🆕 Dump Event Log Creds (4688)

Parses Windows Event ID 4688 and Sysmon Logs

Warning

You need at least local administrator privileges on the remote target.

This module parses the Windows Security log for Event ID 4688 (process creation) and the Sysmon log for Event ID 1 (process creation), and extracts credentials that were passed on the command line to cmd and PowerShell commands, e.g. "net user username password /add":

nxc smb <ip> -u <USERNAME> -p <PASSWORD> -M eventlog_creds
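The parsing the module performs, shown here as an added example that is not NetExec's own code: it reads 4688 and Sysmon 1 events rendered as XML and flags command lines that carry a plaintext secret, masking the secret so the output can be used to find and rotate exposed accounts. The event XML, the account and secret values, and the three command-line patterns are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Command-line shapes that carry a plaintext secret; each regex names a "secret" group
# and, where the syntax includes the account, a "user" group.
PATTERNS = {
    "net user /add": re.compile(
        r"net(?:1)?(?:\.exe)?\s+user\s+(?P<user>\S+)\s+(?P<secret>[^/\s]\S*)\s+/add", re.I),
    "net use /user:": re.compile(
        r"net(?:1)?(?:\.exe)?\s+use\s+\S+\s+(?P<secret>[^/\s]\S*)\s+/user:(?P<user>\S+)", re.I),
    "ConvertTo-SecureString -AsPlainText": re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?['\"]?(?P<secret>[^'\"\s]+)['\"]?\s+-AsPlainText", re.I),
}

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Windows event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return event_id, {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}

def find_credentials(xml_text):
    """Flag a process-creation event (Security 4688 or Sysmon 1) whose command line exposes a secret."""
    event_id, data = parse_event(xml_text)
    if event_id not in (4688, 1):
        return []
    # 4688 carries CommandLine only when "Include command line in process creation events" is enabled
    cmd = data.get("CommandLine", "")
    hits = []
    for label, pattern in PATTERNS.items():
        for m in pattern.finditer(cmd):
            hits.append({"event_id": event_id, "pattern": label,
                         "account": m.groupdict().get("user"),          # account the secret belongs to
                         "secret": "*" * len(m.group("secret")),        # masked: rotate it, don't log it
                         "run_by": data.get("SubjectUserName") or data.get("User")})
    return hits

# Constructed sample events (not real log data)
SAMPLE_4688 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4688</EventID></System>
<EventData><Data Name="SubjectUserName">helpdesk</Data>
<Data Name="CommandLine">net user svc_backup Summer2024! /add</Data></EventData></Event>"""
SAMPLE_SYSMON = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
<EventData><Data Name="User">CORP\\alice</Data>
<Data Name="CommandLine">powershell.exe -c "$p = ConvertTo-SecureString 'Hunter2' -AsPlainText -Force"</Data>
</EventData></Event>"""
# Same account created without a password on the command line: must not be flagged
SAMPLE_CLEAN = SAMPLE_4688.replace("net user svc_backup Summer2024! /add", "net user svc_backup /add")
```

A 4688 event with an empty CommandLine field means the command-line audit policy is off on that host, which is a coverage gap rather than evidence that nothing leaked.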
