# Windows Event Forwarder

## SUMMARY

This page shows how to create custom **`.evtx`** log files using **`ecmangen.exe`** and other utilities present in the [**Windows Development Kit**](https://go.microsoft.com/fwlink/p/?LinkId=838916). The log file(s) created can be used as a destination log for forwarded events.

## **ENVIRONMENT:**

#### MACHINES:

| HOSTNAME        | MACHINE IP      | OS                               | REMARKS           |
| --------------- | --------------- | -------------------------------- | ----------------- |
| MSEDGEWIN10     | 192.168.150.128 | Windows 10 Enterprise Evaluation | Source Machine    |
| WIN-BO2CT95INDP | 192.168.150.133 | Windows Server 2016              | Collector Machine |

* The FQDN for WIN-BO2CT95INDP is **win-bo2ct95indp.bossmanben.local**

## **ASSUMPTIONS:**

#### 1. The Source Machine (MSEDGEWIN10) is joined to the domain whose Domain Controller is WIN-BO2CT95INDP.

#### 2. This guide uses ***Security Logs*** as an example.

#### 3. The steps below will create a subscription that collects ***Security logs*** from the **Source Machine** (MSEDGEWIN10).

## **PROCEDURE:**

### **i. Start the WinRM service**

1. Open **PowerShell** on the Source Machine (MSEDGEWIN10):

   ```
   winrm quickconfig
   ```

   Add the Collector Machine to the Source Machine's TrustedHosts list:

   ```
   Set-Item wsman:localhost/client/trustedhosts 192.168.150.133
   ```

   Restart the service for changes to take effect:

   ```
   Restart-Service WinRM
   ```
2. Check if the service is running:

   ```
   winrm get winrm/config
   ```

   `AllowRemoteAccess = true` signifies that the service is running.

   ```
   ...omitted...
           AllowRemoteAccess = true
       Winrs
           AllowRemoteShellAccess = true
   ...omitted...
   ```
3. Test if the Collector Machine (WIN-BO2CT95INDP) is reachable using WinRM:

   ```
   Test-WSMan WIN-BO2CT95INDP
   ```

   ```
   wsmid           : http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd
   ProtocolVersion : http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd
   ProductVendor   : Microsoft Corporation
   ProductVersion  : OS: 0.0.0 SP: 0.0 Stack: 3.0
   ```

   WinRM is **enabled by default** on Windows Server 2012 and up. This is just a measure to check if the Collector Machine is indeed reachable.

### **ii. Add the Collector Machine to the Event Log Readers groups**

#### **In the Source Machine (MSEDGEWIN10):**

1. Open the **Local Users and Groups**:
   * Press `Win` + `R` then enter `lusrmgr.msc`
2. Navigate to `Local Users and Groups (Local)` **>** `Groups`:
   1. Right-click `Event Log Readers` and select `Properties`
   2. Select `Add...`
3. Select `Object Types...` then check the box, `Computers`
4. `Enter the object names to select` -- "***WIN-BO2CT95INDP***"
   * Select `Check Names` for good measure.
5. Select `OK` when done.

### **iii. Create Subscriptions using Event Viewer**

#### **In the Collector Machine (WIN-BO2CT95INDP):**

Open the **Event Viewer** -- Press `Win` + `R` then enter `eventvwr.msc`. On the left panel, right-click on `Subscriptions` then select `Create Subscription...`

1. `Subscription Name` -- Remote Security Logs
2. `Description` -- Security Logs from the Domain Computer, MSEDGEWIN10
3. `Destination log` -- Forwarded Events
   * Custom logs could be created but `Forwarded Events` is selected by default.
   * Click [here](https://app.gitbook.com/s/-Mfagag8d4yY8yveDJY3/projects/blue-team/Custom-evtx-Logfiles.html) to create custom logs.
4. Select `Subscription type and source computers`:

   If you choose `Collector initiated`, then select `Select Computers...`

   1. Select `Add Domain Computers...`
   2. `Enter the object name to select` -- "***MSEDGEWIN10***"
   3. Select `Check Names` for good measure.
   4. Select `OK`
   5. Select `Test` for good measure.
   6. Select `OK`

   For `Source initiated`, select `Select Computer Groups...` then do the following extra steps on the Source Machine:

   1. Press `Win` + `R` then enter `gpedit.msc`
      1. Navigate to `Computer Configuration` **>** `Administrative Templates` **>** `Windows Components` **>** `Event Forwarding`
      2. Right-click on `Configure target Subscription Manager` then select `Edit`
      3. Choose `Enabled`
      4. Under `Options`, beside `SubscriptionManagers`, press `Show...`
      5. Enter `Server=http://win-bo2ct95indp.bossmanben.local:5985/wsman/SubscriptionManager/WEC,Refresh=30`
      6. Press `OK`
      7. Press `OK`
   2. Open **PowerShell** or **cmd** then run `gpupdate /force`

   For `Source initiated`, also do the following on the Collector Machine (WIN-BO2CT95INDP):

   1. Open **PowerShell** or **cmd** then run `wecutil quick-config`
5. Select `Select Events...`:
   1. `Logged` -- "***Any time***"
   2. `Event level` -- ***Critical***, ***Error***, ***Information***, ***Warning***
   3. Choose `By log` -- ***Windows*** -> ***Security***
   4. Filter **Event IDs** -- 4624, 4657, 4688, 4698, 4720, 4722, 4724, 4732, 4738, 4769
   5. Select `OK`
6. Select `Advanced...`:

   1. `User Account` -- Choose `Machine Account`
   2. `Event Delivery Optimization` -- Choose `Minimize Latency`
   3. Select `OK`

   | OPTION             | DESCRIPTION                          | INTERVAL                     |
   | ------------------ | ------------------------------------ | ---------------------------- |
   | Normal             | Does not conserve bandwidth          | 15 minutes via pull delivery |
   | Minimize Bandwidth | Bandwidth for delivery is controlled | 6 hours via push delivery    |
   | Minimize Latency   | Delivery with minimal delay          | 30 seconds via push delivery |
7. Select `OK`
8. Right-click on the newly created subscription then select `Runtime Status`:

   ```
   [MSEDGEWIN10.bossmanben.local] - Error - Last retry time: 7/17/2019 8:27:52 PM. 
   Code (0x138C): <f:ProviderFault provider="Event Forwarding Plugin" path="C:\Windows\system32\wevtfwd.dll"
   ```

#### **In the Source Machine (MSEDGEWIN10)**

1. Run `wevtutil`:

   ```
   wevtutil get-log Security
   ```

   ```
   name: Security
   enabled: true
   type: Admin
   owningPublisher:
   isolation: Custom
   channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
   logging:
     logFileName: %SystemRoot%\System32\Winevt\Logs\Security.evtx
     retention: false
     autoBackup: false
     maxSize: 20971520
   publishing:
     fileMax: 1
   ```
2. Add the **Network Service Account** (S-1-5-20) to the `channelAccess` field:

   ```
   wevtutil set-log Security /ca:"O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)"
   ```

   * WinRM runs under the ***Network Service Account***, which has no access to the **Security Logs** by default
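   The two source-side changes (adding the collector's computer account to `Event Log Readers` in section ii, and granting S-1-5-20 read access to the Security channel above) can be scripted so that re-running them does not stack duplicate entries. This is an added example, not part of the original guide; it assumes the domain NetBIOS name is BOSSMANBEN (taken from the FQDN in the ENVIRONMENT section) and runs in an elevated PowerShell on the Source Machine (MSEDGEWIN10).

   ```powershell
   # Added example (not from the original guide): run elevated on the Source Machine (MSEDGEWIN10).
   # Assumption: domain NetBIOS name is BOSSMANBEN; computer accounts end with '$'.
   $collector = 'BOSSMANBEN\WIN-BO2CT95INDP$'

   # --- Section ii: make sure the collector is in Event Log Readers (S-1-5-32-573) ---
   $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
   if ($members.Name -notcontains $collector) {
       Add-LocalGroupMember -Group 'Event Log Readers' -Member $collector
       Write-Host "Added $collector to Event Log Readers"
   } else {
       Write-Host "$collector is already a member of Event Log Readers"
   }

   # --- channelAccess: grant NETWORK SERVICE (S-1-5-20) read access (0x1) to Security ---
   # Parse the current SDDL from 'wevtutil get-log Security' instead of hard-coding it,
   # so any ACEs already present on this machine are kept intact.
   $match = wevtutil get-log Security | Select-String '^channelAccess:\s*(.+)$'
   $current = $match.Matches[0].Groups[1].Value
   # ACE format: (AceType;Flags;Rights;ObjectGuid;InheritGuid;Sid); 0x1 = read
   $ace = '(A;;0x1;;;S-1-5-20)'
   if ($current -match 'S-1-5-20') {
       Write-Host "S-1-5-20 already present in: $current"
   } else {
       $newSddl = $current + $ace
       wevtutil set-log Security /ca:$newSddl
       Write-Host "Updated channelAccess to: $newSddl"
   }

   # Verify: wevtutil prints the effective SDDL back
   wevtutil get-log Security | Select-String 'channelAccess'
   ```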

#### **Going back to the Collector Machine (WIN-BO2CT95INDP)**

1. Go to the **Event Viewer**:
   * Press `Win` + `R` then enter `eventvwr.msc`
2. On the left panel, go to `Subscriptions` then select the recently created subscription
3. On the right panel, under the ***subscription name***, select `Retry`
4. Right-click on the recently created subscription then select `Runtime Status`:

   ```
   [MSEDGEWIN10.bossmanben.local] - Active - : No additional status.
   ```

   * An Event with **ID 100 (Name="SubscribeSuccess")** will appear on ***Microsoft-Windows-Event-ForwardPlugin/Operational*** in the Source Machine (MSEDGEWIN10)

**Finally, wait for logs to be sent to the Forwarded Events log.**

**NOTE(S)**:

* Timestamps are preserved
* Log contents are preserved
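Once the subscription shows `Active`, the following added example (not part of the original guide) confirms on the Collector Machine (WIN-BO2CT95INDP) that the filtered Security events from MSEDGEWIN10 actually arrive in `ForwardedEvents`, and uses the preserved `TimeCreated` timestamp to measure delivery lag against the 30-second target of `Minimize Latency`. The one-hour window is an arbitrary choice.

```powershell
# Added example (not from the original guide): run on the Collector Machine (WIN-BO2CT95INDP).
$eventIds = 4624, 4657, 4688, 4698, 4720, 4722, 4724, 4732, 4738, 4769
$since = (Get-Date).AddHours(-1)   # arbitrary look-back window (assumption)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'ForwardedEvents'
    Id        = $eventIds
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No forwarded Security events in the last hour; check Runtime Status on the subscription."
    return
}

# One row per source computer and Event ID: a quick check that what arrives matches
# the Event ID filter configured in the subscription.
$events | Group-Object MachineName, Id | Sort-Object Name |
    Select-Object @{ n = 'Source';  e = { $_.Group[0].MachineName } },
                  @{ n = 'EventID'; e = { $_.Group[0].Id } },
                  Count |
    Format-Table -AutoSize

# TimeCreated is the source's original timestamp (preserved on forwarding), so the gap
# between it and 'now' on the newest event approximates delivery lag. Roughly 30 seconds
# is expected for Minimize Latency; a much larger gap points at delivery or clock-skew problems.
$newest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
$lagSec = [int]((Get-Date) - $newest.TimeCreated).TotalSeconds
"Newest event: ID $($newest.Id) from $($newest.MachineName) at $($newest.TimeCreated) (lag ${lagSec}s)"
```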

## **REFERENCES:**

* https://www.vkernel.ro/blog/how-to-configure-windows-event-log-forwarding
* https://www.itprotoday.com/strategy/q-what-are-some-simple-tips-testing-and-troubleshooting-windows-event-forwarding-and
* https://rockyprogress.wordpress.com/2011/12/04/security-event-log-collection-from-a-domain-controller/
* https://blogs.technet.microsoft.com/supportingwindows/2016/07/18/setting-up-a-source-initiated-subscription-on-an-event-collector-computer/
