Threat Hunting with Windows Event Forwarding & MITRE ATT&CK Framework In this talk, you will gain an overview of using Windows Event Forwarding (WEF) for incident detection, with configuration and management workflows guidance. The talk will also provide an introduction to the MITRE ATT&CK Framework.

1. Threat Hunting with Windows Event
Forwarding & MITRE ATT&CK Framework
Gurvinder Singh (whoami)
• He/him/his
• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
• GIAC Web Application Penetration Tester (GWAPT) – SANS
• Non-profit boards of Panjab Digital Library and Loudoun Interfaith Bridges
@gurvindersinghb
linkedin.com/in/gurvindersinghb/

2. Disclaimer
The information presented in the talk is for information purposes
and should not be construed as legal advice.
The views and opinions expressed in this talk are those of the
presenter and do not necessarily reflect the official policy or
position of APA or ISACA.

3. Topics
• Threat Hunt Challenges
• Threat Hunt Prerequisites
• Native Windows Event Forwarding
• Windows Event Forwarding Architecture
• Sources of Threat Hunt Event Logs
• MITRE ATT&CK™ framework
• Threat Hunt Resources

4. Threat Hunting using Native Windows tools
• Framework for Detecting current AD attack methods used by red teams
for penetration testing including Lateral Movement
• Microsoft Security
• Secure Event Forwarding Guidance from Information Assurance
Directorate at the NSA
• Australian Cyber Security Centre (ACSC) Technical Guidance
• Japanese JPCERT/CC CSIRT (Computer Security Incident Response Team) -
Detecting Lateral Movement through Tracking Event Logs (Version 2)

5. Threat Hunt Challenges
• A large number of hosts
• Verbose Logs required for investigation may not be present or not
configured
• Small Security Budget
• Rise in cyber crime - specialized cybercrime offerings and increased
nation-state attacks

6. Threat Hunt Prerequisites • SANS Top 20 CIS Critical Security Controls – 1-4
and 19
# 1 – Inventory of Authorized and
Unauthorized Devices
# 2 - Inventory of Authorized and
Unauthorized Software
# 3 – Secure Configurations for Hardware and
Software
# 4 – Continuous Vulnerability and Assessment
Do you know all your assets with live IP on
your network?
• # 19- Incident Response and Management
Understand how your organization will
respond to a breach.
Create an ‘Incident Response plan’

8. Native Windows Event Forwarding Architecture
Event Collector 1
Subscription
Subscription
Subscription
Subscription
Subscription
EVENT LOGS
EVENT LOGS
EVENT LOGS
SERVERS
WORKSTATIONS
LAPTOPS
Authentication
Process Creation
Full Event Logs
WEF is agent-less, relies on native components integrated into the operating system and uses
Window Remote Management (WinRM).
WEF is supported for both workstation and server builds of Windows.

9. Windows Event Forwarding Multiple Collectors Architecture
Event Collector 1
Subscription
Subscription
Subscription
Subscription
Subscription
Event Collector 2
EVENT LOGS
EVENT LOGS
EVENT LOGS
SERVERS
WORKSTATIONS
LAPTOPS
Pull
Push
WEF does not replace a SIEM – a lightweight event collection framework

10. Subscriptions

11. Forwarded Events Logs

12. Group Policy for
Event Collection

13. Group Policy for Windows Event Collection
• Configure Event Collector server(s).
• Assign read permission to read event logs so they can forwarded to
the Windows Event Collector server.
https://docs.microsoft.com/en-us/windows/security/threat-
protection/use-windows-event-forwarding-to-assist-in-intrusion-
detection

14. Collector Server
Computer>Policies>Admin Templates>Windows Components>Event
Forwarding>Configure target subscription manager
This will need to be populated with the address of your collector server in this
format :
Server=http://fqdnofsubscriptionserver:5985/wsman/SubscriptionM
anager/WEC,Refresh=60
• The refresh interval on the end indicates how often clients should check in
to see if new subscriptions are there for them. 60 seconds might be a bit
aggressive in production, but it helps out a lot when you're setting things up
and testing. Production can be 5 min or 300 seconds.

15. Network Service - Read Permissions on Event
Logs
Option 1 (Required for DCs): Computer Configuration -> Policies ->
Windows Settings -> Security Settings -> Restricted Groups to the following:
BUILTINEvent Log Readers: NT AUTHORITYNETWORK SERVICE
Option 2: Computer>Policies>Admin Templates>Windows
Components>Event Log Service>Security> Configure log access
O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-
573)(A;;0x1;;;NS)

16. Which Events to Log for the
Threat Hunt?

17. Sources of Threat Hunt Event Logs
• Microsoft Audit Policy
• Microsoft PowerShell
• Microsoft System Monitor (Sysmon)

18. Use Windows Event Forwarding to help with
intrusion detection
Collect events in both normal operations and when an intrusion is
suspected.
Create two base subscriptions:
• Baseline WEF subscription. Events collected from all hosts, this
includes some role-specific events, which will only be sent by those
machines.
• Targeted WEF subscription. Events collected from a limited set of
hosts due to unusual activity and/or heightened awareness for those
systems.
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-
event-forwarding-to-assist-in-intrusion-detection

19. Appendix A - Minimum recommended minimum audit policy
The policy below is the minimum audit policy settings needed to enable events collected by both baseline and targeted subscriptions.
https://docs.microsoft.com/en-us/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
Category Subcategory Audit settings
Account Logon Credential Validation Success and Failure
Account Management
Security Group
Management
Success
Account Management
User Account
Management
Success and Failure
Account Management
Computer Account
Management
Success and Failure
Account Management
Other Account
Management Events
Success and Failure
Detailed Tracking Process Creation Success
Detailed Tracking Process Termination Success

