PowerShell One-Liner of the Week
Get-EventLog Security -InstanceId 4688 -Message "*whoami*" | fl *
If you have Audit Process Creation turned on (event ID 4688) plus the "Include command line in process creation events" policy, the command above returns every 4688 event whose message text contains "whoami", which in practice means every time whoami is run on the box. Two caveats worth knowing: -Message is a wildcard match over the whole event text, so it also fires on the New Process Name field (whoami.exe) and on any other field that happens to contain the string, and it walks the entire Security log, so on a busy host narrow it with -After or -Newest. You can of course put whatever string you are hunting for between the quotes. Note that Get-EventLog only exists in Windows PowerShell 5.1 (it was dropped from PowerShell 6 and later), where Get-WinEvent with -FilterHashtable is the replacement. To scale the hunt out, run the same command on remote hosts with Invoke-Command.
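Here is a longer version of the same hunt, added as an example and not part of the original one-liner. It uses Get-WinEvent (so it works in both Windows PowerShell and PowerShell 7), matches only on the CommandLine field instead of the whole message, and is wrapped in a function so the same script block can be shipped to remote hosts with Invoke-Command. The function name, the 24-hour default window and the hostnames ws01/ws02 are placeholders I made up for the example.

```powershell
# Added example, not code from the original post.
# Hunt 4688 (process creation) events whose command line matches a pattern.
# Requires Audit Process Creation plus "Include command line in process creation events".
function Find-ProcessCreation {
    [CmdletBinding()]
    param(
        # Regex applied to the CommandLine field, e.g. 'whoami'
        [Parameter(Mandatory)][string]$Pattern,
        # Assumption: default to the last 24 hours so we don't walk the whole log
        [datetime]$StartTime = (Get-Date).AddDays(-1),
        # Upper bound on events read, as a safety valve on busy hosts
        [int]$MaxEvents = 5000
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $StartTime }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML and index EventData by field name, so we do not
            # depend on the positional order of $_.Properties, which differs between OS versions.
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

            # Match the command line only, not the whole rendered message
            if ($data['CommandLine'] -match $Pattern) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Computer    = $_.MachineName
                    User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    Process     = $data['NewProcessName']
                    # ParentProcessName is only present on Windows 10 / Server 2016 and later
                    Parent      = $data['ParentProcessName']
                    CommandLine = $data['CommandLine']
                }
            }
        }
}

# Local hunt
Find-ProcessCreation -Pattern 'whoami' | Format-Table Time, User, Parent, CommandLine -AutoSize

# Scale out: ship the function body as the script block and pass the pattern positionally.
# Assumption: ws01 and ws02 are placeholder hostnames reachable over WinRM.
$targets = 'ws01', 'ws02'
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Find-ProcessCreation} -ArgumentList 'whoami' |
    Sort-Object Time |
    Format-Table Time, PSComputerName, User, Parent, CommandLine -AutoSize
```

The parent process and user columns are usually what separate noise from signal: whoami spawned by cmd.exe under a service account or a web server identity is a very different finding from a help-desk operator typing it in an interactive session.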
If you have any requests for PowerShell hunting techniques please comment and let me know!