
Get Credentials From Event Log

Description

Looks for credentials accidentally stored in Windows Event Logs, such as event ID 4688 process creation events, on local or remote systems.

Overview

This script parses event logs looking for passwords recorded inside events. One example is the 4688 process creation event, which can be configured to record the command-line arguments of every process that is started. The “Commandline” field then contains passwords whenever administrators pass them on the command line to tools such as PsExec.exe, WMIC.exe, net.exe, and schtasks.exe. For example, the following command shows how schtasks.exe can be run with an explicit username and password:

schtasks.exe /CREATE /S 192.168.1.103 /RU SYSTEM /U administrator@lab.net /P "1qaz!QAZ" /SC ONCE /ST 23:59 /TN Test /TR hostname /F
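As an added illustration of the parsing described above (this is not SpecterInsight's own script), the following Python applies the same idea from the defender's side to exported 4688 CommandLine fields: it reports which events carry both a username and a password for the tools named here and masks the secret, so the finding can drive a credential rotation without re-logging the password. The event dictionary shape, field names and regular expressions are assumptions; the sample events are constructed to mirror the example output on this page.

```python
import re
from dataclasses import dataclass

# One token on a command line: a double-quoted string or a run of non-spaces.
TOKEN = r'("[^"]*"|\S+)'
# (tool, regex identifying the tool, regex capturing the username, regex capturing
# the password). The lookbehinds keep /U and /P from matching inside /RU or /RP.
PATTERNS = [
    ("wmic",     r'wmic(\.exe)?"?\s',      r'/user:' + TOKEN,        r'/password:' + TOKEN),
    ("schtasks", r'schtasks(\.exe)?"?\s',  r'(?<!\S)/U\s+' + TOKEN,  r'(?<!\S)/P\s+' + TOKEN),
    ("psexec",   r'psexec(\.exe)?"?\s',    r'(?<!\S)-u\s+' + TOKEN,  r'(?<!\S)-p\s+' + TOKEN),
    # net use takes the password as the bare token that follows /user:<name>
    ("net use",  r'net(\.exe)?"?\s+use\s', r'/user:' + TOKEN,        r'/user:\S+\s+("[^"]*"|[^/\s]\S*)'),
]

@dataclass
class Exposure:
    tool: str
    username: str
    password_masked: str
    timestamp: str
    computer: str

def mask(secret: str) -> str:
    """Keep only the first character: enough to recognise the credential, not enough to reuse it."""
    s = secret.strip('"')
    return s[:1] + "*" * (len(s) - 1)

def find_credential_exposures(events):
    """events: dicts with the 4688 fields TimeCreated, Computer and CommandLine (assumed shape).
    Returns one Exposure per event whose command line carries both a username and a password."""
    found = []
    for ev in events:
        cmd = ev["CommandLine"]
        for tool, tool_re, user_re, pass_re in PATTERNS:
            if not re.search(tool_re, cmd, re.I):
                continue
            user, pw = re.search(user_re, cmd, re.I), re.search(pass_re, cmd, re.I)
            if user and pw:  # a username alone (e.g. schtasks /QUERY /U ...) is not an exposure
                found.append(Exposure(tool, user.group(1).strip('"'), mask(pw.group(1)),
                                      ev["TimeCreated"], ev["Computer"]))
            break
    return found

# Constructed sample events modelled on the example output on this page.
SAMPLE_4688 = [
    {"TimeCreated": "8/16/2024 4:02:14 PM", "Computer": "WKST-001.lab.net",
     "CommandLine": '"C:\\Windows\\System32\\Wbem\\WMIC.exe" /node:192.168.1.2 /user:administrator@lab.net /password:1qaz!QAZ computersystem get'},
    {"TimeCreated": "8/16/2024 4:03:24 PM", "Computer": "WKST-001.lab.net",
     "CommandLine": '"C:\\Windows\\system32\\schtasks.exe" /CREATE /S 192.168.1.103 /RU SYSTEM /U administrator@lab.net /P "1qaz!QAZ" /SC ONCE /ST 23:59 /TN Test /TR hostname /F'},
    {"TimeCreated": "8/16/2024 4:05:00 PM", "Computer": "WKST-001.lab.net",
     "CommandLine": 'net use \\\\FS01\\share /user:lab\\svc_backup Backup#2024 /persistent:no'},
    {"TimeCreated": "8/16/2024 4:06:00 PM", "Computer": "WKST-001.lab.net",
     "CommandLine": '"C:\\Windows\\system32\\schtasks.exe" /QUERY /S 192.168.1.103 /U administrator@lab.net'},
]

if __name__ == "__main__":
    for e in find_credential_exposures(SAMPLE_4688):
        print(f"{e.timestamp} {e.computer} {e.tool}: {e.username} / {e.password_masked}")
```

The same event shape can be fed from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` exported to JSON, and any hit is a credential that should be treated as exposed and rotated.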

Parameters

  • ComputerName: The system whose event logs are searched.
  • Username: The username to authenticate with.
  • Password: The password to authenticate with.

Dependencies

  • EventLog

Pre-Requisites

  • Administrator access or credentials.

Example Output

Username              Password EventTimestamp       Computer         Commandline
--------              -------- --------------       --------         -----------
administrator@lab.net 1qaz!QAZ 8/16/2024 4:02:14 PM WKST-001.lab.net "C:\Windows\System32\Wbem\WMIC.exe" /node:192.168.1.2 /user:administrator@lab.net /password:1qaz!QAZ computersystem get
administrator@lab.net 1qaz!QAZ 8/16/2024 4:03:24 PM WKST-001.lab.net "C:\Windows\system32\schtasks.exe" /CREATE /S 192.168.1.103 /RU SYSTEM /U administrator@lab.net /P 1qaz!QAZ /SC ONCE /ST 23:59 /TN Test /TR hostname /F
administrator@lab.net 1qaz!QAZ 8/22/2024 3:59:51 PM WKST-001.lab.net "C:\Windows\System32\Wbem\WMIC.exe" /node:192.168.1.2 /user:administrator@lab.net /password:1qaz!QAZ computersystem get