bpatty

Brian's Pentesting and Technical Tips for You

View the Project on GitHub 7MinSec/bpatty

WEFFLES

Intro

This is an abbreviated install/setup guide for WEFFLES (Windows Event Logging Forensic Logging Enhancement Services) that is described in awesome detail here.

Requirements

Topology

I made a simple, small lab setup with a domain of i.got.worms and these machines:

GPO config

In my domain of i.got.worms I created a workstation computer group called IGW-Workstations and a server computer group called IGW-Servers.

Windows Event Forwarding GPO

I created this new GPO and linked it to IGW-Workstations, IGW-Servers and Domain Controllers. The settings are as follows:

Setup event collector

  1. On your event collector machine (again, for me that’s the igw-srv01.i.got.worms box), download the zip of the WEFFLES GitHub repo to the desktop.

  2. Execute the wefsetup.ps1 script.

  3. Reboot the collector server.

  4. Wait about 10-15 minutes for the events to start “cooking.”

  5. Open Event Viewer and under Subscriptions, right-click on CoreEvents and click Runtime Status. A box will pop up with a Subscription Status and, below that, a Source computers list of machines that should start checking in to report events. If they don’t, check the GPO settings above and make sure that your Configure target Subscription Manager value begins with Server= because I missed that the first time. Also, make sure the clients in your AD environment are all time-synced properly. Mine weren’t and it took me way too long to figure that out. Check time sync articles like this for help on the VMware side, and this on the Windows side.

  6. In Event Viewer, also open Windows Logs > Forwarded Events to verify the events are pulling in from machines in the domain.

  7. Check C:\WEFFLES directory and ensure that you’ve got a weffles.xls and bookmarks.stream file. If you don’t, double-check that you have .NET 3.5 installed. I didn’t, and that ended up being my issue!
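Steps 5 through 7 are all things you can verify from one elevated PowerShell prompt on the collector instead of clicking through Event Viewer. The script below is an added example (not part of the WEFFLES project or the original write-up) that runs the same checks: the collector service, the CoreEvents subscription and its source computers, the Forwarded Events log, the Server= prefix on the GPO-applied Subscription Manager value, time sync, .NET 3.5, and the two output files in C:\WEFFLES. The subscription name and output directory are taken from the steps above; the parsing of `wecutil gr` output is a heuristic and is labelled as such in the comments.

```powershell
# Added verification script for the WEFFLES collector checklist above.
# Not part of the WEFFLES project; it only reads state and changes nothing.
# Assumptions: the subscription is named CoreEvents and WEFFLES writes to
# C:\WEFFLES (both from the steps above). Run elevated on the collector.

param(
    [string]$SubscriptionName = 'CoreEvents',
    [string]$WefflesDir       = 'C:\WEFFLES'
)

function Write-Check {
    param([string]$Name, [bool]$Ok, [string]$Detail = '')
    $tag = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ('[{0}] {1} {2}' -f $tag, $Name, $Detail)
}

# 1. The Windows Event Collector service must be running, or nothing checks in.
$wec = Get-Service -Name Wecsvc -ErrorAction SilentlyContinue
Write-Check 'Windows Event Collector service running' ($null -ne $wec -and $wec.Status -eq 'Running')

# 2. Subscription exists (wecutil gs) and its runtime status lists sources
#    (wecutil gr is the CLI view of Event Viewer > Subscriptions > Runtime Status).
$null = & wecutil.exe gs $SubscriptionName 2>&1
Write-Check "Subscription '$SubscriptionName' is defined" ($LASTEXITCODE -eq 0)

$runtime = & wecutil.exe gr $SubscriptionName 2>&1
# Heuristic: source computers appear as a bare FQDN on its own indented line,
# while the status lines under them all contain a colon.
$sources = @($runtime | Where-Object { $_ -match '^\s+[^\s:]+\.[^\s:]+\s*$' } |
                        ForEach-Object { $_.Trim() })
Write-Check 'Source computers have checked in' ($sources.Count -gt 0) ("count=" + $sources.Count)
$sources | ForEach-Object { Write-Host "      source: $_" }

# 3. Forwarded Events should already hold records (step 6).
$fwd = Get-WinEvent -ListLog ForwardedEvents -ErrorAction SilentlyContinue
Write-Check 'Forwarded Events log has records' ($null -ne $fwd -and $fwd.RecordCount -gt 0) ("records=" + $fwd.RecordCount)

# 4. The GPO "Configure target Subscription Manager" setting lands in this
#    registry key as numbered values; each must begin with Server= (step 5).
#    The collector is in IGW-Servers, so the policy applies here as well.
$smKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
$smValues = @()
if (Test-Path $smKey) {
    $smValues = (Get-ItemProperty -Path $smKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } |
                ForEach-Object { [string]$_.Value }
}
$badPrefix = @($smValues | Where-Object { $_ -notmatch '^Server=' })
Write-Check 'Subscription Manager values present' ($smValues.Count -gt 0)
Write-Check 'All Subscription Manager values start with Server=' ($smValues.Count -gt 0 -and $badPrefix.Count -eq 0)
$badPrefix | ForEach-Object { Write-Host "      missing Server= prefix: $_" }

# 5. Time sync: a machine syncing only from its local CMOS clock is not
#    domain time-synced, which is the Kerberos/WEF failure called out in step 5.
$w32 = & w32tm.exe /query /status 2>&1
$timeOk = ($LASTEXITCODE -eq 0) -and (-not ($w32 -match 'Local CMOS Clock'))
Write-Check 'Time source is not the local CMOS clock' $timeOk

# 6. .NET 3.5 is required for WEFFLES output (step 7). Check the install
#    marker in the registry, which works on both server and client SKUs.
$net35 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
Write-Check '.NET Framework 3.5 installed' ($null -ne $net35 -and $net35.Install -eq 1)

# 7. WEFFLES output files from step 7.
foreach ($f in 'weffles.xls', 'bookmarks.stream') {
    $p = Join-Path $WefflesDir $f
    Write-Check "Output file present: $p" (Test-Path $p)
}
```

A FAIL on the Subscription Manager or time-sync lines points back at the GPO and time-sync fixes in step 5; a FAIL on .NET 3.5 with the output files missing is the same symptom described in step 7.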

Review collected data

On the collector machine: