations using Windows Event Collector (WEC)
  • Use a threat detection framework from MITRE to hunt for malicious activity like Lateral Movement


Instructor: Gurvinder Singh

    My whole life, I’ve had a strong reverence for and connection with nature. It makes me feel alive and reminds me of the purpose of life. This relationship with the earth led me to hone my photography skills, so that I could better capture the beauty around us that moves me on a daily basis. After having my twins, a beautiful son and adorable daughter who are now seven, this passion became even stronger. My children prefer to be outdoors rather than inside, and this is my deepest and most ongoing source of inspiration.

    My amazingly supportive wife and I also take a philanthropic stance when it comes to our children — for their birthday, we request donations to a local food bank instead of gifts. This is a reflection on the concept of Seva, which means “selfless service.” It’s part of our Sikh faith, which guides us as we seek to honor nature and others. In addition to photography and art, I also work as a cyber security expert and help people protect themselves from cyber criminals.

Provider: Cybrary
Certification Body: Certificate of Completion

    Complete this entire course to earn a Threat Hunting with Windows Event Forwarding Certificate of Completion