🆕 Dump Event Log Creds (4688)
Parses Windows Event ID 4688 and Sysmon Logs
You need at least local admin privileges on the remote target.
This module parses the Windows Security log for Event ID 4688 (process creation) and the Sysmon log for Event ID 1 (process creation) and extracts credentials that were passed on the command line to CMD or PowerShell, e.g. "net user username password /add":
nxc smb <ip> -u username -p password -M eventlog_creds
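The same parsing can be run by a defender against exported events to find where credentials have leaked into process-creation logs before an attacker with admin rights does. The following Python script is an added example, not the module's own code: it reads Windows event XML records (the Security 4688 and Sysmon 1 shapes), pulls the CommandLine field, and matches a small, assumed set of command-line patterns that carry a clear-text password (net user /add, net use /user:, ConvertTo-SecureString -AsPlainText). The sample events are constructed here and are not captured log data.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Windows event XML namespace, shared by the Security log and Sysmon.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Only process-creation events are interesting: Security 4688 and Sysmon 1.
WANTED = {("Microsoft-Windows-Security-Auditing", "4688"), ("Microsoft-Windows-Sysmon", "1")}

# Command-line shapes that carry a clear-text credential. This list is an assumption
# for the example; it is not the module's own pattern set.
CREDENTIAL_PATTERNS = [
    ("net user /add",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?P<user>[^/\s]\S*)\s+(?P<password>[^/\s]\S*)\s+/add\b", re.I)),
    ("net use /user:",
     re.compile(r"\bnet(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<password>[^/\s]\S*)", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?['\"]?(?P<password>[^'\"\s]+)['\"]?(?=.*-AsPlainText)", re.I)),
]


@dataclass
class Finding:
    event_id: str
    computer: str
    actor: str            # account that launched the process
    username: Optional[str]
    password: str
    pattern: str


def build_event(provider: str, event_id: str, computer: str, fields: dict) -> str:
    """Build a minimal Windows event XML record (constructed test data, not a captured log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample: two Security 4688 records and two Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    build_event("Microsoft-Windows-Security-Auditing", "4688", "WS01.corp.example",
                {"SubjectUserName": "helpdesk", "NewProcessName": r"C:\Windows\System32\net.exe",
                 "CommandLine": "net user svc_backup Summer2024! /add"}),
    build_event("Microsoft-Windows-Sysmon", "1", "WS02.corp.example",
                {"User": r"CORP\alice", "Image": r"C:\Windows\System32\net.exe",
                 "CommandLine": r"net use Z: \\fs01\share /user:CORP\alice P@ssw0rd"}),
    build_event("Microsoft-Windows-Security-Auditing", "4688", "WS01.corp.example",
                {"SubjectUserName": "helpdesk", "NewProcessName": r"C:\Windows\System32\net.exe",
                 "CommandLine": "net user bob /add"}),  # no password on the command line
    build_event("Microsoft-Windows-Sysmon", "1", "SRV01.corp.example",
                {"User": r"CORP\svc_deploy", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "CommandLine": "powershell.exe -Command \"$p = ConvertTo-SecureString 'Winter!2024' -AsPlainText -Force\""}),
]


def parse_event(xml_text: str):
    """Return (provider, event_id, computer, {Data Name: value}) for one event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = system.find("e:EventID", NS).text.strip()
    computer = system.find("e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return provider, event_id, computer, data


def extract_credentials(xml_records) -> list:
    """Scan process-creation events and return every command line that exposes a credential."""
    findings = []
    for record in xml_records:
        provider, event_id, computer, data = parse_event(record)
        if (provider, event_id) not in WANTED:
            continue
        cmdline = data.get("CommandLine", "")
        actor = data.get("SubjectUserName") or data.get("User") or "?"
        for label, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(cmdline)
            if match:
                groups = match.groupdict()
                findings.append(Finding(event_id, computer, actor, groups.get("user"), groups["password"], label))
    return findings


def redact(secret: str) -> str:
    """Keep the first character so a finding can be recognised without reprinting the secret."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


if __name__ == "__main__":
    for f in extract_credentials(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.computer} actor={f.actor} pattern={f.pattern} "
              f"user={f.username} password={redact(f.password)}")
```

Findings are printed with the password redacted, since the point of the audit is to locate and rotate exposed credentials, not to copy them into another log. The third sample event (`net user bob /add`, no password) is included to show the net user pattern does not fire on an account creation without a password argument.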