🆕 Dump Event Log Creds (4688)

Parses Windows Event ID 4688 and Sysmon Logs

{% hint style="warning" %}
You need at least local admin privilege on the remote target
{% endhint %}

This module parses the Windows Security log for Event ID 4688 (process creation), as well as Sysmon logs for Event ID 1, to extract credentials that were passed on the command line to CMD or PowerShell, e.g. `net user username password /add`:

```bash
nxc smb <ip> -u <username> -p <password> -M eventlog_creds
```
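The detection logic the module relies on, shown here as an added example that is not NetExec's own code: a small Python scanner that takes exported event XML (the Security 4688 and Sysmon Event ID 1 records) and flags process-creation events whose command line carries a cleartext password. It goes a little beyond the `net user ... /add` case in the text and also matches `net use ... /user:` and PowerShell `ConvertTo-SecureString ... -AsPlainText`; those extra patterns, the `mask()` helper and the sample events are assumptions and constructed data, not the module's patterns or real logs. One caveat worth knowing as a defender: 4688 events only contain the `CommandLine` field when the "Include command line in process creation events" audit policy is enabled, so the scanner skips records without it rather than treating them as clean.

```python
"""Scan Windows process-creation events (Security 4688, Sysmon Event ID 1)
for credentials passed on the command line.  Added example, not NetExec code."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Command shapes that carry a cleartext password.  Assumed patterns (not the
# module's own); each yields a 'password' group and usually a 'user' group.
PATTERNS = [
    ("net user", re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+(?P<user>[^\s/]+)\s+(?P<password>[^\s/*]\S*)", re.I)),
    ("net use", re.compile(
        r"\bnet1?(?:\.exe)?\s+use\b.*?/user:(?P<user>\S+)\s+(?P<password>[^\s/]\S*)", re.I)),
    ("ConvertTo-SecureString", re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?[\"']?(?P<password>[^\"'\s]+)[\"']?"
        r"\s+-AsPlainText", re.I)),
]


def parse_event(xml_text):
    """Flatten one exported event into a dict of the fields we need."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "computer": system.findtext("e:Computer", namespaces=NS),
        # 4688 uses SubjectUserName, Sysmon uses User
        "subject": data.get("SubjectUserName") or data.get("User", ""),
        "command_line": data.get("CommandLine", ""),
    }


def is_process_creation(ev):
    """Security 4688 or Sysmon 1; every other event is ignored."""
    return ((ev["provider"] == "Microsoft-Windows-Security-Auditing" and ev["event_id"] == 4688)
            or (ev["provider"] == "Microsoft-Windows-Sysmon" and ev["event_id"] == 1))


def find_credentials(events_xml):
    """Return one finding per event whose command line matches a password pattern."""
    findings = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        if not is_process_creation(ev):
            continue
        cmd = ev["command_line"]
        if not cmd:  # 4688 has no CommandLine unless the audit policy includes it
            continue
        for label, pattern in PATTERNS:
            m = pattern.search(cmd)
            if m:
                findings.append({
                    "source": f"{'Sysmon 1' if ev['event_id'] == 1 else 'Security 4688'}",
                    "record_id": ev["record_id"],
                    "computer": ev["computer"],
                    "run_by": ev["subject"],
                    "shape": label,
                    "account": m.groupdict().get("user", ""),
                    "password": m.group("password"),
                })
                break
    return findings


def mask(secret):
    """Keep only the first character so a report does not re-leak the password."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


# Constructed sample events (not real logs): one 4688 with a password, one 4688
# that only queries an account, one Sysmon 1 with a PowerShell secret, one 4688
# logged without a command line, and an unrelated 4624 logon event.
SAMPLE_EVENTS = [
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
<EventRecordID>10231</EventRecordID><Computer>WS01.corp.example</Computer></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="NewProcessName">C:\Windows\System32\net.exe</Data>
<Data Name="CommandLine">net user svc_backup P@ssw0rd123 /add</Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
<EventRecordID>10232</EventRecordID><Computer>WS01.corp.example</Computer></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="CommandLine">net user jdoe /domain</Data>
</EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
<EventRecordID>5577</EventRecordID><Computer>WS01.corp.example</Computer></System><EventData>
<Data Name="User">CORP\jdoe</Data><Data Name="CommandLine">powershell.exe -Command "$s = ConvertTo-SecureString 'Summer2024!' -AsPlainText -Force"</Data>
</EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID>
<EventRecordID>10233</EventRecordID><Computer>WS02.corp.example</Computer></System><EventData>
<Data Name="SubjectUserName">jdoe</Data><Data Name="CommandLine"></Data></EventData></Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
<EventRecordID>10234</EventRecordID><Computer>WS02.corp.example</Computer></System><EventData>
<Data Name="SubjectUserName">jdoe</Data></EventData></Event>""",
]

if __name__ == "__main__":
    for f in find_credentials(SAMPLE_EVENTS):
        print(f"[{f['source']} #{f['record_id']}] {f['computer']} run_by={f['run_by']} "
              f"shape={f['shape']} account={f['account'] or '-'} password={mask(f['password'])}")
```

Run against real exports (for example `wevtutil qe Security /f:xml`), any finding means the credential is already in a log that every reader of that channel can see, so the right response is to rotate the account and fix the process that put the password on the command line, not just to delete the event.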