├── .gitignore ├── EventLogParser.sln ├── EventLogParser ├── EventLogHelpers.cs ├── EventLogParser.csproj ├── Program.cs └── Properties │ └── AssemblyInfo.cs └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.suo 8 | *.user 9 | *.userosscache 10 | *.sln.docstates 11 | 12 | # User-specific files (MonoDevelop/Xamarin Studio) 13 | *.userprefs 14 | 15 | # Build results 16 | [Dd]ebug/ 17 | [Dd]ebugPublic/ 18 | [Rr]elease/ 19 | [Rr]eleases/ 20 | x64/ 21 | x86/ 22 | bld/ 23 | [Bb]in/ 24 | [Oo]bj/ 25 | [Ll]og/ 26 | 27 | # Visual Studio 2015 cache/options directory 28 | .vs/ 29 | # Uncomment if you have tasks that create the project's static files in wwwroot 30 | #wwwroot/ 31 | 32 | # MSTest test Results 33 | [Tt]est[Rr]esult*/ 34 | [Bb]uild[Ll]og.* 35 | 36 | # NUNIT 37 | *.VisualState.xml 38 | TestResult.xml 39 | 40 | # Build Results of an ATL Project 41 | [Dd]ebugPS/ 42 | [Rr]eleasePS/ 43 | dlldata.c 44 | 45 | # .NET Core 46 | project.lock.json 47 | project.fragment.lock.json 48 | artifacts/ 49 | **/Properties/launchSettings.json 50 | 51 | *_i.c 52 | *_p.c 53 | *_i.h 54 | *.ilk 55 | *.meta 56 | *.obj 57 | *.pch 58 | *.pdb 59 | *.pgc 60 | *.pgd 61 | *.rsp 62 | *.sbr 63 | *.tlb 64 | *.tli 65 | *.tlh 66 | *.tmp 67 | *.tmp_proj 68 | *.log 69 | *.vspscc 70 | *.vssscc 71 | .builds 72 | *.pidb 73 | *.svclog 74 | *.scc 75 | 76 | # Chutzpah Test files 77 | _Chutzpah* 78 | 79 | # Visual C++ cache files 80 | ipch/ 81 | *.aps 82 | *.ncb 83 | *.opendb 84 | *.opensdf 85 | *.sdf 86 | *.cachefile 87 | *.VC.db 88 | *.VC.VC.opendb 89 | 90 | # Visual Studio profiler 91 | *.psess 92 | *.vsp 93 | *.vspx 94 | *.sap 95 | 96 | # TFS 2012 Local Workspace 97 | $tf/ 98 | 99 | # Guidance 
Automation Toolkit 100 | *.gpState 101 | 102 | # ReSharper is a .NET coding add-in 103 | _ReSharper*/ 104 | *.[Rr]e[Ss]harper 105 | *.DotSettings.user 106 | 107 | # JustCode is a .NET coding add-in 108 | .JustCode 109 | 110 | # TeamCity is a build add-in 111 | _TeamCity* 112 | 113 | # DotCover is a Code Coverage Tool 114 | *.dotCover 115 | 116 | # Visual Studio code coverage results 117 | *.coverage 118 | *.coveragexml 119 | 120 | # NCrunch 121 | _NCrunch_* 122 | .*crunch*.local.xml 123 | nCrunchTemp_* 124 | 125 | # MightyMoose 126 | *.mm.* 127 | AutoTest.Net/ 128 | 129 | # Web workbench (sass) 130 | .sass-cache/ 131 | 132 | # Installshield output folder 133 | [Ee]xpress/ 134 | 135 | # DocProject is a documentation generator add-in 136 | DocProject/buildhelp/ 137 | DocProject/Help/*.HxT 138 | DocProject/Help/*.HxC 139 | DocProject/Help/*.hhc 140 | DocProject/Help/*.hhk 141 | DocProject/Help/*.hhp 142 | DocProject/Help/Html2 143 | DocProject/Help/html 144 | 145 | # Click-Once directory 146 | publish/ 147 | 148 | # Publish Web Output 149 | *.[Pp]ublish.xml 150 | *.azurePubxml 151 | # TODO: Comment the next line if you want to checkin your web deploy settings 152 | # but database connection strings (with potential passwords) will be unencrypted 153 | *.pubxml 154 | *.publishproj 155 | 156 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 157 | # checkin your Azure Web App publish settings, but sensitive information contained 158 | # in these scripts will be unencrypted 159 | PublishScripts/ 160 | 161 | # NuGet Packages 162 | *.nupkg 163 | # The packages folder can be ignored because of Package Restore 164 | **/packages/* 165 | # except build/, which is used as an MSBuild target. 
166 | !**/packages/build/ 167 | # Uncomment if necessary however generally it will be regenerated when needed 168 | #!**/packages/repositories.config 169 | # NuGet v3's project.json files produces more ignoreable files 170 | *.nuget.props 171 | *.nuget.targets 172 | 173 | # Microsoft Azure Build Output 174 | csx/ 175 | *.build.csdef 176 | 177 | # Microsoft Azure Emulator 178 | ecf/ 179 | rcf/ 180 | 181 | # Windows Store app package directories and files 182 | AppPackages/ 183 | BundleArtifacts/ 184 | Package.StoreAssociation.xml 185 | _pkginfo.txt 186 | 187 | # Visual Studio cache files 188 | # files ending in .cache can be ignored 189 | *.[Cc]ache 190 | # but keep track of directories ending in .cache 191 | !*.[Cc]ache/ 192 | 193 | # Others 194 | ClientBin/ 195 | ~$* 196 | *~ 197 | *.dbmdl 198 | *.dbproj.schemaview 199 | *.jfm 200 | *.pfx 201 | *.publishsettings 202 | node_modules/ 203 | orleans.codegen.cs 204 | 205 | # Since there are multiple workflows, uncomment next line to ignore bower_components 206 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 207 | #bower_components/ 208 | 209 | # RIA/Silverlight projects 210 | Generated_Code/ 211 | 212 | # Backup & report files from converting an old project file 213 | # to a newer Visual Studio version. 
Backup files are not needed, 214 | # because we have git ;-) 215 | _UpgradeReport_Files/ 216 | Backup*/ 217 | UpgradeLog*.XML 218 | UpgradeLog*.htm 219 | 220 | # SQL Server files 221 | *.mdf 222 | *.ldf 223 | 224 | # Business Intelligence projects 225 | *.rdl.data 226 | *.bim.layout 227 | *.bim_*.settings 228 | 229 | # Microsoft Fakes 230 | FakesAssemblies/ 231 | 232 | # GhostDoc plugin setting file 233 | *.GhostDoc.xml 234 | 235 | # Node.js Tools for Visual Studio 236 | .ntvs_analysis.dat 237 | 238 | # Visual Studio 6 build log 239 | *.plg 240 | 241 | # Visual Studio 6 workspace options file 242 | *.opt 243 | 244 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 245 | *.vbw 246 | 247 | # Visual Studio LightSwitch build output 248 | **/*.HTMLClient/GeneratedArtifacts 249 | **/*.DesktopClient/GeneratedArtifacts 250 | **/*.DesktopClient/ModelManifest.xml 251 | **/*.Server/GeneratedArtifacts 252 | **/*.Server/ModelManifest.xml 253 | _Pvt_Extensions 254 | 255 | # Paket dependency manager 256 | .paket/paket.exe 257 | paket-files/ 258 | 259 | # FAKE - F# Make 260 | .fake/ 261 | 262 | # JetBrains Rider 263 | .idea/ 264 | *.sln.iml 265 | 266 | # CodeRush 267 | .cr/ 268 | 269 | # Python Tools for Visual Studio (PTVS) 270 | __pycache__/ 271 | *.pyc 272 | 273 | # Cake - Uncomment if you are using it 274 | # tools/ -------------------------------------------------------------------------------- /EventLogParser.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28010.2026 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "EventLogParser", "EventLogParser\EventLogParser.csproj", "{68C2D365-1ABA-4727-96AF-2ED5EFED4837}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = 
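using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Diagnostics.Eventing.Reader;
using System.Text.RegularExpressions;
using System.Security.AccessControl;
using System.Security.Principal;
using System.IO;

namespace EventLogParser
{
    /// <summary>
    /// Queries the local Windows event logs for PowerShell module logging (4103),
    /// script block logging (4104) and process creation (4688) events and prints
    /// the entries whose text looks like it carries credentials (net user,
    /// cmdkey /pass:, PSCredential construction, ConvertTo-SecureString -AsPlainText,
    /// ssh -i ...). Everything this class prints or writes to the outfile is
    /// therefore potentially a secret and should be handled as such.
    /// </summary>
    public class EventLogHelpers
    {

        #region Static Variable Definitions

        // Logs queried for PowerShell events. A log that is missing or cannot be
        // opened by the current token is reported and skipped (see OpenReader).
        static string[] powershellLogs = { "Microsoft-Windows-PowerShell/Operational", "Windows PowerShell" };

        // Event ID -> parser. Program.Main looks the ID up here and DynamicInvokes the
        // delegate, so the 4104 entry must be the (outFile, context) string overload.
        public static Dictionary<string, Delegate> supportedEventIds = new Dictionary<string, Delegate>()
        {
            { "4104", new Action<string, string>(Parse4104Events) },
            { "4103", new Action(Parse4103Events) },
            { "4688", new Action(Parse4688Events) },
        };

        #endregion

        #region Regex Definitions

        // Patterns applied to 4104 script block text.
        // NOTE: the options must be OR-ed. "IgnoreCase & Multiline" evaluates to
        // RegexOptions.None because the two flag bits do not overlap, which silently
        // made every pattern case-sensitive (e.g. "NET USER ..." was never reported).
        static Regex[] powershellRegex =
        {
            new Regex(@"(New-Object.*System.Management.Automation.PSCredential.*)", RegexOptions.IgnoreCase | RegexOptions.Multiline),
            new Regex(@"(net(.exe)? user.*)", RegexOptions.IgnoreCase | RegexOptions.Multiline),
            new Regex(@"(ConvertTo-SecureString.*AsPlainText.*)", RegexOptions.IgnoreCase | RegexOptions.Multiline),
            new Regex(@"(cmdkey(.exe)?.*/pass:.*)", RegexOptions.IgnoreCase | RegexOptions.Multiline),
            new Regex(@"(ssh(.exe)?.*-i .*)", RegexOptions.IgnoreCase | RegexOptions.Multiline)
        };

        // Patterns applied to the single-line CommandLine field of 4688 events.
        static Regex[] processCmdLineRegex =
        {
            new Regex(@"(net(.exe)? user.*)", RegexOptions.IgnoreCase),
            new Regex(@"(cmdkey(.exe)?.*/pass:.*)", RegexOptions.IgnoreCase),
            new Regex(@"(ssh(.exe)?.*-i .*)", RegexOptions.IgnoreCase)
        };
        #endregion

        #region Helper Functions

        // Builds a newest-first XPath query selecting one event ID from the given log.
        static EventLogQuery GetEventLog(string logName, int eventId, PathType pathType = PathType.LogName)
        {
            string query = String.Format("*[System/EventID={0}]", eventId);
            EventLogQuery eventLogQuery = new EventLogQuery(logName, pathType, query);
            eventLogQuery.ReverseDirection = true;
            return eventLogQuery;
        }

        // Opens a reader for (logName, eventId). A log that does not exist, that the
        // current token may not read (the Security log needs an elevated token or
        // Event Log Readers membership), or that fails to open for any other event log
        // reason is reported on the console and null is returned instead of an
        // unhandled exception. Callers must dispose the returned reader.
        static EventLogReader OpenReader(string logName, int eventId)
        {
            try
            {
                return new EventLogReader(GetEventLog(logName, eventId));
            }
            catch (EventLogNotFoundException)
            {
                Console.WriteLine("[-] Log '{0}' was not found on this host. Skipping.", logName);
            }
            catch (UnauthorizedAccessException)
            {
                Console.WriteLine("[-] Access denied reading log '{0}'. Skipping.", logName);
            }
            catch (EventLogException ex)
            {
                Console.WriteLine("[-] Could not open log '{0}': {1}. Skipping.", logName, ex.Message);
            }
            return null;
        }

        // Returns the string form of event data property `index`, or "" when the record
        // carries fewer properties (older OS/provider versions) or the value is null.
        // Avoids IndexOutOfRange/NullReference on records that do not have the field.
        static string GetProperty(EventRecord record, int index)
        {
            if (record.Properties == null || index >= record.Properties.Count)
            {
                return "";
            }
            object value = record.Properties[index].Value;
            return value == null ? "" : value.ToString();
        }

        public static bool IsHighIntegrity()
        {
            // Returns true when the current token is an enabled member of
            // BUILTIN\Administrators. Under UAC the filtered (medium integrity) token
            // of an administrator does not have the group enabled, so for admin users
            // this effectively reports "elevated". It is only a convenience pre-check:
            // the authoritative check is the Security log open itself, which can still
            // fail, and non-admin Event Log Readers members are rejected here although
            // they could read the log.
            WindowsIdentity identity = WindowsIdentity.GetCurrent();
            WindowsPrincipal principal = new WindowsPrincipal(identity);
            return principal.IsInRole(WindowsBuiltInRole.Administrator);
        }

        // Prints up to `context` non-blank lines before and after every line of
        // `scriptBlock` that contains `match`, followed by the match itself in between.
        // Context lines are printed in file order (the original printed the preceding
        // lines nearest-first, i.e. reversed, and never printed the block's first line
        // because its loop bound was "i - j > 0").
        static void PrintContext(string scriptBlock, string match, int context)
        {
            string[] parts = scriptBlock.Split('\n');
            for (int i = 0; i < parts.Length; i++)
            {
                if (!parts[i].Contains(match))
                {
                    continue;
                }
                Console.WriteLine("[+] Regex Context:");

                List<string> before = new List<string>();
                for (int j = i - 1; j >= 0 && before.Count < context; j--)
                {
                    string line = parts[j].Trim();
                    if (line != "")
                    {
                        before.Add(line);
                    }
                }
                before.Reverse();
                foreach (string line in before)
                {
                    Console.WriteLine("\t{0}", line);
                }

                Console.WriteLine("\t{0}", match.Trim());

                int printed = 0;
                for (int j = i + 1; j < parts.Length && printed < context; j++)
                {
                    string line = parts[j].Trim();
                    if (line == "")
                    {
                        continue;
                    }
                    Console.WriteLine("\t{0}", line);
                    printed++;
                }
            }
        }

        #endregion

        #region Event Log Parsing Functions

        /// <summary>
        /// Command-line entry for 4104 parsing: `context` arrives as the raw argument
        /// string. "" means the default (3); otherwise it must be a non-negative
        /// integer, and the process exits with status 1 if it is not.
        /// </summary>
        /// <remarks>
        /// The original fell through after the `if` and invoked the int overload a
        /// second time, so every run parsed the logs twice (and, with context == "",
        /// int.Parse("") threw). It also rejected "0", which is a valid "no context".
        /// </remarks>
        public static void Parse4104Events(string outFile = "", string context = "")
        {
            int lines = 3;
            if (context != "")
            {
                if (!int.TryParse(context, out lines) || lines < 0)
                {
                    Console.WriteLine("[X] Error: Could not parse context given: {0}", context);
                    Console.WriteLine("[X] Exiting.");
                    Environment.Exit(1);
                }
            }
            Parse4104Events(outFile, lines);
        }

        /// <summary>
        /// Reads 4104 (script block logging) events from both PowerShell logs, newest
        /// first, and reports every script block matched by <see cref="powershellRegex"/>
        /// with `context` non-blank lines around each matching line.
        /// </summary>
        /// <param name="outFile">
        /// Optional path. When set, the full text of every matching script block is
        /// written there, in plaintext, including any credentials it contains. The
        /// file is created/truncated without warning, so point it at a location with
        /// a restrictive ACL and delete it afterwards. If it cannot be opened the run
        /// continues with console output only.
        /// </param>
        /// <param name="context">Number of non-blank lines to print before and after a match.</param>
        public static void Parse4104Events(string outFile = "", int context = 3)
        {
            // Properties[2] carries the ScriptBlockText of a 4104 record.
            // NOTE(review): long script blocks are logged as several 4104 records
            // (fragments); a match near a fragment boundary loses its neighbouring
            // context and each fragment is reported separately - confirm if that matters.
            int eventId = 4104;
            Console.WriteLine("[*] Parsing PowerShell {0} event logs...", eventId);

            StreamWriter streamWriter = null;
            if (outFile != "")
            {
                try
                {
                    streamWriter = new StreamWriter(outFile);
                }
                catch (Exception ex)
                {
                    Console.WriteLine("[X] Error: Could not open {0} for writing.", outFile);
                    Console.WriteLine("[X] Reason: {0}", ex.Message);
                }
            }

            try
            {
                foreach (string logName in powershellLogs)
                {
                    EventLogReader logReader = OpenReader(logName, eventId);
                    if (logReader == null)
                    {
                        continue;
                    }
                    using (logReader)
                    {
                        for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
                        {
                            using (eventdetail)
                            {
                                string scriptBlock = GetProperty(eventdetail, 2);
                                if (scriptBlock == "")
                                {
                                    continue;
                                }
                                // Write each matching block once, even when several
                                // patterns hit (the original wrote one copy per pattern).
                                bool written = false;
                                foreach (Regex reg in powershellRegex)
                                {
                                    Match m = reg.Match(scriptBlock);
                                    if (!m.Success)
                                    {
                                        continue;
                                    }
                                    Console.WriteLine();
                                    Console.WriteLine("[+] Regex Match: {0}", m.Value);
                                    if (streamWriter != null && !written)
                                    {
                                        streamWriter.WriteLine(scriptBlock);
                                        written = true;
                                    }
                                    PrintContext(scriptBlock, m.Value, context);
                                }
                            }
                        }
                    }
                }
            }
            finally
            {
                // Cleanup: the handle was leaked on any exception before.
                if (streamWriter != null)
                {
                    streamWriter.Close();
                    Console.WriteLine("[*] Wrote all script blocks to {0}", outFile);
                }
            }
        }

        /// <summary>
        /// Reads 4103 (module logging) events and prints, per user, the distinct
        /// script paths that appeared in the record's context block.
        /// </summary>
        /// <remarks>
        /// Properties[0] is a block of "Key = Value" lines; only "Script Name" and
        /// "User" are read. "Connected User" is deliberately excluded so a remoting
        /// client name does not overwrite the local user. Records without a script
        /// name (interactive commands) are skipped instead of printing a blank entry.
        /// </remarks>
        public static void Parse4103Events()
        {
            int eventId = 4103;
            char[] separator = { '=' };
            Dictionary<string, HashSet<string>> results = new Dictionary<string, HashSet<string>>();
            Console.WriteLine("[*] Parsing PowerShell {0} event logs...", eventId);
            foreach (string logName in powershellLogs)
            {
                EventLogReader logReader = OpenReader(logName, eventId);
                if (logReader == null)
                {
                    continue;
                }
                using (logReader)
                {
                    for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
                    {
                        using (eventdetail)
                        {
                            string[] eventAttributeLines = GetProperty(eventdetail, 0).Split('\n');
                            string username = "";
                            string scriptName = "";
                            foreach (string attr in eventAttributeLines)
                            {
                                if (attr.Contains("Script Name ="))
                                {
                                    scriptName = attr.Split(separator, 2)[1].Trim();
                                }
                                else if (attr.Contains("User =") && !attr.Contains("Connected User ="))
                                {
                                    username = attr.Split(separator, 2)[1].Trim();
                                }
                                if (username != "" && scriptName != "")
                                {
                                    break;
                                }
                            }
                            if (scriptName == "")
                            {
                                continue;
                            }
                            if (!results.ContainsKey(username))
                            {
                                results[username] = new HashSet<string>();
                            }
                            results[username].Add(scriptName);
                        }
                    }
                }
            }
            foreach (string username in results.Keys)
            {
                if (results[username].Count > 0)
                {
                    Console.WriteLine("[+] {0} loaded modules:", username);
                    foreach (string script in results[username])
                    {
                        Console.WriteLine("\t{0}", script);
                    }
                }
            }
        }

        /// <summary>
        /// Reads 4688 (process creation) events from the Security log and prints the
        /// distinct command lines matched by <see cref="processCmdLineRegex"/>.
        /// </summary>
        /// <remarks>
        /// Requires a token that can read the Security log (see IsHighIntegrity) and
        /// "Include command line in process creation events" enabled in audit policy;
        /// without the latter the CommandLine field is empty and nothing is reported.
        /// The original also echoed every command line unconditionally before matching
        /// (a debugging leftover); only matches are printed now.
        /// </remarks>
        public static void Parse4688Events()
        {
            if (!IsHighIntegrity())
            {
                Console.WriteLine("[X] Error: To parse 4688 Event Logs, you need to be in high integrity.");
                Console.WriteLine("[X] Exiting.");
                Environment.Exit(1);
            }
            int eventId = 4688;
            Console.WriteLine("[*] Parsing {0} Process Creation event logs...", eventId);
            string logName = "Security";
            HashSet<string> results = new HashSet<string>();
            EventLogReader logReader = OpenReader(logName, eventId);
            if (logReader == null)
            {
                return;
            }
            using (logReader)
            {
                for (EventRecord eventdetail = logReader.ReadEvent(); eventdetail != null; eventdetail = logReader.ReadEvent())
                {
                    using (eventdetail)
                    {
                        // Properties[8] is the CommandLine field. GetProperty returns ""
                        // when the field is absent (systems that predate it) or null.
                        string commandLine = GetProperty(eventdetail, 8).Trim();
                        if (commandLine == "")
                        {
                            continue;
                        }
                        foreach (Regex reg in processCmdLineRegex)
                        {
                            if (reg.IsMatch(commandLine))
                            {
                                results.Add(commandLine);
                                break;
                            }
                        }
                    }
                }
            }

            foreach (string cmd in results)
            {
                Console.WriteLine("[+] {0}", cmd);
            }
        }

        #endregion
    }
}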
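using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Reflection;
using System.Diagnostics.Eventing.Reader;
using EventLogParser;

namespace EventLogParser
{
    /// <summary>
    /// Command-line front end: parses key=value arguments and dispatches to the
    /// parser registered for the requested event ID in EventLogHelpers.supportedEventIds.
    /// </summary>
    class Program
    {

        // Prints the usage text and terminates the process with exit status 1.
        // (Event ID descriptions were swapped in the original: 4103 is module
        // logging and 4104 is script block logging.)
        static void Usage()
        {
            string usageString = @"
Usage
=====

EventLogParser.exe eventid=EVENTID [context=N] [outfile=C:\Windows\Temp\loggedfiles.txt]

Description:

EventLogParser will parse event IDs 4103, 4104 and 4688 to search for sensitive
information, including:
    - RDP Credentials (cmdkey /pass:)
    - net user commands
    - Plaintext secure-strings
    - PSCredential objects
    - SSH commands using keys
    - Imported powershell modules.

Arguments:

    Required:

        eventid - Must be one of:
            4103 - PowerShell module logging
            4104 - PowerShell script block logging
            4688 - Process Creation logging.
                   Note: reads the Security log, so the process must run
                   elevated (high integrity), and ""Include command line in
                   process creation events"" must be enabled in audit policy
                   or the command line field is empty.

    Optional:

        context - Number of non-blank lines printed before and after each
                  ""interesting"" regex match. Only applies to 4104 events.
                  Default is 3.

        outfile - Path to the file you wish to write all matching script block logs
                  to. This only applies to event ID 4104. The file is overwritten
                  and will contain the matched script blocks in plaintext, including
                  any credentials found, so write it to a location with a
                  restrictive ACL and remove it when you are done.

Example:

    .\EventLogParser.exe eventid=4104 outfile=C:\Windows\Temp\scripts.txt context=5

    Writes all 4104 events with ""sensitive"" information to C:\Windows\Temp\scripts.txt
    and prints 5 lines before and after the matching line.

    .\EventLogParser.exe eventid=4103

    Lists the on-disk path of every module/script loaded by each user.
";
            Console.WriteLine(usageString);
            Environment.Exit(1);
        }

        // Parses "key=value" arguments (keys are case-insensitive) into a dictionary
        // with defaults context="3" and outfile="". Arguments without '=' are reported
        // and ignored; a later duplicate key overwrites an earlier one. Exits via
        // Usage() when eventid is missing or not a supported ID.
        static Dictionary<string, string> ArgumentParser(string[] args)
        {
            Dictionary<string, string> results = new Dictionary<string, string>();
            results["context"] = "3";
            results["outfile"] = "";
            char[] sep = { '=' };
            foreach (string arg in args)
            {
                // Split(sep, 2) always yields two parts when '=' is present, so the
                // only invalid shape is an argument without a separator.
                if (!arg.Contains("="))
                {
                    Console.WriteLine("[-] Invalid argument passed. Skipping {0}.", arg);
                    continue;
                }
                string[] parts = arg.Split(sep, 2);
                results[parts[0].Trim().ToLower()] = parts[1].Trim();
            }
            if (!results.ContainsKey("eventid"))
            {
                Console.WriteLine("[X] No eventid passed.");
                Usage();
            }
            if (!EventLogHelpers.supportedEventIds.ContainsKey(results["eventid"]))
            {
                Console.WriteLine("[X] Invalid eventid passed. You gave: {0}", results["eventid"]);
                Usage();
            }
            return results;
        }

        // Entry point. Only the 4104 parser takes arguments (outfile, context as
        // strings); the others are parameterless - see EventLogHelpers.supportedEventIds.
        static void Main(string[] args)
        {
            Dictionary<string, string> arguments = ArgumentParser(args);
            string eventid = arguments["eventid"];
            Delegate parser = EventLogHelpers.supportedEventIds[eventid];
            try
            {
                if (eventid == "4104")
                {
                    parser.DynamicInvoke(arguments["outfile"], arguments["context"]);
                }
                else
                {
                    parser.DynamicInvoke();
                }
            }
            catch (TargetInvocationException ex)
            {
                // DynamicInvoke wraps whatever the parser threw; report the real
                // cause instead of an unhandled reflection stack trace.
                Exception cause = ex.InnerException ?? ex;
                Console.WriteLine("[X] Error while parsing {0} logs: {1}", eventid, cause.Message);
                Environment.Exit(1);
            }
            Console.WriteLine("[*] Finished parsing {0} logs.", eventid);
        }
    }
}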
Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("EventLogParser")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("EventLogParser")] 13 | [assembly: AssemblyCopyright("Copyright © 2019")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("68c2d365-1aba-4727-96af-2ed5efed4837")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # EventLogParser 2 | 3 | ``` 4 | Usage 5 | ===== 6 | 7 | EventLogParser.exe eventid=EVENTID [outfile=C:\Windows\Temp\loggedfiles.txt] 8 | 9 | Description: 10 | 11 | EventLogParser will parse event IDs 4103, 4104 and 4688 to search for sensitive 12 | information, including: 13 | - RDP Credentials 14 | - net user commands 15 | - Plaintext secure-strings 16 | - PSCredential objects 17 | - SSH commands using keys 18 | - Imported powershell modules. 
Arguments:

    Required:

        eventid - Must be one of:
            4103 - PowerShell module logging
            4104 - PowerShell script block logging
            4688 - Process Creation logging.
                   Note: reads the Security log, so the process must run
                   elevated (high integrity), and "Include command line in
                   process creation events" must be enabled in audit policy
                   or the command line field is empty.

    Optional:

        context - Number of non-blank lines printed before and after each
                  "interesting" regex match. Only applies to 4104 events.
                  Default is 3.

        outfile - Path to the file you wish to write all matching script block logs
                  to. This only applies to event ID 4104. The file is overwritten
                  and will contain the matched script blocks in plaintext, including
                  any credentials found, so write it to a location with a
                  restrictive ACL and remove it when you are done.

Example:

    .\EventLogParser.exe eventid=4104 outfile=C:\Windows\Temp\scripts.txt context=5

    Writes all 4104 events with "sensitive" information to C:\Windows\Temp\scripts.txt
    and prints 5 lines before and after the matching line.

    .\EventLogParser.exe eventid=4103

    Lists the on-disk path of every module/script loaded by each user.
```

## Examples

```
.\EventLogParser.exe eventid=4104
[*] Parsing PowerShell 4104 event logs...

[+] Regex Match: net user $NewOsUser $NewOsPass /add & net localgroup administrators /add $NewOsUser'';"
[+] Regex Context:
	# Create query
	}else{
	Break
	Write-Verbose "$Instance : The service account does not have local administrator privileges so no OS admin can be created. Aborted."
	net user $NewOsUser $NewOsPass /add & net localgroup administrators /add $NewOsUser'';"
	# Status user
	Write-Verbose "$Instance : Payload generated."
66 | } 67 | }else{ 68 | 69 | [+] Regex Match: New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Username, $secpass) 70 | [+] Regex Context: 71 | $secpass = ConvertTo-SecureString $Password -AsPlainText -Force 72 | { 73 | if($Username -and $Password) 74 | # Create PS Credential object 75 | New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Username, $secpass) 76 | } 77 | # Create Create the connection to LDAP 78 | if ($DomainController) 79 | { 80 | 81 | [+] Regex Match: ConvertTo-SecureString $Password -AsPlainText -Force 82 | [+] Regex Context: 83 | { 84 | if($Username -and $Password) 85 | # Create PS Credential object 86 | { 87 | ConvertTo-SecureString $Password -AsPlainText -Force 88 | $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Username, $secpass) 89 | } 90 | # Create Create the connection to LDAP 91 | if ($DomainController) 92 | ``` 93 | --------------------------------------------------------------------------------