Get system start and stop information.
1074 is logged when an application (e.g. Windows Update) causes the system to restart, or when a user initiates a restart or shutdown.
6006 is logged on a clean shutdown. It gives the message "The Event log service was stopped."
6005 is logged when the system was last turned on. It gives the message "The Event log service was started."
6008 is logged after an unexpected shutdown.
get-eventlog -logname system | where-object {$_.eventid -eq 6005 -or $_.eventid -eq 6006 -or $_.eventid -eq 1074 -or $_.eventid -eq 1076 -or $_.eventid -eq 6008}
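The one-liner above lists the raw events; the function below is an added example (not from the original post) that turns the same 6005/6006/6008/1074 events into a boot/shutdown timeline with the uptime of each clean session, flags unexpected shutdowns, and shows who or what requested each restart. The function and property names are mine; the index of the user and process inside the 1074 Properties array is assumed from that event's message template.

```powershell
# Added example, not from the original notes. Builds a boot/shutdown timeline
# from the System log events discussed above. Get-BootTimeline is my own name.
function Get-BootTimeline {
    param([int]$Days = 30)

    $filter = @{
        LogName   = 'System'
        Id        = 1074, 6005, 6006, 6008
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated

    $sessionStart = $null
    foreach ($e in $events) {
        $row = [ordered]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            Kind      = $null
            Uptime    = $null
            Initiator = $null
        }
        switch ($e.Id) {
            6005 { $row.Kind = 'Started'; $sessionStart = $e.TimeCreated }
            6006 {
                $row.Kind = 'CleanShutdown'
                if ($sessionStart) { $row.Uptime = $e.TimeCreated - $sessionStart }
                $sessionStart = $null
            }
            # 6008 is written during the NEXT boot, so its TimeCreated is not the
            # crash time; the message text carries the prior shutdown time instead.
            6008 { $row.Kind = 'UNEXPECTED shutdown (logged at next boot)' }
            1074 {
                $row.Kind = 'RestartRequested'
                # Assumed index order, from the 1074 template
                # "The process %1 has initiated the %5 ... on behalf of user %7".
                $p = $e.Properties
                if ($p.Count -ge 7) { $row.Initiator = "$($p[6].Value) via $($p[0].Value)" }
            }
        }
        [pscustomobject]$row
    }
}

Get-BootTimeline -Days 30 | Format-Table -AutoSize
```

A run of Started rows with no CleanShutdown between them, or any UNEXPECTED row, is the pattern worth reviewing on a host that should not have rebooted.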
Account Logon Logoff info [fetch account info locally from registry]
$logs = Get-EventLog -LogName System -Source Microsoft-Windows-Winlogon
$res = @()
ForEach ($log in $logs) {
    if ($log.InstanceId -eq 7001)     { $type = "Logon" }
    elseif ($log.InstanceId -eq 7002) { $type = "Logoff" }
    else { Continue }
    # ReplacementStrings[1] holds the user's SID; resolve it to a profile path in
    # the registry and keep only the last path component (the logon name).
    $sid = New-Object System.Security.Principal.SecurityIdentifier $log.ReplacementStrings[1]
    $profile = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid" -ErrorAction SilentlyContinue
    # Fall back to the raw SID when no profile exists for it (e.g. service accounts)
    $user = if ($profile) { $profile.ProfileImagePath.Split("\")[-1] } else { "$sid" }
    $res += New-Object PSObject -Property @{ Time = $log.TimeWritten; Event = $type; User = $user }
}
$res | Select-Object -Property Time, Event, User
Event ID 7001 is Logon, event ID 7002 is Logoff. The default username field is not trusted; instead, ReplacementStrings is used to get the actual user SID, which is then mapped through the registry to the logon name.
Time restrictions
get-eventlog system -source Microsoft-Windows-Winlogon -After (Get-Date).AddDays(-7);
Run as administrator Event History [Windows 10]
Event ID - 4776
Message: The computer attempted to validate the credentials for an account.
Logon Account: administrator
Event ID - 4648 [also use XML view]
Message: A logon was attempted using explicit credentials.
Keywords: Audit Success
Account Whose Credentials Were Used:
Account Name: Administrator
Process Information:
Process Name: C:\Windows\System32\consent.exe
Network Information:
Network Address: ::1
Event ID - 4624 [also use XML view]
Message: An account was successfully logged on.
Logon Information:
Logon Type: 2
New Logon:
Security ID: Hostname\Administrator
Account Name: Administrator [XML: TargetUserName]
Process Information:
Process ID: 0x2f00
Process Name: C:\Windows\System32\consent.exe [XML: ProcessName]
Event ID - 4798 [also use XML view]
Message: A user's local group membership was enumerated.
Subject:
Security ID: Domain\user_requesting_run_as_admin
Account Name: user_requesting_run_as_admin
Account Domain: Domain
User:
Security ID: hostname\Administrator
Account Name: Administrator
Process Information:
Process Name: C:\Windows\explorer.exe
Script to get 4624 logon events as 'administrator'; check that the process is consent.exe. The script is taken from the blog post listed below in the references.
$Events = Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName'] and Data = 'administrator']]"
Get-TimeZone | select Standardname
# Parse out the event message data
ForEach ($Event in $Events) {
# Convert the event to XML
$eventXML = [xml]$Event.ToXml()
# Iterate through each one of the XML message properties
For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
# Append these as object properties
Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
}
}
# View the results with your favorite output method
#$Events | Select-Object * | Out-GridView
$Events| Select-Object -Property TimeCreated,Targetusername,logontype,processname | Format-Table
The script below checks who enumerated the 'administrator' account, when, and with which process. This is user enumeration, not authentication.
It looks at data from the last 24 hours and excludes events where the subject user is the machine account (hostname$).
$Events = Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4798 and TimeCreated[timediff(@SystemTime) <= 86400000]] and EventData[Data[@Name='SubjectUserName'] != '$(hostname)$'] and EventData[Data[@Name='TargetUserName'] and Data = 'administrator']]"
Get-TimeZone | select Standardname
# Parse out the event message data
ForEach ($Event in $Events) {
# Convert the event to XML
$eventXML = [xml]$Event.ToXml()
# Iterate through each one of the XML message properties
For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
# Append these as object properties
#$eventXML.Event.EventData.Data[$i].name
#$eventXML.Event.EventData.Data[$i].'#text'
Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'
}
}
# View the results with your favorite output method
#$Events | Select-Object * | Out-GridView
$Events| Select-Object -Property TimeCreated,Targetusername,SubjectUserName,callerprocessname,keywordsdisplaynames | Format-Table
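Both scripts above repeat the same ToXml/Add-Member loop. As an added example (not from the referenced blog post), the helper below packages that loop into a reusable function and applies the 4624 filters the notes describe (LogonType 2, consent.exe, target 'administrator') in PowerShell rather than XPath. Both function names are mine.

```powershell
# Added example, not from the original notes or the referenced blog post.
# ConvertTo-EventObject flattens each <Data Name="..."> element of an event's
# XML into a property; Get-RunAsAdminLogons applies the 4624 filters from above.
function ConvertTo-EventObject {
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $xml = [xml]$Event.ToXml()
        $obj = [ordered]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            Computer    = $xml.Event.System.Computer
        }
        foreach ($d in $xml.Event.EventData.Data) {
            # Data elements without a Name attribute (older events) get a positional key
            $name = if ($d.Name) { $d.Name } else { "Data$($obj.Count)" }
            $obj[$name] = $d.'#text'
        }
        [pscustomobject]$obj
    }
}

function Get-RunAsAdminLogons {
    param([int]$Hours = 24, [string]$TargetUser = 'administrator')
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertTo-EventObject |
        Where-Object {
            $_.TargetUserName -eq $TargetUser -and   # -eq is case-insensitive, unlike the XPath '='
            $_.LogonType -eq '2' -and                # interactive logon
            $_.ProcessName -like '*\consent.exe'     # UAC prompt, not a service or RDP logon
        } |
        Select-Object TimeCreated, Computer, SubjectUserName, TargetUserName,
                      LogonType, ProcessName, IpAddress
}

Get-RunAsAdminLogons -Hours 24 | Format-Table -AutoSize
```

The same ConvertTo-EventObject helper can be piped the 4798 query from above to read SubjectUserName and CallerProcessName without the separate Add-Member loop.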
References
https://www.codetwo.com/admins-blog/how-to-check-event-logs-with-powershell-get-eventlog/
https://blogs.technet.microsoft.com/ashleymcglone/2013/08/28/powershell-get-winevent-xml-madness-getting-details-from-event-logs/