
windows-event-forwarding's Introduction

Windows Event Forwarding Guidance

About This Repository

Over the past few years, Palantir has maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also on deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence.

The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.

About Windows Event Forwarding

Windows Event Forwarding (WEF) is a powerful log forwarding solution integrated within modern versions of Microsoft Windows. One of the most comprehensive descriptions of WEF can be found on Microsoft Docs, but it is summarized as follows:

  • Windows Event Forwarding allows for event logs to be sent, either via a push or pull mechanism, to one or more centralized Windows Event Collector (WEC) servers.
  • WEF is agent-free, and relies on native components integrated into the operating system. WEF is supported for both workstation and server builds of Windows.
  • WEF supports mutual authentication and encryption through Kerberos (in a domain), or can be extended through the usage of TLS (additional authentication or for non-domain joined machines).
  • WEF has a rich XML-based language that can control which event IDs are submitted, suppress noisy events, batch events together, and send events as quickly or slowly as desired. Subscription XML supports a subset of XPath, which simplifies the process of writing expressions to select the events you're interested in.
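The following PowerShell script is an added example, not code from the Palantir repository: it takes a minimal source-initiated subscription of the shape this project ships, pulls each XPath `Select` out of the query, and dry-runs it locally with `Get-WinEvent -FilterXPath` before the file is handed to `wecutil cs`. The subscription id, description and output path are assumed names; the Security channel needs an elevated prompt to read. The SDDL for allowed source computers is the one the project uses.

```powershell
# Added example: validate the XPath selects of a WEF subscription locally before loading it.
# The subscription body is constructed for this example; only its XML shape follows the WEF schema.
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Example-Log-Clearing</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Example (assumed name): audit log cleared and user account changes</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>1</MaxItems>
      <MaxLatencyTime>30000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="3600000"/>
    </PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <!-- High-fidelity event: the audit log was cleared -->
        <Select Path="Security">*[System[(EventID=1102)]]</Select>
        <!-- Account management range; the query is itself XML, so comparison operators are entity-encoded -->
        <Select Path="Security">*[System[(EventID &gt;= 4720 and EventID &lt;= 4726)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>Events</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
'@

function Test-WefSubscriptionXPath {
    param([Parameter(Mandatory)][string]$Xml)

    $sub = [xml]$Xml
    # The <Query> element carries the QueryList as CDATA text; parse that text as XML in turn.
    $query = [xml]$sub.Subscription.Query.InnerText
    foreach ($select in $query.QueryList.Query.Select) {
        $path  = $select.Path
        $xpath = $select.InnerText.Trim()
        # Dry-run the XPath against the local channel. "No events were found" means the expression
        # parsed but nothing matched; any other error is a syntax or channel problem.
        $err = $null
        Get-WinEvent -LogName $path -FilterXPath $xpath -MaxEvents 1 -ErrorAction SilentlyContinue -ErrorVariable err | Out-Null
        $ok = (-not $err) -or ($err[0].Exception.Message -like 'No events were found*')
        [pscustomobject]@{
            Path  = $path
            XPath = $xpath
            Valid = $ok
            Error = if ($ok) { '' } else { $err[0].Exception.Message }
        }
    }
}

$checks = Test-WefSubscriptionXPath -Xml $subscriptionXml
$checks | Format-Table -AutoSize

if ($checks.Valid -contains $false) {
    Write-Warning 'At least one Select expression failed locally; fix it before loading the subscription.'
} else {
    # Assumed output path; wecutil cs creates the subscription on the collector from the XML file.
    $file = Join-Path $env:TEMP 'Example-Log-Clearing.xml'
    Set-Content -Path $file -Value $subscriptionXml -Encoding UTF8
    wecutil cs $file
}
```

Testing each `Select` on a host that has the channel catches the most common subscription defects (a mistyped operator, a wrong channel name, or markup that was not entity-encoded) before the collector silently drops the subscription.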

Repository Layout

This repository is organized as follows:

  • WEF Subscriptions: Subscriptions are the core component of WEF that determine which events should be forwarded, how they should be stored, and at what cadence and batch size they are sent.
  • Windows Event Channels: Event Channels are queues that can be used for collecting and storing event log entries on a collector server.
  • Group Policy Objects: GPO recommendations for configuring auditing, enabling Windows event collection/forwarding, etc.
  • AutorunsToWinEventLog: A script leveraging existing WEF infrastructure and Sysinternals' Autoruns to collect persistence and auto-start related artifacts.

Using This Repository

Note: We recommend that you spin up a lab environment before deploying any of these configurations, scripts, or subscriptions to a production environment.

  1. Download the repository and review the contents.
  2. Deploy auditing GPOs to your fleet to start collecting security-critical events.
  3. Configure one or more Windows Event Collector servers. Apply the associated GPOs.
  4. (Optional) Configure your WEC server(s) to function as a PowerShell transcription logging target.
  5. Deploy the windows event channels to the WEC server(s).
  6. Load one or more WEF subscriptions on the WEC server(s).
  7. Start collecting data and hunting badness.

Contributing

Contributions, fixes, and improvements can be submitted directly against this project as a GitHub issue or pull request. When contributing an update to CustomEventChannels.man, please do not include the compiled .DLL for security reasons. Once your pull request has been merged, we will compile the updated manifest into a DLL and add it to the repository.

License

MIT License

Copyright (c) 2018 Palantir Technologies Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Further Reading and Acknowledgements

Many open source publications were referenced for the development of these Subscriptions, and we wish to acknowledge those who have contributed to this effort.


windows-event-forwarding's Issues

Software-Restriction-Policies.xml incorrect syntax

XPATH should be
*[System[(EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]

Not
*[Application[Provider[@name='Microsoft-Windows-SoftwareRestrictionPolicies'] and (EventID=865 or EventID=866 or EventID=867 or EventID=868 or EventID=882)]]

Download of Autorunsc64.exe Incorrectly Uses HTTPS

The following line of AutorunsToWinEventLog/Install.ps1 fails, due to live.sysinternals.com being hosted over HTTP and not HTTPS:

Invoke-WebRequest -Uri "https://live.sysinternals.com/autorunsc64.exe" -OutFile "$autorunsPath"

Fix should be as simple as changing the URI to http:// instead of https://.

character encoding problems with some files

I'm noticing some character encoding (or otherwise corrupted) issues with the Account-Management.xml file.
For example... <Select Path="Security">*[System[(EventID &gt;=4780 and EventID &lt;=4782)]]</Select>
Should be ... <Select Path="Security">*[System[(EventID >=4780 and EventID <=4782)]]</Select>

I've just started looking into this repository, so not sure if it occurs elsewhere.

This has been a great help getting started with WEF though - thanks!

Event Providers and Channels - DB Audit Events

The MD for the Event Channels says: The Event Channel manifest provided in this project consists of 16 individual providers, each with 7 channels. Channels follow a standard naming scheme of WEC[#], where the number is related to the provider.

But if I look into it, there are only Channels for WEC to WEC7 + WEC16. WEC8 to WEC15 don't have Channels.
I think I can use it to generate my own Channels, but it would be helpful to have some more information about it in the MD File.

  1. A hint that not all providers have channels, but the providers are there to add more channels, would make sense in my opinion.
  2. Additional / more detailed information about how to customize and what to pay attention to would also be helpful. (I am exactly working on this. Maybe I can provide a suggestion for the customization.)

EventID 4648 not included

May want to include EventID 4648 in Authentication subscription, per V-43712, which is in Active Directory Domain Security STIG

Sorry - Never mind... it's covered in Explicit-Credentials subscription

Server 2016 collector woe

Have you implemented this on a currently patched 2016 server Collector? Seems custom channel manifests import successfully, but changing a working subscription from Forwarded Events over to a custom channel and the events just don't write to the custom channel. EventCollector log is also silent. Permissions on the log files and channelAccess are identical.

Recommended WEC Server Hardware Specifications

First off - thank you for putting together this repository. It's helped me out a lot.

I'm working on setting up a WEC server that will receive logs (Application, System, Security, Sysmon) from 2,000+ workstations and 500+ servers.

I was thinking about the following:

  • CPU: 2 vCPU
  • Memory: 8GB
  • Storage: 500GB SSD
  • Network: 2 x 1Gbps NIC
  • OS: Windows Server 2012 R2 (VM)
  • Subscriptions: 2500+ Hosts

Do you think this setup would be able to support the number of hosts sending events to the WEC server?

Thank you for your help!

Authentication suppression rule may be a little aggressive for some

Hi team,

Thanks for the work on this. Just FYI, we noticed that this actually means that UAC logins (in the form of 4624 events) don't get forwarded. We decided to change this as often analysts might just search for 4624 events to see where an account has been used (noting that's not ideal). So we flipped this suppress rule so all 4624s are collected regardless of SID. It does increase the volume a bit, but we think it's worth it.

Might be worth placing a comment up the top of the subscription policy (it took us a while to find) if you are intending to leave it as is.

Thanks!

Are all servers/ workstations supposed to subscribe to all subscriptions?

Hello,
First and again - thanks for all the great work y'all have put into this!

I'm noticing that the SDDL for the AllowedSourceDomainComputers param is the same for all of the subscriptions: O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)(A;;GA;;;DD)

Is that the intent? It seems some subscriptions are only applicable to Domain Controllers, and others are Server or Workstation specific.

Thanks!

wecutil ss error x057

Hello, thank you for your base files, excellent.

After I update a subscription XML file, and try to update the subscription using wecutil ss .\filename.xml, I receive the following error.

Failed to open subscription. Error = 0x57.

Any clues?

Push for performance improvement

Hi,
I would like to suggest the following modification on all subscriptions regarding event size and WEC server performance. The change consists of switching the subscription from "rendered" mode to "events" mode.

Direct impact of this change will be to not collect the "Message" text included on each event, reducing the CPU load on the collector. Indeed, the Message, when forwarded, is usually not very important as most of the information is included in the XML. And for subscriptions like Kerberos or Authentication, this can really decrease the performance impact on the server.

For switching a subscription to this "optimized" mode:
wecutil ss <subscription_name> /cf:events

For changing this parameter inside the XML:
<ContentFormat>Events</ContentFormat>

Please let me know if this makes sense for you so I will make a pull request.
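An added example (not from the repository or the issue's author) that audits what is actually loaded on a collector: it enumerates subscriptions with `wecutil es`, retrieves each definition with `wecutil gs <name> /f:xml`, and reports `ContentFormat` and the batching values, so subscriptions still in `RenderedText` mode can be identified and, with `-Apply`, switched using the `/cf:events` command above. Run it in an elevated prompt on the WEC server; the function name is an assumption.

```powershell
# Added example: report ContentFormat and batching for every subscription on this collector,
# and optionally switch rendered-text subscriptions to the lighter Events format.
function Get-WefSubscriptionSummary {
    # wecutil es prints one subscription name per line.
    $names = wecutil es | Where-Object { $_.Trim() -ne '' }
    foreach ($name in $names) {
        # wecutil gs with /f:xml returns the subscription definition as XML text.
        $xml = [xml]((wecutil gs $name /f:xml) -join "`n")
        $sub = $xml.Subscription
        [pscustomobject]@{
            Name          = $name
            ContentFormat = $sub.ContentFormat
            # Batching is only present for ConfigurationMode=Custom; otherwise these are empty.
            MaxItems      = $sub.Delivery.Batching.MaxItems
            MaxLatencyMs  = $sub.Delivery.Batching.MaxLatencyTime
            LogFile       = $sub.LogFile
        }
    }
}

function Set-WefSubscriptionsToEventsFormat {
    param([switch]$Apply)

    $summary = Get-WefSubscriptionSummary
    $summary | Sort-Object ContentFormat, Name | Format-Table -AutoSize

    # Subscriptions still shipping rendered message text are the candidates for /cf:events.
    $rendered = $summary | Where-Object { $_.ContentFormat -eq 'RenderedText' }
    foreach ($s in $rendered) {
        if ($Apply) {
            Write-Host "Switching $($s.Name) to Events format"
            wecutil ss $s.Name /cf:events
        } else {
            Write-Host "Would run: wecutil ss `"$($s.Name)`" /cf:events"
        }
    }
}

# Dry run by default; add -Apply to make the change.
Set-WefSubscriptionsToEventsFormat
```

The dry run lists the subscriptions that would be changed; pairing the switch with the reported MaxItems values also answers the later question in this thread about whether a collector is still batching one event at a time.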

wecsvc stops working after a while

Hello,
We are encountering a strange behavior on a Windows 2012 Event Collector.
This server uses > 8vCPU and 20GB RAM; monitoring it does not show specific usage peaks.
NXLog is used to fetch logs and send them to a SIEM.

We are using parts of the wef-subscriptions (~40) on +4000 workstations. (customized to filter at Source).

For some (unknown) reasons the Event Collector stops "working" randomly after sometimes 2 days, 3 days, 7 days... By stops working I mean, the service is still running but no events are coming in the forwarded events...

Regarding deployed subscriptions, the only modifications we performed were:

  • Everything in ForwardedEvents
  • ~40 subscriptions
  • MaxItems set to 25 or 50 (depending on some subscriptions)
    25000

    We also tried to perform some customization recommended in:
    "Windows™ Event Forwarding (WEF) into ArcSight at Scale"

We tried to correlate this issue with user activities but it does not seem to have any link, last stops to send log at 6 in the morning...

The analysis we performed showed the following behavior:

  • The Subscription URL becomes suddenly inaccessible (404) and generates 2150859027 on the client side.
  • BUT WinRM and WSMan are still accessible from the client to the collector (tested with Winrm & Test-WSMan)
  • The usage of the wecutil command (wecutil es/gs/gr) is not possible (process never ends)
  • A deeper analysis using ProcessExplorer showed that all wecsvc.exe process threads are in a "Lock"/Waiting status with 0% CPU and 0% RAM used.

Sometimes we are able to restart the service, sometimes we need to kill it before restarting.

I have multiple questions on this:

  • Your configs use MaxItems set to 1, are we agreed that performance should be better by buffering a little bit (as we are doing by setting 25 or 50)?

  • The pro of multiple subscriptions is also to have the capacity to manage ACL separately but it also creates 4000*40 registry keys to maintain states in the registry, could this have any impact?

  • On the fact of having 40 dedicated subscriptions, can't this have any impact on parallel network connections initiated from the source? (I mean opening 40 parallel TCP sockets instead of 1 only, x 4000?)

This is a very interesting topic as large environment deployment, tuning and troubleshooting are not well (not to say not at all) documented by MS...

Any feedback, ideas, and answers on this issue would be more than appreciated and I assume help the community!!!

Kind regards,

WEC won't forward events to self if WinRM GPO doesn't include IPv6 filter

My WEC is installed on Server 2016, for reference.

Problem:

Without the IPv6 Filter enabled on this GPO

Computer Configuration -> Administrative Templates -> Windows Components -> Windows Remote Management (WinRM)/WinRM Service:
Allow Remote Server Management through WinRM: Enabled
IPV4 filter: *

The Windows Event Collector won't forward events to itself. You will see event ID 105 in the event channel Microsoft-Windows-Eventlog-ForwardingPlugin/Operational with the message:

The forwarder is having a problem communicating with subscription manager at address http://<server name>:5985/wsman/SubscriptionManager/WEC. Error code is 2150859027 and Error Message is The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol.

Cause:

This is due to the fact that when a Windows machine looks itself up local DNS records are used (instead of your DNS server records) which returns the IPv6 address ::1 for localhost. This is still true even when IPv6 networking is disabled.

You can ping your WEC FQDN from the localhost and see:
Reply from ::1: time<1ms

Then run winrm e winrm/config/listener and see:

Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.100.100

WinRM isn't listening on an IPv6 interface.

Solution:

Enable the IPv6 filter in the previously mentioned GPO.
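As an added diagnostic (not part of the issue or the repository), the following PowerShell function reproduces the checks in this report in one place: which addresses the collector's own name resolves to, which addresses the WinRM listeners are bound to, and whether event 105 from Microsoft-Windows-Eventlog-ForwardingPlugin/Operational has been logged in the last day. The function name and the 24-hour window are assumptions; run it in an elevated prompt on the WEC server.

```powershell
# Added example: detect the "name resolves to ::1 but WinRM has no IPv6 listener" condition
# described above, and count recent forwarding-plugin errors (event 105) on this collector.
function Test-WecSelfForwarding {
    $fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }

    # Enumerate every WinRM listener and flatten the addresses they are bound to
    # (the same data "winrm e winrm/config/listener" prints as ListeningOn).
    $listeners   = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate
    $listeningOn = @($listeners | ForEach-Object { $_.ListeningOn } | ForEach-Object { [string]$_ })

    # Addresses the host name resolves to that no listener is bound to.
    $notBound = @($resolved | Where-Object { $listeningOn -notcontains $_ })

    # Event 105 is the forwarder's "problem communicating with subscription manager" record.
    $events105 = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Eventlog-ForwardingPlugin/Operational'
        Id        = 105
        StartTime = (Get-Date).AddDays(-1)   # assumed window
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Fqdn                = $fqdn
        ResolvedAddresses   = $resolved
        WinRmListeningOn    = $listeningOn
        ResolvedButNotBound = $notBound
        IPv6Gap             = ($resolved -contains '::1') -and ($listeningOn -notcontains '::1')
        Event105Last24h     = @($events105).Count
    }
}

$result = Test-WecSelfForwarding
$result | Format-List

if ($result.IPv6Gap) {
    Write-Warning 'Name resolves to ::1 but WinRM has no IPv6 listener: enable the IPv6 filter in the WinRM Service GPO.'
}
```

A non-empty ResolvedButNotBound list together with a rising Event105Last24h count is the signature of this issue; after the GPO change, re-run the function and confirm that ::1 appears under WinRmListeningOn.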

Collector Server

Hi,

Do you recommend using Domain Controllers as windows event log collector servers?

I have implemented the WEF using your guide and it's great! However we do not have a spare server to be used as a collector server. Can I use the Domain Controller as a centralised logging point?

I am planning to forward Microsoft-Windows-Sysmon/Operational logs from ~1500 endpoints.
Please let me know, your help is much appreciated! Thank you

Wrapping of Image_Path and Hashes

We are working on implementing Autoruns to Event Viewer and we are seeing SHA256 and PESHA256 hashes wrapping to a new field in the Event Log like shown. As a result Splunk sees these as new fields. Any ideas on why this is happening or how to prevent it?

Time : 5/20/2017 8:45 AM
Entry Location : HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar
Entry : PXCIEaddin6
Enabled : enabled
Category : Internet Explorer
Profile : System-wide
Description : HTML to PDF Converter IE plugin (V6)
Signer : (Verified) Tracker Software Products (Canada) Ltd
Company : Tracker Software Products (Canada) Ltd.
Image Path : c:\program files\tracker software\pdf-xchange
6\pxcieaddin6.dll
Version : 6.0.322.4
Launch String : HKCR\CLSID{42DFA04F-0F16-418e-B80C-AB97A5AFAD3A}
MD5 : E685B5B6DAF436F0F478CC53400CCFE6
SHA-1 : 2760AE0DC2310B15B0EB2FB8857FB4906690981D
PESHA-1 : AB4F6A5DDC84C86F7728DA9A9F899F391F9F226F
PESHA-256 : 2653BAA13DA152435F928F7F2A7FA9AD61460B528C01A02F24D75869852522
C0
SHA-256 : BA7B4379FC57846339771AAB8586750B98CF46F5F6CF4671F51EC7FD919F6E
58
IMP : B24E0B13376B276CD4B317E5369AAD95
