Cardboard Iguana Security

journals

spells

Abusing wildcard expansion in Bash

Access the Windows Registry using PowerShell

Add Windows users at the command line

Aircrack-NG

ARP scanning

ARP

AS-REP roasting with Impacket

AS-REP roasting With Rubeus

AS-REP roasting

Automate Netlify builds with IFTTT

Automatically stabilize a reverse shell with socat

Avoid dropping privileges with SUID Bash

awk

Backdoor Visual Basic Scripts

basenc

Bash reverse shell

Bash scripting

Bulk edit Windows permissions

Burp Suite

Bypass the PowerShell execution policy

Bypass Windows antivirus with C Sharp

Calculate a file hash on Windows with CertUtil

Call Mimikatz from a meterpreter shell

cat

cewl

Change a branch name in Git

Change an RSA key passphrase with OpenSSL

Cisco IOS

Common Windows user types

Compact VM disk images

Confirm the existence of a Gmail address

crackmapexec

Create a GPG key with SSH support

Create a zip bomb

CUPP

Day One to Obsidian conversion script

DCERPC

Debugging Bash scripts

Easy reverse DNS lookups

enum4linux

Enumerate AD CS templates with CertUtil

Equivalent Windows and UNIX commands

Evil-WinRM

Exploit LD_LIBRARY_PATH

Exploit LD_PRELOAD

Exploit local Windows services

Exploit local Windows tasks

Exploit remote Windows services

Exploit remote Windows tasks

Exploit the Bash PS4 prompt

Exploit the Windows DLL search order

Exploit the Windows FoDHelper

Exploit the WinLogon initialization sequence

Exploit VBA scripts with msfvenom

Exploit weak etc-passwd permissions

Exploit weak etc-shadow permissions

Exploit Windows file associations

Exploit Windows HTML applications with msfvenom

Exploit Windows services

Exploit Windows shortcut files

Exploit Windows tasks

Export highlights and annotations from Kobo eReaders

Extract the webpage title from a URL

ffmpeg

Find and replace a single line in a large text file

Find executables with SUID capabilities

find

findstr

finger

Fix EXIF data on Google Photos exports

Gemini compatible markdown

Get a shell from ViM

Get an SSL certificate

Golden and silver ticket attacks

IIS configuration data

Kerberoasting with Impacket

Kerberoasting with Rubeus

Load a shell with a simple executable

Local file inclusion attacks

Look up unicode symbols and emojis

MAC address

Magic numbers

man

Match files to packages in Debian-based operating systems

Match files to packages in Red Hat-based operating systems

Metasploit MS SQL modules

meterpreter

Mimikatz

MITRE ATTaCK emulation plans

PHP local file inclusion attacks

PHP

ping

Poison null byte attack

Poison null byte in PHP

Polkit

Pop a SYSTEM shell on the Windows login screen using sticky keys

Pop a SYSTEM shell on the Windows login screen using Utilman

POP3

Port scanning with Bash

POSIX process signals

Powercat

PowerShell reverse shell

PowerView

Pull SSL certificates from an external server

Python

Quick-n-dirty Python web server

Quickly bypass ssh-agent

Quickly find the canonical path of a file

RCE via XXE in PHP

Read a file beginning with a dash

reg

RegEx metacharacters

Remotely install a Windows package with PowerShell

Remove duplicate lines in Bash

Retrieve AIX fileset information

Retrieve AIX system information

Rubeus

Ruby

Run a remote Windows command using PowerShell

Run commands directly with PowerShell

RunAs

Send a command using OpenSSL

Set the PATH in a session on UNIX-like operating systems

Set the PATH in a session on Windows

Set up WMI in PowerShell

SQL injection attacks

Transfer files over FTP using netcat

UDP

unbuffer

Uniform resource locators

UNIX file descriptors

UNIX password hashes

UNIX permissions

Unquoted path handling in Windows

Upgrade PostgreSQL

Use a Raspberry Pi 4B as hacking accessory

Use an alternate SSH key with Git

Use Bash functions to backdoor executables

Use Burp Suite with Firefox

Use Burp Suite with mobile apps

Use curl and jq with web APIs

Use OpenSSL to encrypt and decrypt files

Use the Windows Firewall to relay ports

Use unsupported display resolutions with Samsung DeX

