Windows Event Log Readers
Organizations may enable logging of process command lines to help defenders monitor for potentially malicious behaviour and identify binaries that should not be present on a system. Such tooling would then flag suspicious activity, for example the whoami, netstat, and tasklist commands being run from a marketing executive's workstation. Many Windows commands support passing a password as a parameter; if auditing of process command lines is enabled, this sensitive information is captured in the event log along with the rest of the command line.
We can query Windows events from the command line using the wevtutil utility and the Get-WinEvent PowerShell cmdlet.
Confirming Group Membership
net localgroup "Event Log Readers"
Alias name Event Log Readers
Comment Members of this group can read event logs from local machine
Members
-------------------------------------------------------------------------------
logger
The command completed successfully.
Searching Security Logs Using wevtutil
wevtutil qe Security /rd:true /f:text | Select-String "/user"
We can also specify alternate credentials for wevtutil using the /u and /p parameters; the example below additionally targets a remote host with /r.
Passing Credentials to wevtutil
wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"
For Get-WinEvent, the syntax is as follows. In this example, we filter for process creation events (event ID 4688) whose process command line contains /user. Note: Searching the Security event log with Get-WinEvent requires administrator access or permissions adjusted on the registry key HKLM\System\CurrentControlSet\Services\Eventlog\Security. Membership in the Event Log Readers group alone is not sufficient.
Searching Security Logs Using Get-WinEvent
Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}
The cmdlet can also be run as another user with the -Credential parameter.
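A defender's counterpart to the searches above, added here as an example and not part of the original page: it audits recent 4688 events for command lines that appear to carry a password and reports them with the secret redacted, so the finding can be remediated without the report itself leaking the credential. It assumes the same rights on the Security log as noted above, the standard 4688 property layout (index 8 is CommandLine), and an assumed starting list of parameter patterns that should be extended for your environment.

```powershell
# Added example (not from the original page): flag process-creation events whose
# command line carries a credential, and report them with the secret redacted.
function Find-CredentialInCommandLine {
    param(
        [int]$MaxEvents = 5000,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Assumed starting list of switches that commonly carry a password.
    # Where the password position is known, it is captured as 'secret' for redaction.
    $patterns = @(
        '(?i)\b/p:(?<secret>\S+)',                        # e.g. wevtutil ... /p:<password>
        '(?i)\s-(?:p|pw|password)[\s:=](?<secret>\S+)',   # e.g. tool -password <value>
        '(?i)\b/user:\S+'                                 # net use style; password is positional
    )

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $cmd = $_.Properties[8].Value   # index 8 = CommandLine in event 4688
            if (-not $cmd) { return }       # empty when command-line auditing is off
            foreach ($p in $patterns) {
                if ($cmd -match $p) {
                    # Redact the captured secret; if the password position is unknown,
                    # keep only the executable so the report never echoes the credential.
                    $safe = if ($Matches.ContainsKey('secret')) {
                        $cmd -replace [regex]::Escape($Matches['secret']), '<REDACTED>'
                    } else {
                        ($cmd -split '\s+')[0] + ' <ARGUMENTS REDACTED>'
                    }
                    [pscustomobject]@{
                        TimeCreated = $_.TimeCreated
                        User        = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"  # SubjectDomainName\SubjectUserName
                        Process     = $_.Properties[5].Value                                  # NewProcessName
                        Pattern     = $p
                        CommandLine = $safe
                    }
                    break   # one report per event, even if several patterns match
                }
            }
        }
}

Find-CredentialInCommandLine -MaxEvents 2000 | Format-Table -AutoSize
```

Each hit points at a process, user and time to follow up on (rotate the credential, fix the script or scheduled task that passes it on the command line), without the audit report becoming a second copy of the password.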