Configuring Windows Event Forwarding with Sysmon

This is a sample basic configuration of setting up Windows Event forwarding on a Windows 2012R2 server. This is all on my home test network where I have direct access to both the client workstation and server for configuration. It will go over the basics of setting up Sysmon to monitor for certain events and we will send these over to our collector server when it is running. Finally, we will verify logs are now showing up as expected.

I hope to expand on this as I move these logs to Splunk and include standard Windows Event IDs to collect even more data for analysis. Once I have this in an acceptable place, I will start to test it against known malware and possibly some emerging malware. It would also be helpful to automate these steps through Group Policy so each workstation is not having these commands ran on them.

Client Computer:

  1. Open an administrative command prompt like on the server.
  2. Run the following command and answer Yes to the questions.
    1. Winrm quickconfig
  3. Next open Computer Management. (Win + R and type compmgmt.msc).
  4. Expand System Tools > Local Users and Groups > Groups.
  5. Right-click on Event Log Readers and select Add to Group.
  6. On the new window, select Add…
  7. Select Object Types… and checkmark Computers.
  8. Type the name of the server that we will be using.
  9. Select OK, Apply and OK to save these settings.
  10. Next, let’s configure Sysmon to monitor specific events in Windows. We will use a quick sample Sysmon config from SwiftOnSecurity.
    1. https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
    2. https://github.com/SwiftOnSecurity/sysmon-config
    3. Command: sysmon.exe -accepteula -i sysmonconfig-export.xml
  11. Now we need to add the Event Log Readers group to Channel Access. The easiest way to view it is with the following commands.
    1. Error: Error - Last retry time: 3/10/2016 1:17:37 PM. Code (0x138C): <f:ProviderFault provider="Event Forwarding Plugin" path="C:\Windows\system32\wevtfwd.dll" xmlns:f="http://schemas.microsoft.com/wbem/wsman/1/wsmanfault"><t:ProviderError xmlns:t="http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog">Windows Event Forward plugin can't read any event from the query since the query returns no active channel. Please check channels in the query and make sure they exist and you have access to them.</t:ProviderError></f:ProviderFault> Next retry time: 3/10/2016 1:57:37 PM.
    2. This will only show up if you already setup the subscription and the following commands will remove this error.
    3. Command: wevtutil gl Microsoft-Windows-Sysmon/Operational
    4. This will display the properties for our Sysmon logs.
    5. We will basically copy the string on ChannelAccess starting with “O:BAG:” and add the SID (Security Identifier) to the Event Log Readers group (S-1-5-20). This can be verified in the registry by checking the SIDs at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
    6. Command: wevtutil sl Microsoft-Windows-Sysmon/Operational /ca:O:BAG:SYD:(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x1;;;BO)(A;;0x1;;;SO)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
    7. Source: https://rockyprogress.wordpress.com/2011/12/04/security-event-log-collection-from-a-domain-controller/
  1. If you already have the subscription configured and encountered the above error, you will need to wait about 15-20 minutes before the logs flow to the server. (Seriously, I almost didn’t believe it until I waited about 30 minutes and was tempted to remove my already existing subscription and add it again.)
  2. Continue onto the Server Configuration below.

Server Configuration:

  1. Open an administrative command prompt.
  2. Run the following command and select Yes.
    1. Command: Wecutil qc
    2. Continue onto the Client Configuration.
  3. Here we will install Sysmon with the following command on an administrative command prompt. We will not be configuring event reporting although this would be easy enough and give us additional information about the health of our server.
    1. Command: Sysmon.exe -accepteula
  4. Do not continue until Client Configuration is done. Once you have Sysmon and Windows Event Collector running, we will now create the subscription which will begin to pull the event logs from the client computer (Collector Initiated). To do this we will need to open Event Viewer.
    1. We have several straightforward ways to open Event Viewer. One is to right-click on the Start Menu icon and select Event Viewer or Computer Management.
    2. From there, we will go to Subscriptions and Create Subscription…
  5. First, we need to select our test computer by name and select the events that we want to capture.
  6. When we Select Events…, we will need to choose the level and which event logs to monitor. Right now, we have only setup for Sysmon and it should look like the following.
  7. If we have followed these steps correctly, we should now have events showing up on the server and checking Event Viewer; We do!

Sources:

https://msdn.microsoft.com/en-us/library/cc748890(v=ws.11).aspx

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

https://github.com/SwiftOnSecurity/sysmon-config

https://rockyprogress.wordpress.com/2011/12/04/security-event-log-collection-from-a-domain-controller/