.. / Get-WinEvent

Gets events from event logs and event tracing log files on local and remote computers

Functions:	Logs
Type:	Cmdlets
Toolsets:	Builtin

Logs

List all Kerberos authentication requests

Get-WinEvent -ComputerName DC1.ad.bitsadmin.com -FilterHashtable @{logname="Security";id=4768} | % { [PSCustomObject]@{TimeCreated=$_.TimeCreated; TargetUserName=$_.Properties[0].Value; TargetDomainName=$_.Properties[1].Value; TargetSid=$_.Properties[2].Value; ServiceName=$_.Properties[3].Value; ServiceSid=$_.Properties[4].Value; TicketOptions=$_.Properties[5].Value; Status=$_.Properties[6].Value; TicketEncryptionType=$_.Properties[7].Value; PreAuthType=$_.Properties[8].Value; IpAddress=$_.Properties[9].Value; IpPort=$_.Properties[10].Value; CertIssuerName=$_.Properties[11].Value; CertSerialNumber=$_.Properties[12].Value; CertThumbprint=$_.Properties[13].Value} }

Usecase
Identify which IPs logons of privileged users are originating from

Comments
PowerShell Module: Microsoft.PowerShell.Diagnostics

List logons on a system

Get-WinEvent -ComputerName W10.ad.bitsadmin.com -FilterHashtable @{logname="Security";id=4624} | % { [PSCustomObject]@{TimeCreated=$_.TimeCreated; SubjectUserSid=$_.Properties[0].Value; SubjectUserName=$_.Properties[1].Value; SubjectDomainName=$_.Properties[2].Value; SubjectLogonId=$_.Properties[3].Value; TargetUserSid=$_.Properties[4].Value; TargetUserName=$_.Properties[5].Value; TargetDomainName=$_.Properties[6].Value; TargetLogonId=$_.Properties[7].Value; LogonType=$_.Properties[8].Value; LogonProcessName=$_.Properties[9].Value; AuthenticationPackageName=$_.Properties[10].Value; WorkstationName=$_.Properties[11].Value; LogonGuid=$_.Properties[12].Value; TransmittedServices=$_.Properties[13].Value; LmPackageName=$_.Properties[14].Value; KeyLength=$_.Properties[15].Value; ProcessId=$_.Properties[16].Value; ProcessName=$_.Properties[17].Value; IpAddress=$_.Properties[18].Value; IpPort=$_.Properties[19].Value; ImpersonationLevel=$_.Properties[20].Value; RestrictedAdminMode=$_.Properties[21].Value; TargetOutboundUserName=$_.Properties[22].Value; TargetOutboundDomainName=$_.Properties[23].Value; VirtualAccount=$_.Properties[24].Value; TargetLinkedLogonId=$_.Properties[25].Value; ElevatedToken=$_.Properties[26].Value;} }

Usecase
Understand which accounts are used on a system

Comments
PowerShell Module: Microsoft.PowerShell.Diagnostics

Updated: 2023-07-01

Contributor: Arris Huijgen (bitsadmin)