Skip to content

Automation scripts to deploy Windows Event Forwarding, Sysmon, and custom audit policies in an Active Directory environment.

License

Notifications You must be signed in to change notification settings

blackhillsinfosec/EventLogging

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

BHIS

EventLogging

This repo contains guidance on setting up event logging. This guidance is broken up into sections, Defensive Readiness Condition (DEFCON), and intended to be applied from 5 (lowest) to 1 (highest).

Readiness State Description Readiness Condition Features
DEFCON 1 Breach imminent or occurred Forensic imaging; Blocking techinques/tools (Server, Workstation, and Network)
DEFCON 2 Enhanced Measures Event Forwarding (Workstation); Threat Hunting
DEFCON 3 Heightened Measures Event Forwarding (Member Servers/apps); Network Device logging; Sysmon/EDR
DEFCON 4 Increased Security Measures Audit policies; Event Forwarding (Domain Controllers); Network Monitoring; Centralized logs
DEFCON 5 Default Configurations Vanilla OS/App/Device logging; No centralized logs

Initial work on this project will be focused on Windows.


Assumptions:

Active Directory

  • Microsoft Active Directory is being used

PowerShell

  • PowerShell 5 is being used

Windows Event Collector

  • A Windows Server running Windows Event Collector (WEC) services can be reached by all logged Windows endpoints.

Deployment:

The scripts are designed to be run DEFCON 4 first followed by DEFCON 3 and then DEFCON 2. Each DEFCON has a script for making changes on a DC these scripts add extra functionality and increase visibility in your deployment. You should review these scripts carefully before running them as some of the changes are difficult to revert once made. DEFCON 3 also contains a script for installing Sysmon for Windows. This script should be run from the DC as it will import a GPO used for deployment.

Before deployment, you will need to determine how many WECs you will require and their FQDN Hostname. These hosts should be configured as base Windows Server machines with all of the current updates Windows Server 2016 or higher is recommended. You will then convert the server into a WEC via the WEC-Configurator.ps1 script found in DEFCON4.

Change the following files before running the scripts.

Once the files have been edited you can run the scripts on the respective host. The DC scripts will import GPOs. These GPOs must still be linked to the correct OU for the system to work. Suggested GPO links are below.


Video Webcast


Community Contributions

  • palantir windows-event-forwarding | GitHub
  • olafhartong sysmon-modular | GitHub

License

GNUv3 - License

About

Automation scripts to deploy Windows Event Forwarding, Sysmon, and custom audit policies in an Active Directory environment.

Topics

Resources

License

Stars

Watchers

Forks