FaresMorcy
  • Whoami
  • Footprinting Labs
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Shells & Payloads
    • The Live Engagement
  • Password Attacks
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Active Directory Enumeration & Attacks
    • Active Directory Enumeration & Attacks
    • AD Enumeration & Attacks - Skills Assessment Part I
    • AD Enumeration & Attacks - Skills Assessment Part II
  • SOC Hackthebox Notes & Labs
    • Security Monitoring & SIEM Fundamentals Module
    • Windows Event Logs & Finding Evil Module
    • Introduction to Threat Hunting & Hunting With Elastic Module
    • Understanding Log Sources & Investigating with Splunk Module
      • Introduction To Splunk & SPL
      • Using Splunk Applications
      • Intrusion Detection With Splunk (Real-world Scenario)
      • Detecting Attacker Behavior With Splunk Based On TTPs
      • Detecting Attacker Behavior With Splunk Based On Analytics
      • Skills Assessment
    • Windows Attacks & Defense
      • Kerberoasting
      • AS-REProasting
      • GPP Passwords
      • GPO Permissions/GPO Files
      • Credentials in Shares
      • Credentials in Object Properties
      • DCSync
      • Golden Ticket
      • Kerberos Constrained Delegation
      • Print Spooler & NTLM Relaying
      • Coercing Attacks & Unconstrained Delegation
      • Object ACLs
      • PKI - ESC1
      • Skills Assessment
    • Intro to Network Traffic Analysis Module
    • YARA & Sigma for SOC Analysts Module
      • Developing YARA Rules
      • Hunting Evil with YARA (Windows Edition)
      • Hunting Evil with YARA (Linux Edition)
      • Sigma and Sigma Rules
      • Developing Sigma Rules
      • Hunting Evil with Sigma (Chainsaw Edition)
      • Hunting Evil with Sigma (Splunk Edition)
      • Skills Assessment
  • Malicious Document Analysis - HTB Notes
    • Introduction
    • PDF Analysis
    • Office Files Analysis
    • Excel Macro Analysis
    • RTF Documents Analysis
  • Build Home Lab - SOC Automation
    • Install & configure Sysmon for deep Windows event logging
    • Set up Wazuh & TheHive for threat detection & case management
    • Execute Mimikatz & create detection rules in Wazuh
    • Automate everything with Shuffle
    • Response to SSH Attack Using Shuffle, Wazuh, and TheHive
  • Home Lab (Attack & Defense Scenarios)
    • Pass-the-Hash Attack & Defense
    • Scheduled Task Attack & Defense
    • Kerberoasting Attack & Defense
    • Kerberos Constrained Delegation
    • Password Spraying Attack & Defense
    • Golden Ticket Attack & Defense
    • AS-REProasting Attack & Defense
    • DCSync Attack & Defense
    • Home Lab (FIN7 (Carbanak Group) – Point of Sale (POS) Attack on Hospitality Chains)
  • Home Lab (Active Directory Scenarios)
    • AD Scenario 1
      • Lab Setup
      • The Attack
      • The Investigation
  • Build ELK Lab
    • Configure Elasticsearch and Kibana setup in ubuntu
    • Configure Fluent-Bit to send logs to ELK
    • Set up Winlogbeat & Filebeat for log collection
    • Send Logs from Winlogbeat through Logstash to ELK
    • Enable Windows Audit Policy & Winlogbeat
    • Elasticsearch API and Ingestion Pipeline
  • CyberDefenders
    • XXE Infiltration Lab
    • T1594 Lab
    • RetailBreach Lab
    • DanaBot Lab
    • OpenWire Lab
    • BlueSky Ransomware Lab
    • Openfire Lab
    • Boss Of The SOC v1 Lab
    • GoldenSpray Lab
    • REvil Lab
    • ShadowRoast Lab
    • SolarDisruption Lab
    • Kerberoasted Lab
    • T1197 Lab
    • Amadey Lab
    • Malware Traffic Analysis 1 Lab
    • Insider Lab
    • Volatility Traces Lab
    • FalconEye Lab
    • GitTheGate Lab
    • Trident Lab
    • NerisBot Lab
  • TryHackme Rooms
    • Investigating Windows
    • Splunk 2
    • Windows Network Analysis
  • Powershell Scripting Fundamentals
  • Practical Windows Forensics
    • Data Collection
    • Examination
    • Disk Analysis Introduction
    • User Behavior
    • Overview of disk structures, partitions and file systems
    • Finding Evidence of Deleted Files with USN Journal Analysis
    • Analyzing Evidence of Program Execution
    • Finding Evidence of Persistence Mechanisms
    • Uncover Malicious Activity with Windows Event Log Analysis
    • Windows Memory Forensic Analysis
  • Hackthebox Rooms
    • Campfire-1
    • Compromised
    • Brutus
    • Trent
    • CrownJewel-1
  • WEInnovate Training
    • Weinnovate - Active Directory Task One
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Configure Fluent-Bit to send logs to ELK
      • Set up Winlogbeat & Filebeat for log collection
      • Send Logs from Winlogbeat through Logstash to ELK
      • Enable Windows Audit Policy & Winlogbeat
      • Elasticsearch API and Ingestion Pipeline
    • SOAR
      • Send Alerts To Email & Telegram Bot
      • Integrate Tines with ELK
    • SOC Practical Assessment
    • Lumma C2
    • Network Analysis
  • TryHackme SOC 1
    • TShark
      • TShark: The Basics
      • TShark: CLI Wireshark Features
      • TShark Challenge I: Teamwork
      • TShark Challenge II: Directory
    • Tempest
    • Boogeyman 1
    • Boogeyman 2
    • Boogeyman 3
  • TryHackme SOC 2
    • Advanced Splunk
      • Splunk: Exploring SPL
      • Splunk: Setting up a SOC Lab
      • Splunk: Dashboards and Reports
      • Splunk: Data Manipulation
      • Fixit
    • Advanced ELK
      • Slingshot
    • Threat Hunting
      • Threat Hunting: Foothold
      • Threat Hunting: Pivoting
      • Threat Hunting: Endgame
Powered by GitBook
On this page
  1. WEInnovate Training
  2. Build ELK Lab

