Description
Looks for credentials accidentally stored in Windows Event Logs, such as event ID 4688 (process creation), on local or remote systems.
Overview
This script parses event logs looking for passwords stored in events. One example is the 4688 process creation event, which can be configured to record the command-line arguments of every process that is started. The “Commandline” field can contain passwords when administrators pass them to tools such as PsExec.exe, WMIC.exe, and net.exe. For example, the following command shows how schtasks.exe can be invoked with an explicit username and password:
schtasks.exe /CREATE /S 192.168.1.103 /RU SYSTEM /U [email protected] /P "1qaz!QAZ" /SC ONCE /ST 23:59 /TN Test /TR hostname /F
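The following PowerShell function is an added example written for this page; it is not the project's own script. It shows the core of what such a scanner does: read 4688 events (or, for an offline check, a list of constructed command lines), match the documented password syntax of schtasks, wmic, net use and PsExec, and emit one record per hit. Passwords are masked in the report unless -Reveal is given, so the scan output does not itself become another place the secret is stored. The function assumes that "Include command line in process creation events" auditing is enabled, otherwise the CommandLine field of 4688 is empty; the parameter names, the sample command lines and the account names in them are constructed for the example.

```powershell
# Added example, not the project's own script: scan 4688 process-creation events
# for passwords passed on the command line and report them with the secret masked.
# Assumes command-line auditing is enabled; otherwise the CommandLine field is empty.
# The regexes cover the documented forms of schtasks, wmic, net use and PsExec only.
function Find-CommandLineCredential {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000,
        # Offline mode: supply command lines directly instead of reading the Security log.
        [string[]]$CommandLine,
        # Show the recovered password in clear; masked by default.
        [switch]$Reveal
    )

    # Named groups 'user' and 'pass' are extracted from whichever pattern matches.
    $patterns = @(
        '(?i)schtasks(?:\.exe)?\b.*?\s/U\s+(?<user>\S+).*?\s/P\s+"?(?<pass>[^"\s]+)"?',
        '(?i)wmic(?:\.exe)?\b.*?/user:(?<user>\S+).*?/password:(?<pass>\S+)',
        '(?i)net(?:1)?(?:\.exe)?\s+use\s+\S+\s+(?<pass>[^/\s]+)\s+/user:(?<user>\S+)',
        '(?i)psexec(?:64)?(?:\.exe)?\b.*?\s-u\s+(?<user>\S+).*?\s-p\s+(?<pass>\S+)'
    )

    # Build the records to inspect: constructed lines, or real 4688 events from the Security log.
    if ($CommandLine) {
        $records = $CommandLine | ForEach-Object {
            [pscustomobject]@{ Computer = $ComputerName; Time = (Get-Date); Cmd = $_ }
        }
    } else {
        $events = Get-WinEvent -ComputerName $ComputerName `
            -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
            -MaxEvents $MaxEvents -ErrorAction Stop
        $records = foreach ($e in $events) {
            # Pull the named EventData fields (including CommandLine) out of the event XML.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Computer = $e.MachineName; Time = $e.TimeCreated; Cmd = $data['CommandLine'] }
        }
    }

    foreach ($r in $records) {
        if (-not $r.Cmd) { continue }
        foreach ($p in $patterns) {
            $m = [regex]::Match($r.Cmd, $p)
            if (-not $m.Success) { continue }
            $pass = $m.Groups['pass'].Value
            # Keep the first character so distinct passwords can still be told apart in the report.
            $masked = $pass.Substring(0, 1) + ('*' * ($pass.Length - 1))
            if ($Reveal) { $masked = $pass }
            $shownCmd = $r.Cmd.Replace($pass, $masked)
            [pscustomobject]@{
                Username       = $m.Groups['user'].Value
                Password       = $masked
                EventTimestamp = $r.Time
                Computer       = $r.Computer
                Commandline    = $shownCmd
            }
            break   # one credential per command line is enough
        }
    }
}

# Offline check against constructed sample command lines (no log access needed).
# Account names and the password below are made up for the example.
$sample = @(
    '"C:\Windows\system32\schtasks.exe" /CREATE /S 192.168.1.103 /RU SYSTEM /U lab\svc_task /P "1qaz!QAZ" /SC ONCE /ST 23:59 /TN Test /TR hostname /F',
    '"C:\Windows\System32\Wbem\WMIC.exe" /node:192.168.1.2 /user:lab\admin /password:1qaz!QAZ computersystem get',
    'net.exe use \\fileserver\share 1qaz!QAZ /user:lab\backup',
    '"C:\Windows\System32\notepad.exe" C:\temp\notes.txt'
)
Find-CommandLineCredential -CommandLine $sample | Format-Table -AutoSize
```

Against the constructed sample, the first three lines produce a record each and the notepad line produces none. Running it against a live system (`Find-CommandLineCredential -ComputerName WKST-001`) requires the same administrator access to the Security log that the script above needs. Every hit is a credential that should be rotated, since anyone who can read that event log can read it too; the longer-term fix is to stop passing passwords on the command line (for example, by letting the tool prompt for them) rather than to stop auditing command lines, which is valuable detection data in its own right.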
Parameters
- ComputerName: The computer whose event logs are searched.
- Username: The username to authenticate with on the remote system.
- Password: The password to authenticate with on the remote system.
Dependencies
- EventLog
Pre-Requisites
- Administrator access or credentials.
Example Output
Username Password EventTimestamp Computer Commandline
-------- -------- -------------- -------- -----------
[email protected] 1qaz!QAZ 8/16/2024 4:02:14 PM WKST-001.lab.net "C:\Windows\System32\Wbem\WMIC.exe" /node:192.168.1.2 /user:[email protected] /password:1qaz!QAZ computersystem get
[email protected] 1qaz!QAZ 8/16/2024 4:03:24 PM WKST-001.lab.net "C:\Windows\system32\schtasks.exe" /CREATE /S 192.168.1.103 /RU SYSTEM /U [email protected] /P 1qaz!QAZ /SC ONCE /ST 23:59 /TN Test /TR hostname /F
[email protected] 1qaz!QAZ 8/22/2024 3:59:51 PM WKST-001.lab.net "C:\Windows\System32\Wbem\WMIC.exe" /node:192.168.1.2 /user:[email protected] /password:1qaz!QAZ computersystem get