Help with Get-WinEvent cmd to find when the \\*\PRINT share was accessed using a folder of logs

After 4 hours of trying, it finally worked with one of these two command lines:

Get-WinEvent -Path 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement\*.evtx' | Where-Object { $_.Properties.Value -like '\\*\PRINT' } | Format-List

OR

Get-WinEvent -Path 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement\*.evtx' | Where-Object { $_.Properties.Value -like '\\*\PRINT' } | Format-Table

I don't know why this did not work for me; in the end I just opened all the logs that seemed like they could be it.

ID 5142,

I used this command:

Get-WinEvent -Path 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement\*.evtx' |
Where-Object { $_.Properties.Value -like '\\*\PRINT' } |
Format-Table TimeCreated, Id, ProviderName, Message -AutoSize

You will see that a network share object was added…

The answer is 1x:x0:x0.

You can run this command and you will get the answer:

Get-ChildItem -Path 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement' | ForEach-Object {
    $logFile = $_.FullName
    Get-WinEvent -Path $logFile | Where-Object { $_.Properties.Value -like '\\*\PRINT' } | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
}

When forcing ChatGPT to use Get-WinEvent I got this and it worked:
Get-WinEvent -Path (Get-Item 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement\*.evtx').FullName | Where-Object { $_.Message -like '*\\*\PRINT*' } | Format-Table TimeCreated, Id, Message
And using Get-ChildItem this worked:
Get-ChildItem 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement' -Filter *.evtx | ForEach-Object { Get-WinEvent -Path $_.FullName | Where-Object { $_.Message -like '*\\*\PRINT*' } } | Format-Table TimeCreated, Id, Message


Added where? When I run the previously mentioned command I get nothing in the PowerShell window… :frowning:

PS C:\Tools\GhostPack Compiled Binaries>$SearchString="\\*\PRINT"

PS C:\Tools\GhostPack Compiled Binaries> Get-WinEvent -Path 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement\*.evtx' | Where-Object{$_.Message -like "*$SearchString*"}

Hi Alharbi1980,

Hate to say it, but in my case none of the tips/ideas/etc. posted on this subject worked for me; none of the commands listed here worked.
They run, no errors, just an empty prompt, no output, as if it ran successfully but there was no data to output!!!
I even opened every .evtx file inside C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement and did a search for \\PRINT, and no luck, no results!!

Anyway, thank you everyone for the posts!!!

Cheers,

Use this query to solve the task:

Get-WinEvent -Path 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement\*.evtx' | Where-Object { $_.Properties.Value -like '\\*\PRINT' } | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

A fairly easy task; make sure you read everything.
Command: Get-WinEvent -Path 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement\*.evtx' | Where-Object { $_.Message -like '*\Print*' } | Select-Object TimeCreated, Message | Format-Table -AutoSize

  • Asterisks exist on both sides of \Print

Asterisks were lost after posting, correct syntax:

Get-WinEvent -Path 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement\*.evtx' | Where-Object{$_.Message -like "*\Print*"}|Select-Object TimeCreated,Message|Format-Table -AutoSize

Just my own little tip. Using PowerShell ISE to generate my commands helped immensely because I could build onto the command by piping after I understood it worked and what it was doing. Also, understanding that the new network share Event ID is 5142. So you structure the command to target all the evtx files in the directory by using the "Path" switch and a wildcard. Running this will output every event from all of the logs, which is too much information. If you follow the module and pipe the command to Where-Object you can target the "Id" field and isolate on Event ID 5142.

Get-WinEvent -Path 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement\*.evtx' | Where-Object { $_.Id -eq 5142 }

Note: the forum stripped the backslash between Lateral Movement and the wildcard when this was first posted; it belongs there, as shown above.
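Putting the thread's pieces together, here is an added example (my own, not any poster's code): it filters on Id 5142 inside the engine, reads the ShareName field from the event XML instead of guessing a Properties[] index, compares it literally so the * in \\*\PRINT is not treated as a wildcard, and prints an explicit message when nothing matches, which is the silent-empty-output symptom several replies describe. The folder path is the one used throughout the thread; $logDir and $shareName are just variable names chosen here.

```powershell
# Added example: find 5142 "A network share object was added" events for the
# share \\*\PRINT across every .evtx in a folder, and say so if nothing matches.
$logDir    = 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement'   # path from the thread
$shareName = '\\*\PRINT'                                                 # literal share name

# Single quotes keep backslashes and asterisks exactly as typed.
$files = Get-ChildItem -Path $logDir -Filter '*.evtx' -File
if (-not $files) { Write-Warning "No .evtx files found under $logDir"; return }

$hits = foreach ($f in $files) {
    # -FilterHashtable lets the event log engine drop everything but Id 5142 up front;
    # -ErrorAction SilentlyContinue hides the "No events were found" error for files with none.
    $events = Get-WinEvent -FilterHashtable @{ Path = $f.FullName; Id = 5142 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the XML rather than relying on Properties[] order.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # -eq is a literal comparison; -like would treat the * in \\*\PRINT as a wildcard.
        if ($data['ShareName'] -eq $shareName) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                LogFile     = $f.Name
                Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ShareName   = $data['ShareName']
                LocalPath   = $data['ShareLocalPath']
            }
        }
    }
}

if ($hits) { $hits | Sort-Object TimeCreated | Format-Table -AutoSize }
else { Write-Host "No 5142 events with ShareName $shareName in $($files.Count) file(s)." }
```

The TimeCreated of the matching row is the timestamp the task asks for; if the script reports zero matches, the files are present but the share name in them differs from what you searched, which is worth checking before assuming the query is wrong.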