Dpitt1968

Reputation: 109

Powershell - Query event 4688 for command line text

Regarding PowerShell and Event 4688, where it's now possible to log text entered into a Windows command line.

Is there a way to use the PowerShell Get-WinEvent -FilterHashTable to show me what was entered in 'Process Command Line' of the event logs? This would be the actual text someone entered into the command line.

Upvotes: 0

Views: 3456

Answers (1)

Frode F.

Reputation: 54871

You can access the properties in an event message using Properties, but you need to use a sample event so you can compare the message and the Properties array to find out which index is the right field. I think it is the 9th (index 8), but you should verify.

List properties (values in message):

(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} -MaxEvents 1).Properties

Value                          
-----                          
S-1-5-18                       
-                              
-                              
999                            
920                            
C:\Windows\System32\lsass.exe  
%%1936                         
784                            
           #I believe this is CommandLine                       
S-1-0-0                        
-                              
-                              
0                              
C:\Windows\System32\wininit.exe
S-1-16-16384

Using Select-Object, you can create your own object to extract e.g. the TimeCreated and the CommandLine (using custom/calculated properties):

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} | Select-Object TimeCreated,@{name='NewProcessName';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={ $_.Properties[8].Value }}

#I didn't have any values in my events

TimeCreated         NewProcessName                   CommandLine
-----------         --------------                   -----------
09.04.2016 00:56:04 C:\Windows\System32\lsass.exe               
09.04.2016 00:56:04 C:\Windows\System32\services.exe            
09.04.2016 00:56:04 C:\Windows\System32\winlogon.exe            
09.04.2016 00:56:04 C:\Windows\System32\wininit.exe             
09.04.2016 00:56:04 C:\Windows\System32\csrss.exe            

You could also use XML to access the properties, but this would be more useful if you were listing different event IDs (where the order in the properties array would be different). Example:

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688
} | Select-Object TimeCreated, @{name='CommandLine';expression={ (([xml]$_.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' })."#text" }}

Upvotes: 3
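The XML approach from the answer, carried a step further as an added example (not code from the question or the answer): the EventData fields are read by name into one object per event, so the script does not depend on the position of CommandLine in the Properties array, and empty CommandLine values are explained by checking the "Include command line in process creation events" audit setting (the ProcessCreationIncludeCmdLine_Enabled registry value) that 4688 needs before it records the text. The function name, parameters and the one-hour default window are choices made for this example.

```powershell
# Added example: name-based extraction of 4688 fields via the event XML.
function Get-ProcessCreationEvent {
    [CmdletBinding()]
    param(
        # Assumed defaults for this example: last hour, at most 500 events.
        [datetime]$StartTime = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Security'; ID = 4688; StartTime = $StartTime }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Build a Name -> value table from <EventData><Data Name="...">...</Data>
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $fields[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                SubjectUserName   = $fields['SubjectUserName']
                NewProcessName    = $fields['NewProcessName']
                ParentProcessName = $fields['ParentProcessName']   # present on newer Windows only
                CommandLine       = $fields['CommandLine']
            }
        }
}

$events = @(Get-ProcessCreationEvent)
$withCmdLine = @($events | Where-Object { $_.CommandLine })

if ($events.Count -gt 0 -and $withCmdLine.Count -eq 0) {
    # 4688 only carries the command line when this audit policy setting is on.
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $enabled  = (Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' `
                    -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    if ($enabled -ne 1) {
        Write-Warning 'CommandLine is empty: "Include command line in process creation events" is not enabled.'
    }
}

# Only the events that actually recorded a command line.
$withCmdLine | Format-Table TimeCreated, SubjectUserName, NewProcessName, CommandLine -AutoSize
```

Reading the Security log requires an elevated session; the registry check is read-only and reports the setting, it does not change it.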
