Reading protected eventlogs

I’ve been working with many certificates (their private key) used to decrypt back the protected eventlogs (encrypted initially with their public key).

The good news is, you can add as many private keys as you want, they’ll be all be used along to decrypt protected messages. Microsoft did a pretty good job on the Unprotect-CmsMessage cmdlet.

Lee Holmes originally presented in the PowerShell ♥ the Blue Team post how to post-process the content of protected event log messages using the following command:

Get-WinEvent Microsoft-Windows-PowerShell/Operational |
Where-Object Id -eq 4104 | Unprotect-CmsMessage 

Get-WinEvent is a very powerful cmdlet but it doesn’t know of protected messages natively.
No problem, here’s the way to extend its ability to recognize and decrypt protected messages 😀

First, I import the private keys into my Personal store like this

if (Test-Path -Path "$($HOME)\privatekey_*.pfx" -PathType Leaf) {
    Get-ChildItem -Path "$($HOME)\privatekey_*.pfx" | ForEach-Object {
        Import-PfxCertificate -FilePath "$($_.FullName)" -CertStoreLocation Cert:\currentuser\My -Password (ConvertTo-SecureString -AsPlainText '12345678' -Force)

The 2nd step consists in adding the isProtected and UnprotectedMessage properties on the fly and pass it to Out-GridView cmdlet at the end:

Get-WinEvent -FilterHashtable @{
LogName = 'Microsoft-Windows-PowerShell/Operational' ; Id = 4104
} | ForEach-Object {
if (([xml]$_.toXML()).Event.EventData.Data.InnerXml -match '^-----BEGIN CMS-----') {
$_ |
Add-Member -MemberType NoteProperty -Name isProtected -Value $true -PassThru |
Add-Member -MemberType ScriptProperty -Name UnprotectedMessage -Value {
try {
$this.Message | Unprotect-CmsMessage -ErrorAction Stop
} catch {
} -PassThru
} else {
$_ |
Add-Member -MemberType NoteProperty -Name isProtected -Value $false -PassThru |
Add-Member -MemberType ScriptProperty -Name UnprotectedMessage -Value {
} -PassThru
} |
Select Message,TimeCreated,isProtected,UnprotectedMessage |

Everything looks normal…

Until,… Notice the second event, it’s encrypted, but I don’t have the private key loaded in my store to decrypt it. Its UnprotectedMessage property is empty.
That doesn’t sound good 😉

3 thoughts on “Reading protected eventlogs

  1. Pingback: Dew Drop - August 5, 2016 (#2303) - Morning Dew

  2. Pingback: Encrypt event logs and files with PowerShell and group policies – 4sysops

  3. Pingback: Шифрование журналов событий и файлов с помощью PowerShell и групповых политик - Pagb

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.