forked from nsacyber/Event-Forwarding-Guidance

README.txt
The scripts in this directory need to run in a particular order when starting
for the first time. These steps will set up Windows Event Collection subscriptions.
The targeted groups are "Domain Computers" and "Domain Controllers". These groups
can be changed later.

1 - Create Custom Views
    .\creatCV.ps1 -dir ..\Subscriptions\NT6 -odir ..\CustomViews\Monitor

2 - Add the "Domain Computers" and "Domain Controllers" SIDs to the subscriptions
    .\Fill-GroupName.ps1 -sid "Domain Computers" -dir ..\Subscriptions\NT6
    followed by (the -append flag keeps the SID added by the first run):
    .\Fill-GroupName.ps1 -sid "Domain Controllers" -dir ..\Subscriptions\NT6 -append

3 - Add your domain name to the Pass the Hash filter
    This is a manual edit.
    - Navigate to ..\Subscriptions\NT6\ and open AccountLogons.xml with an editor
    - Replace the word 'TEST' on lines 46 and 60 with your domain's name
    Example:
    ..snip..
    *[EventData[Data[@Name='TargetDomainName']!='TEST']]
    ..snip..
    becomes
    ..snip..
    *[EventData[Data[@Name='TargetDomainName']!='MYDOMAINNAME']]
    ..snip..

4 - Install the subscriptions (this step assumes you have already configured the
    WinRM and Windows Event Collection services; if not, read section 2.3 of the
    security guidance)
    .\subscriptionUtil.ps1 -install -dir ..\Subscriptions\NT6 -cdir ..\CustomViews\Monitor

5 - Open Event Viewer (eventvwr.msc)
    Check the Subscriptions and Custom Views nodes to verify that everything was created

6 - Ready!
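Step 3 as a script instead of a hand edit, added here as an example (it is not one of the repository's scripts): it swaps the 'TEST' placeholder in the Pass the Hash filter for the real domain name, reports which lines changed so they can be checked against lines 46 and 60, keeps a backup, and confirms the file still parses as XML before subscriptionUtil.ps1 sees it. The function name and the NetBIOS name validation are assumptions.

```powershell
# Added example, not part of nsacyber/Event-Forwarding-Guidance.
# Assumes the placeholder is exactly 'TEST' inside a
# Data[@Name='TargetDomainName'] comparison, as the README describes.
function Set-PthFilterDomain {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$Path = '..\Subscriptions\NT6\AccountLogons.xml'
    )
    # Reject anything that is not a plausible NetBIOS domain name, so a typo
    # does not silently produce a filter that never matches (or matches everything).
    if ($DomainName -notmatch '^[A-Za-z0-9][A-Za-z0-9\-]{0,14}$') {
        throw "'$DomainName' is not a valid NetBIOS domain name"
    }
    $pattern     = "Data\[@Name='TargetDomainName'\]!='TEST'"
    $replacement = "Data[@Name='TargetDomainName']!='$DomainName'"

    $lines = @(Get-Content -Path $Path)
    $hits  = @()
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match $pattern) {
            $hits += ($i + 1)   # 1-based line number, comparable to the README's 46 and 60
            $lines[$i] = $lines[$i] -replace $pattern, $replacement
        }
    }
    if ($hits.Count -eq 0) { throw "No 'TEST' placeholder found in $Path" }

    # Keep the original so the edit can be reverted, then write the new content.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    Set-Content -Path $Path -Value $lines -Encoding UTF8

    # A malformed subscription file fails at install time; catch that here instead.
    $null = [xml](Get-Content -Path $Path -Raw)

    Write-Host "Replaced 'TEST' on line(s) $($hits -join ', ') of $Path"
    return $hits
}

# Usage, run from the Scripts directory:
# Set-PthFilterDomain -DomainName 'MYDOMAINNAME'
```

If the reported line numbers differ from 46 and 60, the subscription file has been modified since the README was written; inspect those lines before installing.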