Enable Windows Audit Policy & Winlogbeat

PreviousSend Logs from Winlogbeat through Logstash to ELKNextElasticsearch API and Ingestion Pipeline

Last updated 6 months ago

CtrlK

Prerequisites:

  • Windows Machine: https://info.microsoft.com/ww-landing-windows-10-enterprise.html

  • Windows Server: https://info.microsoft.com/ww-landing-windows-server-2022.html

  • Ubuntu Machine

We have successfully set up Elasticsearch and Kibana on the Ubuntu machine. The next step is to install Winlogbeat and configure it to send logs to the ELK stack. However, before proceeding with the installation, we need to apply specific policies to the Sales OU that was previously created.

  • Process Creation Logging:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > 
System Audit Policies - Local Group Policy Object > Detailed Tracking

Let's call it Audit Logging.

  • Logon and Authentication Auditing:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > 
System Audit Policies - Local Group Policy Object > Logon/Logoff

Next, we need to run the following command on the client machine to apply the policy:

gpupdate /force

Next, we need to configure Winlogbeat on the Windows Client.

Next, let's start the service:

Start-Service winlogbeat
Get-service winlogbeat

Next, we will proceed with testing the configuration.

.\winlogbeat.exe test config -c .\winlogbeat.yml

Before sending logs, let's check the connection to the configured output (Elasticsearch) is established.

.\winlogbeat.exe test output

This command verifies if Winlogbeat can successfully send logs to the configured destination.

Next, we need to start Winlogbeat using the winlogbeat.yml configuration file to capture and display real-time logs in the console.

.\winlogbeat.exe -c .\winlogbeat.yml -e
  • .\winlogbeat.exe → Runs the Winlogbeat program to collect windows logs.

  • -c .\winlogbeat.yml → Uses the winlogbeat.yml file for configuration (tells Winlogbeat where to send logs, like Elasticsearch).

  • -e → Shows log messages on the screen instead of saving them to a file.

We now need to confirm whether ELK successfully receives logs from Winlogbeat.

From Stack Management → Index Management

Let's apply filters based on specific Event IDs.

  • 4688:A new process has been created.

  • 4624: An account was successfully logged on.

  • 4672: Special privileges assigned to new logon.

Let's create a dashboard that visualizes data of the Client01 machine.