11 - Event Log Readers Group

# Intro - Admins or members of the [Event Log Readers](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn579255$v=ws.11$?redirectedfrom=MSDN#event-log-readers) group have permission to access the he Windows security event log - If [auditing of process creation](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation) events and corresponding command line values is enabled, this info is saved to the Windows security event log as event ID [4688: A new process has been created](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4688) - For example, orgs enable logging of process command lines to help defenders monitor and identify possibly malicious behavior and identify binaries that should not be present on a system - This data can be shipped to a SIEM tool - This [study](https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html) shows some of the most run commands by attackers: - after initial access - `tasklist`, `ver`, `ipconfig`, `systeminfo` - for recon - `dir`, `net view`, `ping`, `net use`, `type` - for spreading malware within a network - `at`, `reg`, `wmic`, `wusa` - Aside from monitoring for these commands being run, an enterprise could take things a step further and restrict the execution of specific commands using fine-tuned AppLocker rules # Confirm Group Membership ```cmd net localgroup "Event Log Readers" ``` # Searching Security Logs - We can query Windows events from the command line using the [wevtutil](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil) utility and the [Get-WinEvent](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.1) PowerShell cmdlet ## `wevutil` ```powershell wevtutil qe Security /rd:true /f:text | Select-String "/user" ``` - We can also pass creds to `wevutil` with the `/u` and `/p` parameters ```cmd wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user" ``` ## `Get-WinEvent` - Note: Searching the `Security` event log with `Get-WInEvent` as below requires admin access or perms adjusted on the registry key `HKLM\System\CurrentControlSet\Services\Eventlog\Security` - Membership in just the `Event Log Readers` group is not sufficient ```powershell Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }} ``` --- # Exercise - `ping` test ![[images/Pasted image 20260219192728.png]] - `nmap` scan ![[images/Pasted image 20260219192743.png]] - `rdp` into target with given creds - light internal enum ![[images/Pasted image 20260219192937.png]] - Note: user `logger` is in the `Event Log Readers` group - upgrade to a powershell session and user `wevutil` ![[images/Pasted image 20260219193039.png]]