Threat Hunting with Windows Event Forwarding

Name: Threat Hunting with Windows Event Forwarding
Rating: 4.5 (12 reviews)

Windows Event Forwarding (WEF) is a way you can get event logs from Windows computers and collect them on Windows Event Collector (WEC) servers. In this Threat Hunting with Windows Event Forwarding course, you will use WEF for incident detection with step-by-step instructions for configuration and management workflows.

Time

1 hour 21 minutes

Difficulty

Beginner

CEU/CPE

4.5

NEED TO TRAIN YOUR TEAM? LEARN MORE

Join over 3 million cybersecurity professionals advancing their career

Required fields are marked with an *

View all SSO options

Already have an account? Sign In »

Course Content

Module 1: What is Windows Event Forwarding?

1.1 Introduction

FREE

1.2 Native Windows Event Forwarding

FREE

Module 2: Prerequisites for Setting up Windows Event Forwarding

2.1Group Policy for Event Collection

FREE

2.2Microsoft System Monitor (SysMon)

2.3Which Events to log for the Threat Hunt Part 1

2.4Which Events to log for the Threat Hunt Part 2

Module 3: Configure Windows Event Collector (WEC)

3.1Configure Windows Event Collector (WEC) Part 1

3.2Configure Windows Event Collector (WEC) Part 2

3.3Scaling and Performance of Windows Event Collection

Module 4: MITRE ATT&CK

4.1MITRE ATT&CK Framework

Module 5: Lateral Movement Case Study

5.1Lateral Movement as a Case Study

Course Description

In this course we will learn about Windows Event Forwarding. Not many people are aware of it and take advantage of this built-in native tool. Windows Event Forwarding (WEF) is a way you can get any or all event logs from Windows computers and collect them on one or more Windows Event Collector (WEC) servers.

We will provide a framework for detecting current Active Directory attack methods used by red teams for penetration testing including Lateral Movement and best practices from across the globe. The default configuration of windows does not track events required for investigation of incidents. In this course, we will provide configurations to allow you to setup verbose logging to detect suspicious events.

Prerequisites:

Understand and configure Active Directory Group Policies. Need to be familiar with Windows event logs. Need one or more Windows servers for event collection.

Course Goals:

By the end of the course, students should be able to:

Configure Windows Event Logging to capture malicious activity like Lateral Movement
Collect events from Windows servers and workstations using Windows Event Collector (WEC)
Use a threat detection framework from MITRE to perform hunt for malicious activity like Lateral Movement

Instructed By