Please save the 4625 hacking event, which is causing a headache, as a
I am experiencing continuous hacking attempts on my computer's guest account by an unknown Windows hacker or virus. They are attempting to log on using logon type 3 (network), but I don't know what IP they have. Their traces are not being recorded in Event Viewer, so I tried creating and registering the following command to address the issue:
When the 4625 event occurs as an audit failure, please save it as a txt file on the D: drive.
I finally found out the command by asking ChatGPT and succeeded for the first time, so I'm sharing this tip with joy.
Code:
set CURRENT_USER=%USERNAME%
schtasks /create /sc ONEVENT /tn "Event viewer action" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"
However, unfortunately, I failed to display the event along with the time it occurred. I tried the following, but it didn't work:
If you have any better tips, please let me know. Thank you.
Code:
rem %date% and %time% are expanded when this line is entered at the prompt, so the task stores a fixed date string
schtasks /create /sc ONEVENT /tn "Event viewer action" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && echo %date% %time% >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"
To delete:
Code:
echo %date% %time% >> d:\txt2.txt
To delete the task:
Code:
schtasks /delete /tn "Event viewer action" /f
Oh! I've found a way! I've added the date and time.
Code:
set CURRENT_USER=%USERNAME%
schtasks /create /sc ONEVENT /tn "Event viewer action" /tr "%windir%\System32\cmd.exe /c netstat -anob >> d:\txt2.txt && date /t >> d:\txt2.txt && time /t >> d:\txt2.txt && exit" /rl HIGHEST /ru "%CURRENT_USER%" /f /ec Security /mo "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]"
I've found a way to get the date and time down to the second.
You have to register the two separately. It's a messy way, but it works:
Code:
for /f "delims=" %a in ('dir /a-d /b /o /s "%SystemRoot%\System32\WindowsPowerShell\powershell.exe"') do (schtasks /Create /SC ONEVENT /TN "Event viewer action2" /TR "\"%a\" -Command Add-Content -Path 'D:\txt2.txt' -Value (Get-Date)" /EC Security /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" /f)
Last edited by krdondon; 12 Jun 2023 at 18:21.
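The tasks above dump netstat output and a timestamp when a 4625 fires, but the 4625 event itself already records what the poster is looking for: the time, the target account, the logon type and the source address and port of the failed logon. The following PowerShell script is an added example and is not the original poster's code. It reads the most recent 4625 events from the Security log, pulls those fields out of the event's XML (the Message text is localised, the EventData fields are not) and appends one line per failure to the same D:\txt2.txt file used in the thread. The script path C:\Tools\Log-4625.ps1 and the task name "Log 4625" are made-up values for this example.

```powershell
# Added example, not from the original post: on each 4625 (logon failure)
# event, record the fields the event carries instead of a netstat snapshot.
# Assumptions: saved as C:\Tools\Log-4625.ps1 (made-up path); the log file
# D:\txt2.txt is the one used in the thread.
#
# Register it once from an elevated prompt (same ONEVENT trigger as the thread):
#   schtasks /Create /SC ONEVENT /EC Security /MO "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4625]]" /TN "Log 4625" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Tools\Log-4625.ps1" /RL HIGHEST /RU SYSTEM /F
# If the task never fires, confirm failure auditing for logons is enabled:
#   auditpol /get /subcategory:"Logon"
param(
    [string]$LogPath   = 'D:\txt2.txt',
    [int]   $MaxEvents = 5              # recent failures to record per trigger
)

# Names for the LogonType field of event 4625 (type 3 is what the thread observed)
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
# Common SubStatus codes that explain why the logon was rejected
$subStatus = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

# Reading the Security log requires an elevated context (hence /RU SYSTEM above)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                       -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read the named EventData fields from the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $lt     = [int]$data['LogonType']
    $sub    = "$($data['SubStatus'])".ToLower()
    $reason = if ($subStatus.ContainsKey($sub)) { $subStatus[$sub] } else { $data['SubStatus'] }

    $line = '{0:yyyy-MM-dd HH:mm:ss} user={1}\{2} logontype={3}({4}) src={5}:{6} workstation={7} reason={8}' -f @(
        $e.TimeCreated, $data['TargetDomainName'], $data['TargetUserName'],
        $lt, $logonTypes[$lt], $data['IpAddress'], $data['IpPort'],
        $data['WorkstationName'], $reason
    )
    Add-Content -Path $LogPath -Value $line
}
```

Each line then shows the event's own timestamp to the second, so no separate date/time task is needed. Note that IpAddress is "-" when the failure did not come over the network, which is why WorkstationName is logged alongside it; a steady stream of type 3 failures against one account with a wrong-password reason is the pattern to look for, and the source address in those lines is what a firewall rule or account lockout policy would act on.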