WEFFLES is designed to be small and lightweight, both for speed of getting something deployed during an Incident Response and also for the sake of being sustainable in an environment going forward. It’s not necessary to be familiar with the underlying technology of Windows Event Forwarding to set up the solution, as it’s scripted out for you.
We need to be able to create and link a GPO that will apply to all of the machines we want in scope of monitoring. I would hope this would include desktops, servers, and domain controllers for the sake of completeness, but the flexibility to link the GPO that enables Windows Event Forwarding to a testing Organizational Unit is also a great way to start.
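As an added example (not WEFFLES’s own scripting), this is what the GPO that points in-scope machines at the collector actually sets: the “Configure target Subscription Manager” policy and the WinRM service auto-configuration policy, linked to a pilot OU first. The GPO name, OU distinguished name and collector FQDN are assumptions for illustration.

```powershell
# Added example, not part of WEFFLES: create and link a GPO that points in-scope
# machines at the Windows Event Collector. GPO name, OU path and collector FQDN
# are assumptions; replace them with your own values.
Import-Module GroupPolicy

$GpoName   = 'WEF-Forward-To-Collector'          # assumed GPO name
$TargetOU  = 'OU=WEF-Pilot,DC=corp,DC=example'   # assumed: start with a test OU
$Collector = 'wec01.corp.example'                # assumed collector FQDN

# HTTP on 5985 is the default WinRM listener. For HTTPS use 5986 and append
# ",IssuerCA=<thumbprint>" so clients trust the collector's certificate issuer.
$SubMgr = "Server=http://${Collector}:5985/wsman/SubscriptionManager/WEC,Refresh=60"

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Points clients at the WEF collector'
}

# Computer Configuration > Administrative Templates > Windows Components >
# Event Forwarding > "Configure target Subscription Manager".
# Each collector entry is a REG_SZ value named 1, 2, ... under this key.
$subKey = 'HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
Set-GPRegistryValue -Name $GpoName -Key $subKey -ValueName '1' -Type String -Value $SubMgr | Out-Null

# "Allow remote server management through WinRM": makes the WinRM service start
# and listen so the forwarder can reach the collector.
$winrmKey = 'HKLM\Software\Policies\Microsoft\Windows\WinRM\Service'
Set-GPRegistryValue -Name $GpoName -Key $winrmKey -ValueName 'AllowAutoConfig' -Type DWord  -Value 1   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $winrmKey -ValueName 'IPv4Filter'      -Type String -Value '*' | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $winrmKey -ValueName 'IPv6Filter'      -Type String -Value '*' | Out-Null

# Link to the pilot OU only if it is not linked already; move the link to the
# domain root once forwarding from the pilot machines has been verified.
$existing = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Verification on a client after "gpupdate /force":
#   Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
#   Get-WinEvent -LogName 'Microsoft-Windows-Forwarding/Operational' -MaxEvents 10
# The Forwarding/Operational log shows whether the client reached the collector
# and pulled the subscription, which is the first place to look when nothing arrives.
```

Note that the forwarder on each client runs as Network Service, which by default cannot read the Security log; granting that read access (via the “Configure log access” policy or `wevtutil sl Security /ca:…`) is a separate step this snippet does not perform.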
– A server to act as the Windows Event Collector – I recommend using a dedicated server as the collector, for performance and security reasons. The server does not have to be massive in spec though, even if you have a lot of endpoints you plan to have checking in to it. The log data should not go over 10GB for even large organizations (500k endpoints is my biggest WEFFLES deployment so far) and the solution exports data to CSV files for safekeeping, which are quite small. The main performance need on a collector is memory to hold the log files. We set the size of the event log to 1GB, as in this solution it acts only as a holding place before the events get exported to CSV. The general rule of thumb if you want a larger event log is: memory required = the amount of memory needed to run Windows and do things like backups + the specified event log size.
– PowerBI Desktop – The console/data slicer itself is built using PowerBI Desktop. If you’d rather use another data slicer or the most widely used incident response tool on the planet (Microsoft Excel) the output weffles.csv file can be loaded into many different tools. There is a pre-built weffles.pbix PowerBI Desktop file in the GitHub repo that allows you to use the same data slicer console view I show in this post.
WEFFLES uses the EventLogWatcher script from CodePlex (https://pseventlogwatcher.codeplex.com/) to output the CSV file, and it’s kicked off via a Scheduled Task at system startup, so reboot the machine now. The next part takes a while to “cook”, so have patience and maybe walk away for 10 minutes as the subscriptions start to work and the script starts to parse the logs.
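To show the collector-side mechanism the paragraph describes, here is an added example that is not WEFFLES’s own code: a startup Scheduled Task running as SYSTEM that exports new events from the collector’s ForwardedEvents channel to a CSV. Where WEFFLES uses the CodePlex EventLogWatcher for a persistent watcher, this example uses a simpler polling export with a high-water mark so repeated runs do not duplicate rows. The script path, task name and output path are assumptions.

```powershell
# Added example, not WEFFLES's own code: register a startup task (as SYSTEM) that
# exports ForwardedEvents to CSV. Paths and the task name are assumptions.
$ScriptPath = 'C:\WEFFLES\Export-ForwardedEvents.ps1'   # assumed location
$TaskName   = 'WEFFLES-Export'                           # assumed task name

# --- Part 1: the export script, written to disk for the task to run ---
# Single-quoted here-string: nothing inside is expanded until the script runs.
$ExportScript = @'
param(
    [string]$OutFile   = 'C:\WEFFLES\weffles.csv',   # assumed output path
    [int]   $MaxEvents = 50000
)
$StateFile = "$OutFile.lastrun"
$filter = @{ LogName = 'ForwardedEvents' }

# High-water mark: only pull events newer than the last exported one.
if (Test-Path $StateFile) {
    $filter.StartTime = [datetime]::Parse((Get-Content $StateFile -Raw).Trim())
}

$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

# Flatten the fields a data slicer typically pivots on; strip newlines so each
# event stays on one CSV row.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated.ToString('o')
        Computer    = $e.MachineName
        EventID     = $e.Id
        Provider    = $e.ProviderName
        Level       = $e.LevelDisplayName
        Message     = ($e.Message -replace '\r?\n', ' ')
    }
}

if ($rows) {
    $rows | Export-Csv -Path $OutFile -NoTypeInformation -Append -Encoding UTF8
    ($rows | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated | Set-Content -Path $StateFile
}
'@

New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $ExportScript -Encoding UTF8

# --- Part 2: a Scheduled Task that runs the export at startup as SYSTEM ---
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
# Zero execution time limit = no limit; retry a few times if the service is not up yet.
$settings  = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
                 -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# --- Part 3: sanity checks before the reboot ---
# Are the subscriptions defined, and is the holding log sized as intended (1GB)?
wecutil es
Get-WinEvent -ListLog ForwardedEvents | Select-Object LogName, RecordCount, FileSize, MaximumSizeInBytes
```

While the subscriptions are still “cooking” after the reboot, `wecutil gr <SubscriptionName>` lists which sources have checked in, and a rising `RecordCount` on ForwardedEvents is the first sign that the export has something to work with.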