When to Use

Step 2: Enable Command Line in Process Creation Events

# Registry: Enable command line logging in Event 4688
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
  -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -PropertyType DWORD -Force

# GPO: Computer Configuration → Administrative Templates → System → Audit Process Creation
# "Include command line in process creation events" → Enabled

Step 3: Configure Event Log Sizes

# Increase Security log to 1 GB (default 20 MB is insufficient)
wevtutil sl Security /ms:1073741824

# Increase PowerShell Operational log
wevtutil sl "Microsoft-Windows-PowerShell/Operational" /ms:536870912

# Set log retention to overwrite as needed
wevtutil sl Security /rt:false

# Configure via GPO:
# Computer Configuration → Administrative Templates → Windows Components
#   → Event Log Service → Security
# Maximum log file size (KB): 1048576

Step 4: Configure Windows Event Forwarding (WEF)

# On collector server:
wecutil qc /q

# Create subscription for high-value events:
# Event IDs: 4624 (logon), 4625 (failed logon), 4688 (process create),
# 4672 (special privilege), 4720 (user created), 4728 (group membership),
# 7045 (service installed), 1102 (log cleared)

# On source endpoints (GPO):
# Configure WinRM: winrm quickconfig
# Configure event forwarding: Computer Configuration → Admin Templates
#   → Windows Components → Event Forwarding
# Configure target Subscription Manager: Server=http://collector:5985/wsman/SubscriptionManager/WEC

Step 5: Key Event IDs for Detection

Authentication Events:
  4624 - Successful logon (Type 2=Interactive, 3=Network, 10=RemoteInteractive)
  4625 - Failed logon attempt
  4648 - Logon using explicit credentials (RunAs, pass-the-hash indicator)
  4672 - Special privileges assigned (admin logon)
  4776 - NTLM credential validation

Process Events:
  4688 - Process creation (with command line if enabled)
  4689 - Process termination

Account Events:
  4720 - User account created
  4722 - User account enabled
  4724 - Password reset attempted
  4728 - Member added to security group
  4732 - Member added to local group
  4756 - Member added to universal group

Service/System Events:
  7045 - New service installed (persistence indicator)
  1102 - Audit log cleared (evidence tampering)
  4697 - Service installed in the system

Lateral Movement Indicators:
  4648 + 4624(Type 3) - Credential-based lateral movement
  5140 - Network share accessed
  5145 - Network share access check (detailed file share)

Key Concepts

Tools & Systems

• Windows Event Forwarding (WEF): Built-in centralized log collection
• NXLog: Open-source log forwarding agent for Windows events
• Winlogbeat: Elastic Agent for shipping Windows event logs to Elasticsearch
• Palantir WEF Configuration: Open-source WEF subscription templates

Common Pitfalls

• Using basic audit policy instead of advanced: Basic and advanced audit policies conflict. Always use advanced audit policy exclusively.
• Default log size too small: 20 MB Security log fills in minutes on busy servers. Set minimum 1 GB.
• Missing command line logging: Event 4688 without command line content has minimal detection value. Always enable ProcessCreationIncludeCmdLine_Enabled.
• Not forwarding logs: Local event logs are lost when endpoints are wiped by ransomware. Forward to centralized SIEM immediately.