Searching Logs & Event Viewer

Searching sensitive log files and event logs can reveal valuable information about a system and may lead to privilege escalation.

PowerShell Script Block Logging

Two important logging mechanisms for PowerShell are:

  • PowerShell Transcription

  • PowerShell Script Block Logging.

Get-WinEvent

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object Id -eq 4104 | Out-GridView
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Select-Object -First 20 | Out-GridView
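The two commands above dump raw 4104 events, but a long script block is written as several 4104 events (one per fragment) that share a ScriptBlockId, so reading them one at a time hides what actually ran. The function below is an added example, not code from the original notes: it pulls 4104 events from the same log, stitches fragments back together in MessageNumber order, and lets you filter the reassembled text. It assumes a session with read access to the Operational log and the standard 4104 event data layout (MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path).

```powershell
# Added example (not from the original notes): collect 4104 script block events
# and reassemble script blocks that were logged as several fragments.
# Assumed: read access to Microsoft-Windows-PowerShell/Operational on the host
# being examined; 4104 event data is MessageNumber, MessageTotal, ScriptBlockText,
# ScriptBlockId, Path (in that order).

function Get-PSScriptBlockEvents {
    [CmdletBinding()]
    param(
        # How far back to look; default is the last 24 hours
        [datetime]$StartTime = (Get-Date).AddDays(-1),
        # Optional regex applied to the reassembled script text
        [string]$Pattern
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $StartTime
    }

    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $events |
        Group-Object { $_.Properties[3].Value } |          # group fragments by ScriptBlockId
        ForEach-Object {
            # Fragments of one block arrive as MessageTotal events; order them by MessageNumber
            $parts = @($_.Group | Sort-Object { [int]$_.Properties[0].Value })
            $first = $parts[0]
            [pscustomobject]@{
                TimeCreated   = $first.TimeCreated
                ScriptBlockId = $_.Name
                Fragments     = $parts.Count
                Path          = $first.Properties[4].Value   # empty for interactive/in-memory blocks
                Level         = $first.LevelDisplayName       # 'Warning' = PowerShell's own suspicious-content flag
                Text          = ($parts | ForEach-Object { $_.Properties[2].Value }) -join ''
            }
        } |
        Where-Object { -not $Pattern -or $_.Text -match $Pattern } |
        Sort-Object TimeCreated
}

# Usage: review the blocks PowerShell itself flagged (logged at Warning level) from the last week
Get-PSScriptBlockEvents -StartTime (Get-Date).AddDays(-7) |
    Where-Object Level -eq 'Warning' |
    Select-Object TimeCreated, Path, Fragments,
        @{ n = 'Preview'; e = { $_.Text.Substring(0, [Math]::Min(120, $_.Text.Length)) } } |
    Out-GridView
```

Pass `-Pattern` to search the reassembled text rather than the individual fragments; a string that was split across two events is only matchable after the join. An empty Path means the block was not loaded from a file on disk, which is worth a closer look during a review.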

reg query

reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
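The reg query lines above answer one question per key; when reviewing a host it is quicker to see the whole PowerShell logging policy at once. The function below is an added example, not part of the original notes: it reads the ScriptBlockLogging policy key the queries above target, plus the sibling Transcription and ModuleLogging keys, from both HKLM and HKCU, and reports each as enabled, disabled or not configured. It assumes Windows PowerShell 5.1 or later and the standard value names for those keys; the Wow6432Node paths from the list above can be appended to $bases if you want them covered too.

```powershell
# Added example (not from the original notes): report the PowerShell logging policy
# by reading the same policy keys the reg query commands above look at, plus the
# sibling Transcription and ModuleLogging keys. Missing keys are reported as
# "not configured" instead of raising an error.
# Assumed: Windows PowerShell 5.1+; reading these policy keys needs no elevation.

function Get-PSLoggingPolicy {
    $bases = @(
        'HKLM:\Software\Policies\Microsoft\Windows\PowerShell',
        'HKCU:\Software\Policies\Microsoft\Windows\PowerShell'
    )
    # Policy subkey -> the DWORD value that switches the feature on
    $features = [ordered]@{
        ScriptBlockLogging = 'EnableScriptBlockLogging'
        Transcription      = 'EnableTranscripting'
        ModuleLogging      = 'EnableModuleLogging'
    }

    foreach ($base in $bases) {
        foreach ($feature in $features.Keys) {
            $key   = Join-Path $base $feature
            $value = $features[$feature]
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

            $state = if ($null -eq $props)         { 'not configured' }
                     elseif ($props.$value -eq 1)  { 'enabled' }
                     elseif ($props.$value -eq 0)  { 'disabled' }
                     else                          { 'key present, value missing' }

            [pscustomobject]@{
                Hive    = $base.Split(':')[0]
                Feature = $feature
                State   = $state
                # Transcripts are written under this directory when transcription is on
                Detail  = if ($feature -eq 'Transcription' -and $props) { $props.OutputDirectory } else { $null }
            }
        }
    }
}

Get-PSLoggingPolicy | Format-Table -AutoSize
```

Two caveats when reading the output: an HKCU entry only reflects the user whose session runs the check, and "not configured" for ScriptBlockLogging does not mean the Operational log is empty. PowerShell 5 and later still writes 4104 events at Warning level for script blocks it considers suspicious even with no policy set, so the Get-WinEvent queries in the previous section are worth running regardless of what this report says.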

Event Viewer

If we have access to RDP we can use the Event Viewer GUI to search for logs and event files.
