hunting

et-eventlog -log security | where-object {$_.TimeGenerated -gt (get-date).adddays(-5) -AND $_.EntryType -eq 'SuccessAudit' –AND  (($_.EventID -eq "5145" -AND $_.Message -match "\\\\\*\\ADMIN\$|\\\\\*\\C\$|\\\\\*\\IPC\$"  -AND $_.Message -match "\%\%4417") -OR ($_.EventID -eq "4674" -AND $_.Message -match "SeTakeOwnershipPrivilege|SeDebugPrivilege|SeTcbPrivilege") -OR ($_.EventID -eq "4688"  -AND $_.

Powershell: Forensic One-linersldap389

Use PowerShell to Perform Offline Analysis of Security Logs - Scripting BlogScripting Blog

PreviousLateral Movement NextRecycle Bin

Last updated 1 year ago