If an attacker is moving laterally through your Windows network right now, and you can’t see their steps, you’ve already lost. Most organizations are blind to post-compromise activity because they aren’t collecting the right logs.
The fix is Windows Event Forwarding (WEF). This isn’t optional; it’s foundational. Security, System, and PowerShell (Microsoft-Windows-PowerShell/Operational) event logs need to leave your endpoints: WEF pushes them over WinRM to a Windows Event Collector, and your SIEM agent reads the collector’s ForwardedEvents channel. Logs that exist only on the local machine are a disaster waiting to happen. Attackers know this and will clear them the moment they get access. A cleared log that was never forwarded is gone; one that was forwarded still shows the logons leading up to the clear, plus the clear itself (Security event 1102).
Start by ensuring the right audit policies are enabled to generate these critical logs. Without them, there’s nothing to forward: the Security log records only what the advanced audit policy tells it to, and a default install does not audit process creation at all. The auditpol commands under The fix below enable the categories that matter. Note that audit policy governs the Security log only; PowerShell script block logging (event 4104) has to be turned on through its own policy setting.
Then configure WEF to centralize these events: a source-initiated subscription on the collector, and a Group Policy setting (Configure target Subscription Manager) that points every endpoint at it. This gives you visibility into everything from failed logons (4625) to process execution (4688, which additionally needs the Process Creation subcategory under Detailed Tracking enabled). If you’re not doing this, you are missing critical detection capabilities.
Go configure WEF today.
The fix
# Enable audit policies (category level: this turns on every subcategory under the category,
# so Object Access and Privilege Use are noisy; Filtering Platform Connection and Non Sensitive
# Privilege Use alone can flood the log. Set subcategories individually once you know what you need.)
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Object Access" /success:enable /failure:enable
auditpol /set /category:"Privilege Use" /success:enable /failure:enable
# Process execution (4688) lives under Detailed Tracking, not in the four categories above
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
# Verify what is actually in effect; a Group Policy that defines audit policy will overwrite local auditpol settings on refresh, so put the same values in GPO
auditpol /get /category:*
# Forward to SIEM via Windows Event Forwarding or agent
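The steps above, carried through end to end as an added example (this is not code from the original post): subcategory-level audit policy on a source host, the registry values that make those settings stick and add command lines and script block logging, the WinRM and Subscription Manager setup that points the host at a collector, and the source-initiated subscription on the collector itself. The collector name `wec01.corp.example`, the subscription name `LateralMovement`, and the event ID list in the query are assumptions chosen for illustration; at fleet scale the source-side values belong in Group Policy rather than a script.

```powershell
# Added example, not code from the original post. Run elevated. The collector FQDN,
# subscription name and event ID list are assumptions for illustration.

function Set-SourceAuditConfig {
    # --- Source host: generate the events, then point the host at the collector ---
    param([Parameter(Mandatory)][string]$CollectorFqdn)

    # Subcategory-level audit policy (the granularity CIS section 17 is written against).
    $subcategories = @(
        'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
        'Logon', 'Logoff', 'Special Logon', 'Other Logon/Logoff Events',
        'Process Creation', 'Sensitive Privilege Use', 'Audit Policy Change',
        'Security Group Management', 'User Account Management', 'Security State Change'
    )
    foreach ($s in $subcategories) {
        auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    }
    # Without this, legacy category-level policy silently overrides subcategory settings.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

    # 4688 is far more useful with the process command line included.
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

    # PowerShell script block logging (4104) is a separate policy; auditpol does not enable it.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # WEF rides on WinRM. The forwarder reads the Security log as NETWORK SERVICE, which
    # needs Event Log Readers membership (effective after a WinRM service restart or reboot).
    winrm quickconfig -q | Out-Null
    $readers = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    if (-not ($readers.Name -contains 'NT AUTHORITY\NETWORK SERVICE')) {
        Add-LocalGroupMember -Group 'Event Log Readers' -Member 'NT AUTHORITY\NETWORK SERVICE'
    }

    # Same value the "Configure target Subscription Manager" GPO writes.
    $sm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $sm -Force | Out-Null
    Set-ItemProperty -Path $sm -Name '1' -Type String `
        -Value "Server=http://${CollectorFqdn}:5985/wsman/SubscriptionManager/WEC,Refresh=60"

    # Show what is actually in effect; a later GPO refresh can change it.
    auditpol /get /category:*
}

function New-WecSubscription {
    # --- Collector (WEC) host: accept source-initiated pushes from domain machines ---
    param([string]$Name = 'LateralMovement')

    wecutil qc /q | Out-Null   # enables the Windows Event Collector service and a WinRM listener

    # Logon, privilege, process, service, account and log-clear events (assumed list),
    # plus 7045 (new service) from System and 4104 script blocks from PowerShell.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/06/sources/wbem/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Post-compromise activity: logons, processes, services, log clears</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=1102 or EventID=4624 or EventID=4625 or EventID=4648 or EventID=4672 or EventID=4688 or EventID=4697 or EventID=4698 or EventID=4720 or EventID=4732)]]</Select>
    <Select Path="System">*[System[(EventID=7045)]]</Select>
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: Domain Computers (DC) and Domain Controllers (DD) may push to this subscription -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;DD)</AllowedSourceDomainComputers>
</Subscription>
"@
    $path = Join-Path $env:TEMP "$Name.xml"
    Set-Content -Path $path -Value $xml -Encoding ASCII
    wecutil cs $path    # create-subscription from the XML above
    wecutil gr $Name    # runtime status: which sources are connected, last heartbeat, errors
}

# Usage (assumed names):
#   on each source host:  Set-SourceAuditConfig -CollectorFqdn 'wec01.corp.example'
#   on the collector:     New-WecSubscription -Name 'LateralMovement'
# Then point the SIEM agent at the collector's ForwardedEvents channel.
```

`wecutil gr` is the check to run first when events do not arrive: a source that is not listed has never reached the collector (WinRM, the Subscription Manager value, or firewall port 5985), while a source listed with an error usually means the forwarder cannot read the Security log because the Event Log Readers change has not taken effect yet.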
Reference: CIS Microsoft Windows Server Benchmark, section 17 (Advanced Audit Policy Configuration)