Event Log Readers
This group is self-explanatory: its members can read the local event logs, including the Security log.
In many cases, the auditing of process creation events and corresponding command line values is enabled. In that case, this information is saved to the Windows security event log as event ID 4688: A new process has been created.
These logs can sometimes contain credentials.
Using wevtutil to search in security logs
PS C:\hacker> wevtutil qe Security /rd:true /f:text | Select-String "/user"
Process Command Line: net use T: \\fs01\backups /user:tim MyStr0ngP@ssword

wevtutil qe Security: Queries events in the "Security" log using the wevtutil utility.
/rd:true: Reads the events in descending order (most recent first).
/f:text: Outputs the events in text format.
| Select-String "/user": Pipes (|) the output to Select-String, which filters lines containing the string "/user".
We can also pass it credentials to query the security logs of a remote machine
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

/r:share01: Specifies the remote computer share01 to query the event log from.
/u:julie.clay: Specifies the username julie.clay to authenticate on the remote machine.
/p:Welcome1: Specifies the password Welcome1 for authentication.
Using Get-WinEvent to search in security logs
The Get-WinEvent cmdlet can also be run as another user by passing the -Credential parameter.
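The following PowerShell function is an added example, not code from the original page. It does with Get-WinEvent what the wevtutil one-liners above do, but returns structured objects, so it can be used as an audit script to find the scheduled task or script that is putting a password on a command line and fix it. The list of switches in $credentialPatterns, the function name Find-CommandLineCredentials and its parameters are assumptions made for this example; the property indices come from the 4688 event schema (Properties[8] is "Process Command Line", Properties[1] is the account that created the process).

```powershell
# Added example (not from the original page). Lists 4688 process-creation events whose
# recorded command line carries a credential-looking switch.
# Assumptions: the caller is a member of Event Log Readers (or an administrator) and the
# "Include command line in process creation events" policy is enabled; otherwise the
# Process Command Line field of 4688 is empty and nothing is returned.

# Constructed list of switches that usually carry a password; extend it for your own tooling.
$credentialPatterns = @('/user:', '/p:', '-p ', 'password=', '/pass')

function Find-CommandLineCredentials {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [pscredential]$Credential,      # optional: query a remote host as another user
        [int]$MaxEvents = 5000
    )

    # Splat the Get-WinEvent arguments; only add the remote/credential ones when asked for.
    $query = @{
        FilterHashtable = @{ LogName = 'Security'; Id = 4688 }
        MaxEvents       = $MaxEvents
    }
    if ($ComputerName -ne $env:COMPUTERNAME) { $query.ComputerName = $ComputerName }
    if ($Credential) { $query.Credential = $Credential }

    Get-WinEvent @query | ForEach-Object {
        # In the 4688 schema, Properties[8] is "Process Command Line" and
        # Properties[1] is SubjectUserName (the account that created the process).
        $cmd = $_.Properties[8].Value
        if ([string]::IsNullOrWhiteSpace($cmd)) { return }   # skip events without a command line
        foreach ($pattern in $credentialPatterns) {
            if ($cmd -like "*$pattern*") {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Computer    = $_.MachineName
                    Account     = $_.Properties[1].Value
                    CommandLine = $cmd
                }
                break   # one hit per event is enough
            }
        }
    }
}

# Local query, equivalent to the wevtutil one-liner but with structured output.
Find-CommandLineCredentials | Format-Table -AutoSize -Wrap

# Remote query as another user. Get-Credential prompts for the password, so the
# password itself does not end up in a 4688 event of the machine you run this from.
# Find-CommandLineCredentials -ComputerName share01 -Credential (Get-Credential julie.clay)
```

Two caveats when running this: querying a remote host with -ComputerName uses the Event Log RPC service, so the "Remote Event Log Management" firewall rule group must be enabled there and the account used must be in Event Log Readers (or Administrators) on that host; and each hit should be treated as a credential that needs rotating, because everyone who can read that Security log has already had access to it.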
Note on logs
In the example above, we query local logs.
In an Active Directory environment, every domain-joined machine still keeps its own local Security log, so this attack still applies: those logs continue to capture local events.
AD logs on Domain Controllers capture domain-level activities. Both types of logs coexist and provide different layers of insight.