Use WinRM with PowerShell

Useful built-in commands for Linux reconnaissance

Useful built-in commands for Windows reconnaissance

Useful Linux reconnaissance scripts

Useful scripts for Windows reconnaissance

ViM

Visual Basic for Applications

wfuzz

whoami

Wi-Fi

Windows DLL search order

Windows event IDs

Windows event logs

Windows local service accounts

Windows logon scripts

Windows permissions

Windows reconnaissance with PowerShell

Windows Remote Management

Windows Run and RunOnce Registry keys

Windows Scripting Host

Windows SeBackup and SeRestore permissions

Windows SeImpersonate and SeAssignPrimaryToken permissions

Windows service ACLs

Windows services

Windows SeTakeOwnership permission

Windows Startup folder

Windows unattended installation data

winrs

Wireshark

wmic

Work with base64 encoding using PowerShell

Work with remote services using WMI and PowerShell

Work with remote tasks using WMI and PowerShell

Working with services in PowerShell

Cardboard Iguana Security

permalink: spells/get-winevent
tags:
  - OS/Windows/EventLog
  - Application/PowerShell
  - AttackCycle/Reconnaissance

Get-WinEvent

Get-WinEvent is a PowerShell command for working with Windows event logs.

# Get help on Get-WinEvent (calls out to Microsoft).
#
Get-Help Get-WinEvent

# Filter event log output using the Where-Object command. This
# apparently pipes the entire output to the Where-Object
# command, which then scans for the appropriate field. So a
# bit inefficient for large logs.
#
Get-WinEvent -LogName Application | Where-Object {
	$_.ProviderName -Match 'WLMS'
}

# To match event IDs with Where-Object, use the slightly
# different form `Where-Object Id -eq 100`, etc.

# Use the -FilterHashtable flag. This causes the filtering to
# be done during the call made by Get-WinEvent, and has a more
# straight-forward syntax too. However, it only works when
# called against the system event log; Where-Object needs to
# be used when specifying an archived log via -Path.
#
# Note that hashes can be specified with newlines instead of
# semicolons as well, which can make scripts A LOT more
# readable!
#
Get-WinEvent -FilterHashtable @{
	LogName = 'Application';
	ProviderName = 'WLMS'
}

# To display all information about an event, pipe the output
# of Get-WinEvent to `Format-List -Property *`

FilterHashtable

There's lots of good information about the various FilterHashtable keys in Microsoft's documentation. Some important ones:

LogName (String)
ProviderName (String)
Path (String)
Keywords (Long)
ID (Int32)
Level (Int32)
StartTime (DateTime)
EndTime (DateTime)
UserID (SID)
Data (String)
[NamedData] (String)

Wildcards can be used with LogName and ProviderName, but not with other keys.

Event Viewer displays most of these values in the "General" when viewing an individual log entry, though note that Keywords is translated to a string.

Keywords

AuditFailure (4503599627370496)
AuditSuccess (9007199254740992)
CorrelationHint2 (18014398509481984)
EventLogClassic (36028797018963968)
Sqm (2251799813685248)
WdiDiagnostic (1125899906842624)
WdiContext (562949953421312)
ResponseTime (281474976710656)
None (0)

Levels

Verbose (5)
Informational (4)
Warning (3)
Error (2)
Critical (1)
LogAlways (0)

Event IDs

Windows event IDs

aliases:
  - Event IDs
  - Event ID
permalink: spells/windows-event-ids
tags:
  - OS/Windows/EventLog

Windows event IDs

104 - Event log was cleared
1102 - Audit log was cleared (517 on Windows 2003 and earlier)
4104 - PowerShell command and script logging
4626 - Successful logon
- LogonType 3 represents a (generic) network login
- LogonType 9 represents a logon where the outbound credentials are different than the credentials used to authenticate to the account that is initiating that login (only logged by the host initiating the connection, however)

It's hard to find documentation about event ID, and the meaning seems to shift between versions of Windows.

Get-WinEvent

Interactive graph

On this page

Get-WinEvent

FilterHashtable

Keywords

Levels

Event IDs