• Stars
    star
    117
  • Rank 301,828 (Top 6 %)
  • Language
    C#
  • Created over 5 years ago
  • Updated over 5 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Parse PowerShell and Security event logs for sensitive information.

EventLogParser

Usage
=====

EventLogParser.exe eventid=EVENTID [outfile=C:\Windows\Temp\loggedfiles.txt]

Description:

    EventLogParser will parse event IDs 4103, 4104 and 4688 to search for sensitive
    information, including:
        - RDP Credentials
        - net user commands
        - Plaintext secure-strings
        - PSCredential objects
        - SSH commands using keys
        - Imported powershell modules.

Arguments:

    Required:

        eventid - Must be one of:
                    4103 - Script Block Logging
                    4104 - PowerShell module logging
                    4688 - Process Creation logging.
                           Note: Must be high integrity and have
                                 command line logging enabled.

    Optional:

        context - Number of lines surrounding the ""interesting"" regex matches.
                  Only applies to 4104 events. Default is 3.

        outfile - Path to the file you wish to write all matching script block logs
                  to. This only applies to event ID 4104.

Example:

    .\EventLogParser.exe eventid=4104 outfile=C:\Windows\Temp\scripts.txt context=5

        Writes all 4104 events with ""sensitive"" information to C:\Windows\Temp\scripts.txt
        and prints 5 lines before and after the matching line.

    .\EventLogParser.exe eventid=4103

        List all modules path on disk that have been loaded by each user.

Examples

.\EventLogParser.exe eventid=4104
[*] Parsing PowerShell 4104 event logs...

[+] Regex Match: net user $NewOsUser $NewOsPass /add & net localgroup administrators /add $NewOsUser'';"
[+] Regex Context:
        # Create query
        }else{
        Break
        Write-Verbose "$Instance : The service account does not have local administrator privileges so no OS admin can be created.  Aborted."
        net user $NewOsUser $NewOsPass /add & net localgroup administrators /add $NewOsUser'';"
        # Status user
        Write-Verbose "$Instance : Payload generated."
        }
        }else{

[+] Regex Match: New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Username, $secpass)
[+] Regex Context:
        $secpass = ConvertTo-SecureString $Password -AsPlainText -Force
        {
        if($Username -and $Password)
        # Create PS Credential object
        New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Username, $secpass)
        }
        # Create Create the connection to LDAP
        if ($DomainController)
        {

[+] Regex Match: ConvertTo-SecureString $Password -AsPlainText -Force
[+] Regex Context:
        {
        if($Username -and $Password)
        # Create PS Credential object
        {
        ConvertTo-SecureString $Password -AsPlainText -Force
        $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($Username, $secpass)
        }
        # Create Create the connection to LDAP
        if ($DomainController)

More Repositories

1

SharpChromium

.NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins.
C#
590
star
2

SharpWeb

.NET 2.0 CLR project to retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge.
C#
456
star
3

SharpShares

Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
C#
244
star
4

WireTap

.NET 4.0 Project to interact with video, audio and keyboard hardware.
C#
192
star
5

CSharpSetThreadContext

C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread
C#
119
star
6

SharpLogger

Keylogger written in C#
C#
115
star
7

SharpSearch

Search files for extensions as well as text within.
C#
114
star
8

cliProxy

Proxy Unix applications in the terminal
Go
113
star
9

1PasswordSuite

Utilities to extract secrets from 1Password
C
107
star
10

ScatterBrain

Suite of Shellcode Running Utilities
VBScript
105
star
11

.NET-Profiler-DLL-Hijack

Implementation of the .NET Profiler DLL hijack in C#
C#
97
star
12

ProcessReimaging

Process reimaging proof of concept code
C++
94
star
13

macos_shell_memory

Execute MachO binaries in memory using CGo
C
79
star
14

KittyLitter

Credential Dumper
C#
74
star
15

TSMSISrv_poc

C# POC code for the SessionEnv dll hijack by utilizing called functions of TSMSISrv.dll
C#
54
star
16

wlbsctrl_poc

C++ POC code for the wlbsctrl.dll hijack on IKEEXT
C
49
star
17

SharpSC

Simple .NET assembly to interact with services.
C#
35
star
18

HookDetector

Playing with PE's and Building Structures by Hand
C++
22
star
19

SharpScreenshot

Dead simple C# project to take a screenshot.
C#
17
star
20

CSharpCreateThreadExample

C# code to run PIC using CreateThread
C#
17
star
21

spfwalker

Tool to walk SPF records for relevant domain names and Whois information.
Go
16
star
22

librarian

Shared library loading application for Linux written in Go.
Go
16
star
23

SharpEdge

C# Implementation of Get-VaultCredential
C#
14
star
24

GitSecrets

Script to help enumerate and dig through Github and Github Enterprise installations.
Python
14
star
25

gosharedlib

Shared library example to be loaded by the github.com/djhohnstein/librarian application
Go
10
star
26

ghidorah

Golang Brute Force Tool
Go
9
star
27

portscanner

Golang portscanning tool
Go
5
star
28

essdp_fork

Fork of Evil SSDP from InitString. Adds base64 authentication, redirect urls and customizable realm options for internal phishing.
Python
4
star
29

polarbearrepo

C++
3
star
30

CPPWebClient

Web client to wrap GET and POST requests in C++
C++
3
star
31

PowerShell-Book-Labs

PowerShell labs from various books
PowerShell
2
star
32

DerbyCon2019

Code & Slides For DerbyCon 2019
C#
2
star
33

Vuln-Server-Exploits

Exploits for Vuln Server (http://www.thegreycorner.com/2010/12/introducing-vulnserver.html)
Python
1
star
34

all-MiniLM-L6-v2-tfjs

all-MiniLM-L6-v2-tfjs
1
star