Threat Hunting with Windows Event Forwarding

Windows Event Forwarding (WEF) is a way you can get event logs from Windows computers and collect them on Windows Event Collector (WEC) servers. In this Threat Hunting with Windows Event Forwarding course, you will use WEF for incident detection with step-by-step instructions for configuration and management workflows.

Time
1 hour 21 minutes
Difficulty
Beginner
4.5
Share
NEED TO TRAIN YOUR TEAM? LEARN MORE
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Course Description

In this course we will learn about Windows Event Forwarding. Not many people are aware of it and take advantage of this built-in native tool. Windows Event Forwarding (WEF) is a way you can get any or all event logs from Windows computers and collect them on one or more Windows Event Collector (WEC) servers.

We will provide a framework for detecting current Active Directory attack methods used by red teams for penetration testing including Lateral Movement and best practices from across the globe. The default configuration of windows does not track events required for investigation of incidents. In this course, we will provide configurations to allow you to setup verbose logging to detect suspicious events.

Prerequisites:

Understand and configure Active Directory Group Policies. Need to be familiar with Windows event logs. Need one or more Windows servers for event collection.

Course Goals:

By the end of the course, students should be able to:

  • Configure Windows Event Logging to capture malicious activity like Lateral Movement
  • Collect events from Windows servers and workstations using Windows Event Collector (WEC)
  • Use a threat detection framework from MITRE to perform hunt for malicious activity like Lateral Movement