- Open a command prompt as administrator, change to the Winlogbeat directory (C:\ProgramData\Elastic\Beats\winlogbeat) and run the commands shown below.

- Now run `winlogbeat -e`, which starts Winlogbeat in the foreground with its log output on the console, so you can verify whether any configuration errors are present. You will get a result similar to the one shown below.

- The result above reports "data path already locked by another beat", so let's fix that.
- First, check services.msc for more than one Winlogbeat service running. If there is none, open Task Manager, go to the Details tab and check whether more than one winlogbeat process is running. If there is none, finally go to C:\ProgramData\Elastic\Beats\winlogbeat\data in the command prompt and rename or delete the lock file (winlogbeat.lock). Note that the Winlogbeat service must be stopped while you do this.
- Once that is done, run the foreground command again and you should see it start successfully.
- When you stop the foreground run, it prompts "Terminate batch job (Y/N)?"; type Y and press Enter.
- Then start the Winlogbeat service again with `net start winlogbeat` and exit the command prompt.
Now all the endpoints are configured. Let's start with a basic detection.
- Open a command prompt and run the commands below:
- hostname
- whoami
- whoami /priv
- tasklist /v
- Now let's log in to the Security Onion console and see whether we can detect these commands by pivoting to Kibana. Open Kibana from the Tools section of the console, as shown below. (The Kibana login credentials are the same as your Security Onion console credentials.)

- Click on the event of interest, hover the mouse over a field value and an add icon appears; click it to add that value as a filter. To find our executed commands in Kibana, filter as shown below.

- With the process creation filter applied, several logs are shown. Click on any of them, find the executable in the command line field and add that process name to the filter as shown below.
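The same two-stage filter (process creation events, then the executed image name) can be expressed as detection logic that runs offline over exported Winlogbeat events. The following is an added example, not part of the original walkthrough; it assumes Elastic ECS field names (event.code, process.name, process.command_line, host.name) and Windows event ID 4688 for process creation, and the sample events are constructed, not captured.

```python
import json

# Discovery commands executed on the endpoint in the walkthrough (image -> label).
DISCOVERY = {"hostname.exe": "host discovery",
             "whoami.exe": "user / privilege discovery",
             "tasklist.exe": "process discovery"}

# Constructed NDJSON events in Winlogbeat/ECS shape; not captured from a real host.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"event": {"code": "4688"}, "host": {"name": "WS01"},
     "process": {"name": "hostname.exe", "command_line": "hostname"}},
    {"event": {"code": "4688"}, "host": {"name": "WS01"},
     "process": {"name": "whoami.exe", "command_line": "whoami /priv"}},
    {"event": {"code": "4688"}, "host": {"name": "WS01"},
     "process": {"name": "tasklist.exe", "command_line": "tasklist /v"}},
    {"event": {"code": "4624"}, "host": {"name": "WS01"},
     "process": {"name": "whoami.exe"}},  # logon event, not process creation
    {"event": {"code": "4688"}, "host": {"name": "WS02"},
     "process": {"name": "notepad.exe", "command_line": "notepad.exe"}},
])

def parse_events(ndjson):
    """Yield one dict per NDJSON line, skipping blank or malformed lines."""
    for line in ndjson.splitlines():
        try:
            if line.strip():
                yield json.loads(line)
        except json.JSONDecodeError:
            continue

def find_discovery(ndjson):
    """Kibana filters from the walkthrough: keep process-creation events (4688),
    then match the image name. Returns (host, image, command line, label)."""
    hits = []
    for ev in parse_events(ndjson):
        if ev.get("event", {}).get("code") != "4688":
            continue
        proc = ev.get("process", {})
        name = (proc.get("name") or "").lower()
        if name in DISCOVERY:
            hits.append((ev.get("host", {}).get("name"), name,
                         proc.get("command_line", ""), DISCOVERY[name]))
    return hits

def hosts_with_burst(hits, threshold=3):
    """Hosts where at least `threshold` distinct discovery tools ran together."""
    seen = {}
    for host, name, _, _ in hits:
        seen.setdefault(host, set()).add(name)
    return sorted(h for h, names in seen.items() if len(names) >= threshold)
```

A single `whoami` is routine on most hosts, so the burst check in `hosts_with_burst` is what turns the Kibana filter into an alert worth triaging.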