mirror of
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
synced 2025-12-15 12:59:02 +00:00
fb17429f67
- added new event checks - Explicit Logon Events, Logon Events, PowerShell Events, Process Creation Events - added PrintSecurityPackagesCredentials check - added Windows Defender enumeration
39 lines
1.4 KiB
C#
39 lines
1.4 KiB
C#
using System.Collections.Generic;
|
|
using winPEAS.Helpers;
|
|
using winPEAS.Info.EventsInfo.PowerShell;
|
|
|
|
namespace winPEAS.Info.EventsInfo.ProcessCreation
|
|
{
|
|
internal class ProcessCreation
|
|
{
|
|
public static IEnumerable<ProcessCreationEventInfo> GetProcessCreationEventInfos()
|
|
{
|
|
// Get our "sensitive" cmdline regexes from a common helper function.
|
|
var processCmdLineRegex = Common.GetInterestingProcessArgsRegex();
|
|
|
|
var query = $"*[System/EventID=4688]";
|
|
var logReader = MyUtils.GetEventLogReader("Security", query);
|
|
|
|
for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
|
|
{
|
|
var user = eventDetail.Properties[1].Value.ToString().Trim();
|
|
var commandLine = eventDetail.Properties[8].Value.ToString().Trim();
|
|
|
|
foreach (var reg in processCmdLineRegex)
|
|
{
|
|
var m = reg.Match(commandLine);
|
|
if (m.Success)
|
|
{
|
|
yield return new ProcessCreationEventInfo(
|
|
eventDetail.TimeCreated?.ToUniversalTime(),
|
|
eventDetail.Id,
|
|
user,
|
|
commandLine
|
|
);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|