Get usernames

March 13, 2016 · View on GitHub

#Security log #============

#4624 - Logon & Logoff events successful #4625 - Logon unsucceful

Get usernames

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4624"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select -ExpandProperty "#text" -Unique

Get domains

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4624"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(6)}| Select -ExpandProperty "#text" -Unique

Get ips

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4624"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(18)}| Select -ExpandProperty "#text" -Unique

Get process name

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4624"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(17)}| Select -ExpandProperty "#text" -Unique

Get auth package

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4624"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(10)}| Select -ExpandProperty "#text" -Unique

Get workstation name

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4624"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(11)}| Select -ExpandProperty "#text" -Unique

Group by examples

Get usernames

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4624"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select -ExpandProperty "#text" | group

#4648 - login explicit creds

Get logins

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4648"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select -ExpandProperty "#text" -Unique

Get domains

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4648"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(6)}| Select -ExpandProperty "#text" -Unique

get server name

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4648"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(8)}| Select -ExpandProperty "#text" -Unique

get process name

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4648"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(11)}| Select -ExpandProperty "#text" -Unique

4776 - The domain controller attempted to validate the credentials for an account(or local computer)

Get logins

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4776"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(1)}| Select -ExpandProperty "#text" -Unique

Get workstation names

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4776"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(2)}| Select -ExpandProperty "#text" -Unique #5140 - Network share accessed

Get domains

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "5140"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(2)}| Select -ExpandProperty "#text" -Unique

Get usernames

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "5140"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(1)}| Select -ExpandProperty "#text" -Unique

Get ips

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "5140"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select -ExpandProperty "#text" -Unique

Get shares

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "5140"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(7)}| Select -ExpandProperty "#text" -Unique

#5145 - A network share object was checked to see whether client can be granted desired access #5140 - A network share object was accessed

Get domains

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "5145"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(2)}| Select -ExpandProperty "#text" -Unique

Get ips

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "5145"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select -ExpandProperty "#text" -Unique

Get shares

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "5145"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(7)}| Select -ExpandProperty "#text" -Unique

Get files

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "5145"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(9)}| Select -ExpandProperty "#text" -Unique

4663 - An attempt was made to access an object

4670 - Permissions on an object were changed

4656 - A handle to an object was requested

Get users

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4663"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(1)}| Select -ExpandProperty "#text" -Unique

Get domain

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4663"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(2)}| Select -ExpandProperty "#text" -Unique

Get object type

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4663"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select -ExpandProperty "#text" -Unique

Get Object Name

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4663"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(6)}| Select -ExpandProperty "#text" -Unique

Get process name

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "4663"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(11)}| Select -ExpandProperty "#text" -Unique

#Task Scheduler Log #=================

Task-scheduler 100 - task run

101 - task failed to run

Get task names

Get-WinEvent -path .\Microsoft-Windows-TaskScheduler%4Operational.evtx | Where { $_.id -eq "100"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(0)}| Select -ExpandProperty "#text" -Unique

Get users

Task Scheduler 200 - action run

Get task names

Get-WinEvent -path .\Microsoft-Windows-TaskScheduler%4Operational.evtx | Where { $_.id -eq "200"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(0)}| Select -ExpandProperty "#text" -Unique

Get task action

#Terminal Services Local Session Log #==================

Get ips

Get-WinEvent -Path ".\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" | where { $_.id -eq "21"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Address")}| Select -ExpandProperty "#text" -Unique

Get users

#Terminal Services Remote Connection Manager #================

1149 - successful login(not really, unsucceful attempts also logged as successful)

Get user names

Get-WinEvent -Path ".\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" | where { $_.id -eq "1149"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Param1")} | Select -ExpandProperty "#text" -Unique

Get domains

Get srcip

#Firewall Log #===========

FW 2004 - new exception rule was added

2005 - existing rule modified

Get Rulenames

Get-WinEvent -Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where { $_.id -eq "2004"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(1)}| Select -ExpandProperty "#text" -Unique

Get application path

Get service name

Get modified application

Get action

3 = allow

Get remote port

Get-WinEvent -Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where { $_.id -eq "2004"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(8)}

get src ips

Get-WinEvent -Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where { $_.id -eq "2004"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(11)}

get dest ips

Get-WinEvent -Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where { $_.id -eq "2004"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(12)}

get modifying user

short sid = SYSTEM

Get-WinEvent -Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where { $_.id -eq "2004"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(21)}

FW 2006 - rule was deleted

get rulenames

Get-WinEvent -Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where { $_.id -eq "2006"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(1)}

get modifying user

Get-WinEvent -Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where { $_.id -eq "2006"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(2)}

get modifyig application

Get-WinEvent -Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where { $_.id -eq "2006"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(3)}

FW 2011 - incoming connection was blocked

get application

Get-WinEvent -Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where { $_.id -eq "2011"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(1)}| Select -ExpandProperty "#text" -Unique

get port

get modifying user

FW 5156

Get-WinEvent -path .\Security.evtx | Where { $_.id -eq "5156"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").ItemOf(0)}| Select -ExpandProperty "#text" -Unique

System log

==========

7045 - new service installed in system

Get service name

Get-WinEvent -Path ".\System.evtx" | where { $_.id -eq "7045"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(0)}| Select -ExpandProperty "#text" -Unique

Get service path

Get-WinEvent -Path ".\System.evtx" | where { $_.id -eq "7045"} | Foreach {([xml]$ _.ToXml()).GetElementsByTagName("Data").itemOf(1)}| Select -ExpandProperty "#text" -Unique