20. Reduce Noise Windows Events
Exclude high volume and low value events (4674)
• Privilege use, Non Sensitive Privilege Use
If using Sysmon exclude Detailed Process Tracking Events
• 4688 - Detailed Tracking, Process Creation
• 4689 - Detailed Tracking, Process Termination
https://conf.splunk.com/files/2017/slides/effectively-enhancing-our-soc-with-sysmon-powershell-logging-and-
machine-learning-to-detect-and-respond-to-todays-threats.pdf

21. PowerShell Logs
• Windows PowerShell 2.0 and later for logs.
• Windows PowerShell 5.1 logging improvements for in-memory
attacks using Windows PowerShell.

22. Sysmon for deeper visibility
• System Monitor (Sysmon) is a Windows system service and device
driver that, once installed on a system, remains resident across
system reboots to monitor and log system activity to the Windows
event log.
• It provides detailed information about process creations, network
connections, and changes to file creation time.

23. Sysmon for deeper visibility
Sysmon Event IDs
Event ID 1: Process creation Event ID 12: RegistryEvent (Object create and delete)
Event ID 2: A process changed a file creation time Event ID 13: RegistryEvent (Value Set)
Event ID 3: Network connection Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 4: Sysmon service state changed Event ID 15: FileCreateStreamHash
Event ID 5: Process terminated Event ID 17: PipeEvent (Pipe Created)
Event ID 6: Driver loaded Event ID 18: PipeEvent (Pipe Connected)
Event ID 7: Image loaded Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 8: CreateRemoteThread Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 9: RawAccessRead Event ID 21: WmiEvent (WmiEventConsumerToFilter activity
detected)
Event ID 10: ProcessAccess Event ID 255: Error
Event ID 11: FileCreate

24. Lateral Move Penetration Test Event Logged
Powershell Command
Sysmon Log

25. MITRE ATT&CK Framework – playbook of attacks
MITRE is a non-profit organization that manages federally funded research & development centers.
ATT&CK is an acronym for Adversarial Tactics, Techniques and Common Knowledge.
A useful tool for measuring and understanding your visibility and gaps.
ATT&CK by itself is not intended to be a checkbox for risk assessment.
Covers Windows, macOS, Linux, PRE, Azure AD, Office 365, Google Workspace, SaaS, IaaS, Networks, and
Containers.
https://attack.mitre.org/

26. MITRE ATT&CK Framework
Initial
Access
Credential
Access
Persistence
Impact
Defense
Evasion
Collection
Data Theft
• Reconnaissance
• Resource Development
• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Command and Control
• Exfiltration or Data Theft
• Impact & Cleanup

27. Getting Started with ATT&CK
Tune
Defenses
Prioritize
Gaps
Assess
Coverage
Start small: select a single technique to focus on, determine your coverage for that technique, and
then make the appropriate engineering enhancements to start detecting it.
Pick One
Technique

28. Technique T1543 Create or Modify System Process
https://attack.mitre.org/techniques/T1543/
T1543
Create / Modify System Process
T1543.001
MacOS - Launch Agent
T1543.002
Linux - Systemd
Service
T1543.003 Windows
Service
Process Process creation
Sysmon 1
Process Creation
Security Audit 4688
A new process has
been created
Windows Registry
Win registry key value
modification
Security Audit 4657
A registry value was
modified
Win registry creation
Sysmon 12
RegistryEvent (Object
create and delete)
Service Service creation
Security Audit 4697
System 7045
T1543.004
MacOS - Launch
Daemon
References:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/appendix-a-security-monitoring-
recommendations-for-many-audit-events

29. MITRE ATT&CK Framework
ctid.mitre-engenuity.org
• Security Stack Mappings – Amazon Web Services
• Security Stack Mappings – Google Cloud Platform
• Security Stack Mappings – Azure
• Other technology platforms
Project Summary - https://github.com/center-for-threat-informed-
defense/security-stack-mappings
This project empowers defenders with independent data on which native
security controls of leading technology platforms are most useful
in defending against the adversary TTPs they care about.

30. Sysmon detection with ATT&CK™ framework by Olaf Hartong
https://github.com/olafhartong/sysmon-modular

31. Sysmon detection with ATT&CK™ framework by Olaf Hartong

32. Threat Hunt Resources
• MITRE ATT&CK - https://attack.mitre.org
ATT&CK -Adversarial Tactics, Techniques, and Common Knowledge
• JPCERT (Japan Computer Emergency Response Team)
Detecting Lateral Movement through Tracking Event Logs (Version 2)
https://blog.jpcert.or.jp/2017/12/research-report-released-detecting-lateral-
movement-through-tracking-event-logs-version-2.html
• Microsoft Windows Event Forwarding to help with intrusion detection
(Appendix A - Minimum recommended minimum audit policy)
• Event Forwarding Guidance from IADGOV https://github.com/nsacyber/Event-
Forwarding-Guidance

33. Threat Hunt Resources
• Ready to hunt? First, Show me your data!
• Download Security Audit Events for Windows (Spreadsheet)
• Advanced Security Audit Policy Settings
• Monitoring Active Directory for Signs of Compromise
• Audit Policy Recommendations
• Use Windows Event Forwarding to help with intrusion detection
• Minimum recommended minimum audit policy
• Windows ITPro Docs - Threat Protection

34. Takeaway

35. Questions?