PowerShell - Grabbing user from security.evtx files


I'm not used to using PowerShell at all, but so far I have the following code to grab a 4625 event

Get-WinEvent -MaxEvents 1 -FilterHashtable @{Path="C:\Users\ScriptTesting\Desktop\Security.evtx";ProviderName="Microsoft-Windows-Security-Auditing";Id=4625} | Format-List -Property *

which gives me the output of

Message              : An account failed to log on.
                        Security ID:        x
                        Account Name:       x
                        Account Domain:     x
                        Logon ID:       0x3E7
                       Logon Type:          2
                       Account For Which Logon Failed:
                        Security ID:        x
                        Account Name:       ScriptTesting
                        Account Domain:     x
                       Failure Information:
                        Failure Reason:     Unknown user name or bad password.
                        Status:         0xC000006D
                        Sub Status:     0xC000006A
                       Process Information:
                        Caller Process ID:  0x21c
                        Caller Process Name:    C:\Windows\System32\svchost.exe
                       Network Information:
                        Workstation Name:   x
                        Source Network Address:
                        Source Port:        0
                       Detailed Authentication Information:
                        Logon Process:      User32 
                        Authentication Package: Negotiate
                        Transited Services: -
                        Package Name (NTLM only):   -
                        Key Length:     0
                       This event is generated when a logon request fails. It is generated on the computer where access was 
                       The Subject fields indicate the account on the local system which requested the logon. This is most 
                       commonly a service such as the Server service, or a local process such as Winlogon.exe or 
                       The Logon Type field indicates the kind of logon that was requested. The most common types are 2 
                       (interactive) and 3 (network).
                       The Process Information fields indicate which account and process on the system requested the logon.
                       The Network Information fields indicate where a remote logon request originated. Workstation name is 
                       not always available and may be left blank in some cases.
                       The authentication information fields provide detailed information about this specific logon request.
                        - Transited services indicate which intermediate services have participated in this logon request.
                        - Package name indicates which sub-protocol was used among the NTLM protocols.
                        - Key length indicates the length of the generated session key. This will be 0 if no session key 
                       was requested.
Id                   : 4625
Version              : 0
Qualifiers           : 
Level                : 0
Task                 : 12544
Opcode               : 0
Keywords             : -9218868437227405312
RecordId             : 24320
ProviderName         : Microsoft-Windows-Security-Auditing
ProviderId           : x
LogName              : Security
ProcessId            : 544
ThreadId             : 6744
MachineName          : x
UserId               : 
TimeCreated          : 3/4/2022 2:24:13 PM
ActivityId           : x
RelatedActivityId    : 
ContainerLog         : c:\users\scripttesting\desktop\security.evtx
MatchedQueryIds      : {}
Bookmark             : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName     : Information
OpcodeDisplayName    : Info
TaskDisplayName      : Logon
KeywordsDisplayNames : {Audit Failure}
Properties           : {System.Diagnostics.Eventing.Reader.EventProperty, System.Diagnostics.Eventing.Reader.EventProperty, 

My issue is I need the "ScriptTesting" from account name contained within the message part. I got

Get-EventLog -LogName Security -Newest 10 | Select @{Name="UserName";Expression={ $_.ReplacementStrings[1] }}

to grab the account name, but I can't seem to use a file for Get-EventLog, so what's the easiest way to grab that account name while stating a filepath to the evtx file? (I need to be able to pull it from the evtx file and not live from a machine due to a separate process.)

Thanks in advance!




I believe this should work, though there is probably a better way to do it. I added a TimeCreated property so at least you have some reference.

# Read every record from the saved .evtx (-Path, not -LogName), keep only 4625s, emit one object per failure
$events = Get-WinEvent -Path "C:\Users\ScriptTesting\Desktop\Security.evtx"
foreach($event in $events) {
    if($event.Id -ne 4625) { continue }
    [PSCustomObject]@{
        TimeCreated = $event.TimeCreated
        TargetUser  = $event.Properties[5].Value   # index 5 of the 4625 event data is TargetUserName
    }
}
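As an added example (not code from the question or the answer above), the same extraction done against the event's XML instead of positional Properties[] indexes, so each field is picked by its EventData name (TargetUserName, SubStatus, IpAddress and so on) and the script still reads correctly if the index order is ever in doubt. The function name Get-FailedLogon is an assumption for this example; the file path is the one from the question and should be replaced with your own.

```powershell
# Added example: read 4625 (failed logon) events from a saved .evtx and return
# the fields a reviewer usually wants, keyed by EventData name rather than index.
function Get-FailedLogon {
    param(
        [Parameter(Mandatory)] [string] $Path   # path to the exported Security.evtx
    )

    # FilterHashtable with Path reads the saved file rather than the live Security channel.
    # -ErrorAction SilentlyContinue suppresses the "No events were found" error for empty files.
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4625 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Convert the record to XML and turn <Data Name="...">value</Data> into a lookup table.
            [xml] $xml = $_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [PSCustomObject] @{
                TimeCreated   = $_.TimeCreated
                TargetUser    = $data['TargetUserName']    # same value as $_.Properties[5].Value
                TargetDomain  = $data['TargetDomainName']
                LogonType     = $data['LogonType']         # 2 = interactive, 3 = network, 10 = RDP
                SubStatus     = $data['SubStatus']         # 0xC000006A = wrong password, 0xC0000064 = no such user
                SourceAddress = $data['IpAddress']
                Workstation   = $data['WorkstationName']
            }
        }
}

# Usage: list every failed logon in the file, then count failures per target account,
# which makes a burst of failures against one name (or one per account) easy to spot.
$failed = Get-FailedLogon -Path 'C:\Users\ScriptTesting\Desktop\Security.evtx'
$failed | Format-Table -AutoSize

$failed |
    Group-Object TargetUser |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Using the XML names costs a little speed on large files, but it documents which field is being read and it extracts SubStatus and IpAddress without having to remember their positions in the Properties array.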