
I have a very specific question. I'm in the middle of an assignment for school and my team is stuck at a part where we need to recover a password from the Event Logs that was purposely placed in there. He said there should be logs that have the password included in them that were man-made, but we have no idea where to look. We've looked through the 4688, 4723, 4724 event logs, as well as the rest of them even though they don't apply much to this situation, to see if maybe there is custom information that's placed that includes a password, but we can't find anything. There are logs where we can see that users were made and changes were made to their accounts/passwords, and then one user was disabled and deleted, but is there a way to actually get more information from an event log using PowerShell? We've been using MyEventViewer for the event logs but are really lost at this point. Our teacher said that he was able to get the password by using PowerShell. Does anyone have any idea as to how we could go about getting the password for a user like that going through PowerShell? It's the Domain Admin account's password that we're looking for, and it's also the same password for a KeePass database file that we need to unlock and then perform a live response after. Even if anyone knew how you can input your password into an event log, that would also really help so we can backtrack to see about exporting it. Any information would be greatly appreciated, thanks!

  • `Get-WinEvent` will likely be helpful here, but this sounds like a straightforward threat hunting exercise and no one on StackOverflow can do the exercise for you - you just need to engage your intuition and your systems knowledge here. If you expect the event to be using a custom source, try grouping all the events based on source for example and see which ones are suspiciously rare. – Mathias R. Jessen Mar 15 '21 at 21:03
  • Thanks, I'll definitely try that. I'm not asking anyone to complete the exercise for me, just wanting to get a fresh pair of eyes on the problem to see if we overlooked something. Get-WinEvent has helped me in the past so I'll definitely resort to it this time around. Appreciate the response. – Pacman12312 Mar 15 '21 at 21:31
  • BTW It's unclear from your description whether the password was purposefully leaked into the log to emulate an _accident_ - if that's the case: Think about situations in which an admin could possibly come to leak their passwords into the log on accident - once you realize the 2 or 3 common activities during which this might happen, you can probably also figure out which events to look for :-) – Mathias R. Jessen Mar 15 '21 at 21:34
  • Well yeah, being it's an assignment he purposely leaked it into the event log. But we realized that the password was accidentally typed into the username field so under the Failed Login Attempt event we found the password after looking through the PowerShell with Get-WinEvent. Thanks for the help again! – Pacman12312 Mar 15 '21 at 21:41
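The pattern the thread ends on, a password typed into the user-name field and landing in a failed-logon event, is something a defender wants to find on purpose so the credential can be rotated. The following PowerShell is an added example, not code from the original post or its commenters: it reads 4625 events with `Get-WinEvent`, keeps only those where Windows reports the account does not exist (SubStatus 0xC0000064), and flags user-name values that look like secrets. The `-EvtxPath` parameter and the sample path are assumptions; run it elevated for the live Security log.

```powershell
# Added example (not from the original post). Finds failed logons (4625) whose
# "user name" is not a real account, the shape a leaked password takes when it
# is typed into the user-name box. SubStatus 0xC0000064 = user name does not exist.
# Assumes elevated rights for the live log, or an exported .evtx via -EvtxPath.
param(
    [string]$EvtxPath,          # e.g. 'C:\case\Security.evtx' (assumed path)
    [int]$MaxEvents = 20000
)

$filter = @{ Id = 4625 }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

# Read EventData fields from the XML payload rather than scraping Message text,
# which is locale-dependent and empty when the provider's manifest is missing.
function Get-EventDataFields {
    param($Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$findings = foreach ($e in $events) {
    $f = Get-EventDataFields -Event $e
    $name = $f['TargetUserName']
    # Only unknown accounts; a real account with a wrong password is ordinary noise.
    if (-not $name -or $f['SubStatus'] -ne '0xC0000064') { continue }
    # 8+ characters containing a digit or symbol looks more like a secret than a typo.
    if ($name.Length -ge 8 -and $name -match '[^A-Za-z]') {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            RecordId    = $e.RecordId
            LogonType   = $f['LogonType']
            Workstation = $f['WorkstationName']
            SourceIp    = $f['IpAddress']
            # Masked so the report itself does not re-leak the value; the RecordId
            # lets the account owner retrieve the full event and rotate the credential.
            Masked      = $name.Substring(0, 2) + ('*' * ($name.Length - 2))
        }
    }
}

$findings | Sort-Object TimeCreated | Format-Table -AutoSize
```

Once a hit is confirmed, the same event's `WorkstationName` and `IpAddress` fields tell you where the credential was typed, which bounds the rotation and the search for other logs that may hold it.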

0 Answers