BeefEater is a double downed version of HEG. It generates way more events with less hand holding. BeefEater is not for casuals. This version of HEG is geared for people who need to see a multitude of events that might only have slight variations.
e.g. What events would be generated from modifying a registry key in cmd versus modifying it in JScript? In that scenario would you get better telemetry from Windows Security or Sysmon?
-
Read the wiki over on the main HEG repo. For quick start:
- Download and extract repo
- Make sure folder containg main script is called 'HEG' (\HEG\HEG.ps1)
- Launch PowerShell as admin
- Locate and run
HEG.ps1 - After it completes, check the Logs directory