@nanoDBA
Created October 4, 2024 20:03
Gets 4648 Explicit Logon Events from Windows Event Log Author: Lee Christensen (@tifkin_)
function Get-ExplicitLogonEvents {
<#
.SYNOPSIS
Gets 4648 Explicit Logon Events from Windows Event Log
Author: Lee Christensen (@tifkin_)
# https://github.com/threatexpress/red-team-scripts/blob/3121db5d53a25d66afa01afb3bf0487d919d1846/HostEnum.ps1#L1552
#>
    [CmdletBinding()]
    Param(
        # Look back this many days; fractional values are accepted (e.g. 6.6)
        [float]
        $Days = 10
    )
    # Pull 4648 ("A logon was attempted using explicit credentials") from the Security log
    # and drop events whose target account is a machine account (name ends in '$').
    # The [string] cast keeps EndsWith() from failing when the property value is null.
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648; StartTime=(Get-Date).AddDays(-$Days)} |
        ?{ !([string]$_.Properties[5].Value).EndsWith('$') } |
        %{
            # Properties are positional; the indices below follow the 4648 EventData layout
            $Properties = $_.Properties
            New-Object PSObject -Property @{
                TimeCreated = $_.TimeCreated
                Message = $_.Message
                #SubjectUserSid = $Properties[0].Value.ToString()
                #SubjectUserName = $Properties[1].Value
                #SubjectDomainName = $Properties[2].Value
                #SubjectLogonId = $Properties[3].Value
                #LogonGuid = $Properties[4].Value.ToString()
                TargetUserName = $Properties[5].Value
                TargetDomainName = $Properties[6].Value
                #TargetLogonGuid = $Properties[7].Value
                TargetServerName = $Properties[8].Value
                #TargetInfo = $Properties[9].Value
                #ProcessId = $Properties[10].Value
                ProcessName = $Properties[11].Value
                IpAddress = $Properties[12].Value
                #IpPort = $Properties[13].Value
            }
        }
}
Get-ExplicitLogonEvents -Days 6.6 | Where {$_.TargetUserName -EQ 'rubble_barney' -AND $_.ProcessName -EQ 'C:\Windows\System32\svchost.exe' } | sort TimeCreated | ft -a
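Added here as an example, not part of the gist or of Lee Christensen's script: the same 4648 collection, but with each EventData field resolved by name from the event XML instead of by positional index (so a null SubjectUserSid or LogonGuid cannot break the pipeline), followed by a per-subject/target/server/process summary so explicit-credential use from processes outside a baseline stands out for review. The function name, the `$ExpectedProcess` baseline list and the `Unexpected` column are assumptions for illustration; reading the Security log needs the same rights as the original script.

```powershell
# Added example (not part of the gist): 4648 events by named EventData field, summarised.
function Get-ExplicitLogonSummary {
    [CmdletBinding()]
    Param(
        [float]$Days = 10,

        # Hypothetical baseline of processes expected to perform explicit logons.
        # Tune to the environment; anything else is flagged as Unexpected.
        [string[]]$ExpectedProcess = @(
            'C:\Windows\System32\svchost.exe',
            'C:\Windows\System32\lsass.exe'
        )
    )

    $filter  = @{ LogName = 'Security'; Id = 4648; StartTime = (Get-Date).AddDays(-$Days) }
    $records = foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Build a name -> value map from <EventData><Data Name="...">; [string] casts
        # turn empty or missing elements into '' instead of $null.
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = [string]$d.'#text'
        }

        # Skip machine-account targets, as the original script does
        if (([string]$data['TargetUserName']).EndsWith('$')) { continue }

        [PSCustomObject]@{
            TimeCreated      = $ev.TimeCreated
            SubjectUserName  = $data['SubjectUserName']
            TargetUserName   = $data['TargetUserName']
            TargetDomainName = $data['TargetDomainName']
            TargetServerName = $data['TargetServerName']
            ProcessName      = $data['ProcessName']
            IpAddress        = $data['IpAddress']
            Unexpected       = ($ExpectedProcess -notcontains $data['ProcessName'])
        }
    }

    # One row per (subject, target, server, process) with a count and first/last seen
    $records |
        Group-Object SubjectUserName, TargetUserName, TargetServerName, ProcessName |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            [PSCustomObject]@{
                Count            = $_.Count
                FirstSeen        = $sorted[0].TimeCreated
                LastSeen         = $sorted[-1].TimeCreated
                SubjectUserName  = $sorted[0].SubjectUserName
                TargetUserName   = $sorted[0].TargetUserName
                TargetServerName = $sorted[0].TargetServerName
                ProcessName      = $sorted[0].ProcessName
                Unexpected       = $sorted[0].Unexpected
            }
        } |
        Sort-Object Unexpected, Count -Descending
}

# Usage: list explicit logons from processes outside the baseline first, most frequent on top
Get-ExplicitLogonSummary -Days 6.6 | Where-Object Unexpected | Format-Table -AutoSize
```

Grouping on the subject account as well as the target is deliberate: the same target account reached from an unfamiliar subject or an unfamiliar process is the pattern worth reviewing, and the count plus FirstSeen/LastSeen separates a one-off from a recurring scheduled job.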
nanoDBA commented Oct 4, 2024

@tifkin_ , thank you for this!
I commented out some fields to run this on standalone servers
