Tags: security, powershell, event-log

Powershell - Query event 4688 for command line text


Regarding PowerShell and Event 4688, where it's now possible to log text entered into a Windows command line.

Is there a way to use the PowerShell Get-WinEvent -FilterHashtable to show me what was entered in 'Process Command Line' of the event logs? This would be the actual text someone entered into the command line.


Solution

  • You can access the properties in an event message using Properties, but you need to use a sample event so you can compare the message and the Properties array to find out which index is the right field. I think it is the 9th (index 8), but you should verify.

    List properties (values in message):

    (Get-WinEvent -FilterHashtable @{
        LogName = 'Security'
        ID = 4688
    } -MaxEvents 1).Properties
    
    Value                          
    -----                          
    S-1-5-18                       
    -                              
    -                              
    999                            
    920                            
    C:\Windows\System32\lsass.exe  
    %%1936                         
    784                            
               #I believe this is CommandLine                       
    S-1-0-0                        
    -                              
    -                              
    0                              
    C:\Windows\System32\wininit.exe
    S-1-16-16384
    

    Using Select-Object, you can create your own object to extract ex. the TimeCreated and the CommandLine (using custom/calculated properties):

    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'
        ID = 4688
    } | Select-Object TimeCreated,
        @{name='NewProcessName'; expression={ $_.Properties[5].Value }},
        @{name='CommandLine';    expression={ $_.Properties[8].Value }}
    
    #I didn't have any values in my events
    
    TimeCreated         NewProcessName                   CommandLine
    -----------         --------------                   -----------
    09.04.2016 00:56:04 C:\Windows\System32\lsass.exe               
    09.04.2016 00:56:04 C:\Windows\System32\services.exe            
    09.04.2016 00:56:04 C:\Windows\System32\winlogon.exe            
    09.04.2016 00:56:04 C:\Windows\System32\wininit.exe             
    09.04.2016 00:56:04 C:\Windows\System32\csrss.exe            
    

    You could also use XML to access the properties, but this would be more useful if you were listing different event IDs (where the order in the Properties array would be different). E.g.:

    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'
        ID = 4688
    } | Select-Object TimeCreated,
        @{name='CommandLine'; expression={
            (([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        }}
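
The following is an added example, not part of the answer above. It takes the XML approach one step further: every EventData field is read by name into a hashtable (so the index never matters), events whose CommandLine is empty or "-" are dropped, and the registry value that controls whether the field is populated at all (ProcessCreationIncludeCmdLine_Enabled, the "Include command line in process creation events" policy) is checked first, because that is the usual reason the column comes back blank. The sample 4688 XML embedded in the block is constructed for the offline demonstration, and the field names assumed for the live query (SubjectUserName, SubjectDomainName, NewProcessName, CommandLine, ParentProcessName) are the standard 4688 EventData names; ParentProcessName only exists on newer Windows builds and simply comes back $null elsewhere. The Get-ProcessCommandLine helper is named here for illustration and must run from an elevated prompt, since reading the Security log needs admin rights.

```powershell
# Added example (not from the original answer). Extract the 4688 CommandLine
# field by name from the event XML, and check the policy that controls it.

# The "Include command line in process creation events" policy writes this
# registry value; without it the CommandLine field of 4688 is empty.
# (Assumption: the standard Windows location for that policy.)
function Test-CommandLineAuditing {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $item = Get-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' `
                             -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

# Convert one event's XML into a hashtable keyed by the Data element's Name
# attribute, so callers never depend on the position in Properties.
function ConvertFrom-EventDataXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

# Query 4688 and project the interesting fields by name. Events whose
# CommandLine is empty or '-' are dropped; an optional regex narrows the rest.
function Get-ProcessCommandLine {
    param(
        [int]$MaxEvents = 200,
        [string]$Pattern          # e.g. '-EncodedCommand|-enc ' (illustrative)
    )
    # Get-WinEvent writes a non-terminating error when nothing matches, so
    # suppress it and just return no objects in that case.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventDataXml -Xml $_.ToXml()
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                SubjectUser    = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
                ParentProcess  = $f['ParentProcessName']   # $null on older builds
                NewProcessName = $f['NewProcessName']
                CommandLine    = $f['CommandLine']
            }
        } |
        Where-Object { $_.CommandLine -and $_.CommandLine -ne '-' } |
        Where-Object { -not $Pattern -or $_.CommandLine -match $Pattern }
}

# --- Offline demonstration on a constructed 4688 event (not real log data) ---
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="NewProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -NoProfile -EncodedCommand SQBFAFgA</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\cmd.exe</Data>
  </EventData>
</Event>
'@

$fields = ConvertFrom-EventDataXml -Xml $sampleXml
"{0} -> {1}" -f $fields['NewProcessName'], $fields['CommandLine']

# --- Live query (elevated prompt required to read the Security log) ---
if (-not (Test-CommandLineAuditing)) {
    Write-Warning 'ProcessCreationIncludeCmdLine_Enabled is not 1; CommandLine will be blank.'
}
Get-ProcessCommandLine -MaxEvents 500 -Pattern '-EncodedCommand|-enc ' |
    Format-Table TimeCreated, SubjectUser, ParentProcess, CommandLine -AutoSize -Wrap
```

Enabling the registry value alone is not enough: the Audit Process Creation subcategory (auditpol /set /subcategory:"Process Creation" /success:enable) must also be on, or no 4688 events are written in the first place. Reading fields by name costs a ToXml() call per event, so for large pulls keep -MaxEvents or a StartTime in the filter hashtable rather than parsing the whole log.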