Hi gents,
I'm currently working on WEF based on Jessica Payne's WEFFLES.
Everything is working - I can see my collector gets the events I want from endpoints. Though one thing I noticed is that forwarded events only show SID instead of account name. Tried to compare the local copy of the event and it shows the username.
I'm trying to figure why but unable to find anything relevant in the Internet.
Sample forwarded event:
local copy of the event on workstation:
akosijesyang - the conqueror