Description
Looks for credentials accidentally stored in Windows Event Logs such as 4688 on local or remote systems.
Overview
This script parses through event logs looking for passwords stored in events. An example is 4688 process creation event logs that can be configured to store commandline arguments for all process execution events. The “Commandline” field can contain passwords when administrators use tools such as PsExec.exe, WMIC.exe, and net.exe. For example, the following command shows how schtasks.exe can be used with an explicit username and password:
schtasks.exe /CREATE /S 192.168.1.103 /RU SYSTEM /U administrator@lab.net /P "1qaz!QAZ" /SC ONCE /ST 23:59 /TN Test /TR hostname /F
Parameters
- ComputerName: System to search through logs.
- Username: The username to authenticate with.
- Password: The password to authenticate with.
Dependencies
- EventLog
Pre-Requisites
- Administrator access or credentials.
Example Output
Username Password EventTimestamp Computer Commandline
-------- -------- -------------- -------- -----------
administrator@lab.net 1qaz!QAZ 8/16/2024 4:02:14 PM WKST-001.lab.net "C:\Windows\System32\Wbem\WMIC.exe" /node:192.168.1.2 /user:administrator@lab.net /password:1qaz!QAZ computersystem get
administrator@lab.net 1qaz!QAZ 8/16/2024 4:03:24 PM WKST-001.lab.net "C:\Windows\system32\schtasks.exe" /CREATE /S 192.168.1.103 /RU SYSTEM /U administrator@lab.net /P 1qaz!QAZ /SC ONCE /ST 23:59 /TN Test /TR hostname /F
administrator@lab.net 1qaz!QAZ 8/22/2024 3:59:51 PM WKST-001.lab.net "C:\Windows\System32\Wbem\WMIC.exe" /node:192.168.1.2 /user:administrator@lab.net /password:1qaz!QAZ computersystem get