Overview

The WindowsEventForwarding command enumerates Windows Event Forwarding (WEF) configuration from the registry. WEF lets a collector server receive selected event log entries from many source computers over WinRM, so the logs are available centrally even if they are cleared on the host. Knowing whether a host forwards events, which channels and event IDs are in scope, and where they go tells you how much of the organization's logging and monitoring is visible off-host, and therefore which of your actions are likely to be seen.

Syntax

Seatbelt.exe WindowsEventForwarding

Remote Execution

Seatbelt.exe WindowsEventForwarding -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns WEF configuration:
  • WEF enabled/disabled status
  • Subscription configurations
  • Collector server addresses
  • Event log sources being forwarded
  • Subscription status

Use Cases

  • Determine if logs are centrally collected
  • Identify collector servers (potential high-value targets)
  • Understand monitoring visibility
  • Assess detection capabilities
  • Plan operations to minimize logged events

Example Output

====== WindowsEventForwarding ======

[*] Windows Event Forwarding Configuration:

Server                    : wef-collector.corp.local
SubscriptionEnabled       : True

Active Subscriptions:

Subscription Name         : Security Events
Description              : Forward critical security events
Enabled                  : True
ConfigurationMode        : Custom
URI                      : http://wef-collector.corp.local:5985/wsman
MaxItems                 : 5
MaxLatencyTime           : 1000
Query                    : <QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]</Select></Query></QueryList>

Subscription Name         : PowerShell Events
Description              : Forward PowerShell script block logging
Enabled                  : True
ConfigurationMode        : Custom
URI                      : http://wef-collector.corp.local:5985/wsman
Query                    : <QueryList><Query Id="0"><Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select></Query></QueryList>

Example when not configured:

====== WindowsEventForwarding ======

[*] Windows Event Forwarding is NOT configured
[*] No active subscriptions found

Remote Execution

This command supports remote execution using the -computername parameter.

Detection Considerations

Low detection risk - the command only reads WEF policy settings from the registry.
  • Registry Access: Reads HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager, the key written by the "Configure target Subscription Manager" policy (one numbered value per collector URL)
  • Event Logs: A registry read is logged (4656/4663) only if the key carries a SACL and Object Access auditing is enabled, which is uncommon for this key
  • Remote Execution: Because this is a registry-only command, -computername reads the key through the target's Remote Registry service (RPC over SMB) rather than WMI; that requires the RemoteRegistry service to be running on the target and produces a network logon (4624, logon type 3) and SMB named-pipe access to winreg there

WEF Architecture

Source Computer (Event Forwarder):
  • Runs the WinRM service and pushes matching events to the collector
  • Which channels and events are sent is defined by subscriptions held on the collector
  • Transport is WS-Management over HTTP or HTTPS
Collector Server:
  • A Windows host running the Windows Event Collector service (wecsvc)
  • Writes received events to its Forwarded Events log (or another target log chosen per subscription)
  • A SIEM or log server usually ingests from the collector, which makes the collector a choke point for the organization's telemetry
Subscription Types:
  • Source-initiated: source computers read the collector URL from the SubscriptionManager policy value (the registry data this command enumerates) and connect to it
  • Collector-initiated: the collector connects to each source over WinRM; nothing is written under the EventForwarding policy key on the source, so a "NOT configured" result from this command does not rule out central collection (the same holds for agent-based log shipping)
Common Ports (WinRM defaults):
  • HTTP: 5985
  • HTTPS: 5986
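
The collector address and transport come from the SubscriptionManager value(s) that the source-initiated policy writes, in the form `Server=<URL>,Refresh=<seconds>[,IssuerCA=<thumbprint>]`. The parser below is added here as a worked example and is not Seatbelt's own code; it reads values in that format and reports the collector host, port, transport and source authentication mode. The sample values, hostnames and the CA thumbprint are constructed.

```python
"""Parse WEF SubscriptionManager registry values into collector facts.

Added example, not Seatbelt code. Assumes the value format written by the
"Configure target Subscription Manager" policy:
  Server=<http(s)://host[:port]/wsman/SubscriptionManager/WEC>,Refresh=<sec>[,IssuerCA=<thumbprint>]
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample: the numbered values found under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
SAMPLE_VALUES: Dict[str, str] = {
    "1": "Server=http://wef-collector.corp.local:5985/wsman/SubscriptionManager/WEC,Refresh=60",
    "2": "Server=https://wef-dmz.corp.local/wsman/SubscriptionManager/WEC,Refresh=300,"
         "IssuerCA=0123456789abcdef0123456789abcdef01234567",
}


@dataclass
class Collector:
    host: str
    scheme: str
    port: int
    refresh: Optional[int]    # seconds between source polls; None if the value omits Refresh=
    issuer_ca: Optional[str]  # CA thumbprint: source authenticates with a client certificate


def parse_subscription_manager(value: str) -> Collector:
    """Split one 'Key=Value,Key=Value' string and resolve the collector endpoint."""
    fields: Dict[str, str] = {}
    for part in value.split(","):
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field {part!r}")
        fields[key.strip().lower()] = val.strip()
    if "server" not in fields:
        raise ValueError("no Server= field")

    url = urlparse(fields["server"])
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError(f"unexpected server URL {fields['server']!r}")
    # WinRM defaults when the URL carries no explicit port
    port = url.port or (5986 if url.scheme == "https" else 5985)
    refresh = int(fields["refresh"]) if "refresh" in fields else None
    return Collector(url.hostname, url.scheme, port, refresh, fields.get("issuerca"))


def enumerate_collectors(values: Dict[str, str]) -> List[Collector]:
    """Parse every SubscriptionManager value; a host can point at several collectors."""
    return [parse_subscription_manager(v) for v in values.values()]


def describe(c: Collector) -> str:
    # WinRM over plain HTTP still encrypts the payload with Kerberos by default on
    # domain members; IssuerCA indicates certificate-based (non-domain) source auth.
    transport = "HTTPS" if c.scheme == "https" else "HTTP (Kerberos-encrypted payload on domain members)"
    auth = "client certificate (IssuerCA set)" if c.issuer_ca else "Kerberos / domain"
    refresh = f"{c.refresh}s" if c.refresh is not None else "default"
    return f"{c.host}:{c.port} over {transport}, source auth {auth}, refresh {refresh}"


if __name__ == "__main__":
    for collector in enumerate_collectors(SAMPLE_VALUES):
        print(describe(collector))
```

On a live Windows host the same values are the numbered entries under the SubscriptionManager key (for example via `reg query` or `Get-ItemProperty`); every host listed this way is a collector and therefore a high-value target for the "Identify collector servers" use case above.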

Critical Events Often Forwarded

Security Events (channel: Security):
  • 4624 - Successful logon
  • 4625 - Failed logon
  • 4648 - Logon using explicit credentials (runas, alternate credentials)
  • 4688 - Process creation (command line included only if the "Include command line in process creation events" policy is on)
  • 4672 - Special privileges assigned to new logon
  • 4720 - User account created
  • 4732 - Member added to a security-enabled local group (4728 covers global groups)
PowerShell (channel: Microsoft-Windows-PowerShell/Operational):
  • 4104 - Script block logging
  • 4103 - Module logging
Sysmon (channel: Microsoft-Windows-Sysmon/Operational):
  • 1 - Process creation
  • 3 - Network connection
  • 7 - Image loaded
  • 10 - Process access
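
Whether any of these IDs actually leaves the host depends on the subscription queries. The script below is an added example, not Seatbelt code: it parses subscription QueryList XML of the shape shown in the example output above, merges Select and Suppress clauses per channel (including `EventID >= a and EventID <= b` ranges), and reports which of the listed event IDs no subscription forwards. The three subscriptions are constructed sample input; the channel names are the standard Security, PowerShell and Sysmon channels.

```python
"""Determine which event IDs a set of WEF subscriptions forward.

Added example, not Seatbelt code. Subscription queries are constructed to
mirror the shape of the page's example output. Predicates other than EventID
(Level, Provider, ...) are not modelled: a Select without an EventID filter is
treated as forwarding the whole channel, the conservative assumption.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple, Union

ALL = "*"  # sentinel: every event in the channel is forwarded
Coverage = Dict[str, Union[str, Set[int]]]

SUBSCRIPTIONS: Dict[str, str] = {  # constructed sample
    "Security Events": (
        '<QueryList><Query Id="0"><Select Path="Security">'
        "*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]"
        "</Select></Query></QueryList>"
    ),
    "PowerShell Events": (
        '<QueryList><Query Id="0"><Select Path="Microsoft-Windows-PowerShell/Operational">'
        "*[System[(EventID=4104)]]</Select></Query></QueryList>"
    ),
    "Account Management": (
        '<QueryList><Query Id="0"><Select Path="Security">'
        "*[System[(EventID &gt;= 4720 and EventID &lt;= 4740)]]</Select>"
        '<Suppress Path="Security">*[System[(EventID=4738)]]</Suppress>'
        "</Query></QueryList>"
    ),
}

SINGLE_ID = re.compile(r"EventID\s*=\s*(\d+)")
ID_RANGE = re.compile(r"EventID\s*>=\s*(\d+)\s+and\s+EventID\s*<=\s*(\d+)")


def _ids_in(xpath: str):
    """Event IDs named by one XPath predicate, or ALL when it has no EventID filter."""
    ids: Set[int] = set()
    for lo, hi in ID_RANGE.findall(xpath):
        ids.update(range(int(lo), int(hi) + 1))
    ids.update(int(n) for n in SINGLE_ID.findall(xpath))
    return ids if ids else ALL


def _add(cov: Coverage, channel: str, ids) -> None:
    if ids is ALL or cov.get(channel) is ALL:
        cov[channel] = ALL
    else:
        cov.setdefault(channel, set()).update(ids)


def coverage_of(query_xml: str) -> Coverage:
    """Channel -> forwarded IDs for one subscription; Suppress removes IDs from a Select."""
    cov: Coverage = {}
    for query in ET.fromstring(query_xml).iter("Query"):
        for sel in query.findall("Select"):
            _add(cov, sel.get("Path", ""), _ids_in(sel.text or ""))
        for sup in query.findall("Suppress"):
            ch, ids = sup.get("Path", ""), _ids_in(sup.text or "")
            if isinstance(cov.get(ch), set) and ids is not ALL:
                cov[ch].difference_update(ids)  # a whole-channel Select stays ALL
    return cov


def merge(subscriptions: Dict[str, str]) -> Coverage:
    """Union of coverage across every subscription the host participates in."""
    merged: Coverage = {}
    for xml_text in subscriptions.values():
        for ch, ids in coverage_of(xml_text).items():
            _add(merged, ch, ids)
    return merged


def is_forwarded(cov: Coverage, channel: str, event_id: int) -> bool:
    ids = cov.get(channel)
    return ids is ALL or (isinstance(ids, set) and event_id in ids)


def gaps(cov: Coverage, wanted: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """(channel, event_id) pairs from `wanted` that no subscription forwards."""
    return [(ch, eid) for ch, eid in wanted if not is_forwarded(cov, ch, eid)]


CRITICAL: List[Tuple[str, int]] = [  # the page's list of commonly forwarded events
    ("Security", 4624), ("Security", 4625), ("Security", 4648), ("Security", 4688),
    ("Security", 4672), ("Security", 4720), ("Security", 4732),
    ("Microsoft-Windows-PowerShell/Operational", 4104),
    ("Microsoft-Windows-PowerShell/Operational", 4103),
    ("Microsoft-Windows-Sysmon/Operational", 1),
    ("Microsoft-Windows-Sysmon/Operational", 3),
]

if __name__ == "__main__":
    cov = merge(SUBSCRIPTIONS)
    for ch, ids in cov.items():
        print(ch, "ALL" if ids is ALL else sorted(ids))
    for ch, eid in gaps(cov, CRITICAL):
        print(f"not forwarded centrally: {ch} {eid}")
```

With the sample subscriptions, logons (4624/4625/4648) and account management (4720-4740 except 4738) reach the collector, but process creation (4688), privilege assignment (4672), module logging (4103) and the Sysmon channel do not; those are the events that exist only on the host and would be missed after a local log clear. Remember that this reflects only source-initiated subscriptions the host knows about.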