# Locate where the account "snovvcrash" is logged on.
# Find-DomainUserLocation is a PowerView function and is not built into Windows.
# NOTE(review): it presumably queries many domain hosts for sessions and logged-on users,
# so it shows up as one source contacting a large number of machines in a short time - confirm.
PS > Find-DomainUserLocation -UserIdentity snovvcrash
# Read the local Security log for event 4624 (successful logon), keep the first 10 entries whose
# message contains the user name, and write every property to C:\Windows\Temp\user.dat.
# Reading the Security log needs administrative (or Event Log Readers) rights.
# The output file holds logon details (accounts, source addresses) and stays on disk until removed,
# so treat it as sensitive and as a forensic artifact.
PS > Get-EventLog Security -InstanceId 4624 | ? {$_.Message.Contains("snovvcrash")} | select -First 10 | fl * | Out-File C:\Windows\Temp\user.dat
Or, the same 4624 lookup with WMIC, reduced to the unique source addresses:
REM Query the Security log through WMI for EventCode 4624 entries whose message contains the user name.
REM findstr keeps only the "Source Network Address" lines and sort /unique removes duplicates,
REM so the output is the set of addresses the account logged on from.
REM NOTE(review): the doubled %% looks like batch-style escaping of the WQL LIKE wildcard;
REM confirm it is needed when typed at an interactive prompt.
REM wmic is deprecated on current Windows releases and may not be installed.
Cmd > wmic ntevent where "LogFile='Security' and EventCode=4624 and Message like '%%snovvcrash%%'" get /format:list | findstr /c:"Source Network Address" | sort /unique
# Same WMIC query, submitted remotely with Impacket atexec.py, which runs the command
# through a scheduled task on the target.
# The target and credential argument is not shown on this line; atexec.py needs one before the command.
# The quote, double-quote, quote runs are shell quoting: they close the single-quoted string,
# emit a literal single quote, and reopen it, so WMIC still receives its inner single quotes.
# NOTE(review): remote task creation should be visible in Task Scheduler logging and,
# where object-access auditing is enabled, as Security event 4698 - confirm for the target build.
$ atexec.py 'wmic ntevent where "LogFile='"'"'Security'"'"' and EventCode=4624 and Message like '"'"'%%snovvcrash%%'"'"'" get /format:list | findstr /c:"Source Network Address" | sort /unique'
# List the USB device history of PC01.megacorp.local over remote registry (Impacket reg.py).
# -k -no-pass authenticates with the Kerberos ticket cache named by KRB5CCNAME, not a password.
# HKLM\SYSTEM\CurrentControlSet\Enum\USB is where Windows records USB devices it has enumerated,
# keyed by VID/PID.
# NOTE(review): this depends on the Remote Registry service on the target; an unexpected start of
# that service on a workstation is a useful detection signal - confirm how reg.py handles a stopped service.
$ reg.py -k -no-pass PC01.megacorp.local query -keyName 'HKLM\SYSTEM\CurrentControlSet\Enum\USB'
# Local equivalent: enumerate Win32_USBControllerDevice associations, resolve each Dependent
# reference to the device object, sort, and print a table grouped by Manufacturer.
# gwmi is the Get-WmiObject alias; it exists in Windows PowerShell 5.1 but not in PowerShell 7,
# where Get-CimInstance is the replacement.
PS > gwmi Win32_USBControllerDevice | %{[wmi]($_.Dependent)} | sort Manufacturer, Description, DeviceID | ft -GroupBy Manufacturer Description, Service, DeviceID
# usb.wmi holds the WQL query that wmiquery.py runs on each host (the SELECT line is the file content).
$ cat usb.wmi
SELECT DeviceID, Name FROM Win32_USBHub
# For every host name in comps.txt: point KRB5CCNAME at tickets/SHORTNAME.ccache (the part of the
# name before the first dot), run the query through proxychains4 with Kerberos auth, append the
# output to usb.txt, then wait 2 seconds before the next host.
# The backtick substitution and the unquoted comp variable are word-split by the shell, so
# comps.txt must contain plain host names, one per line, with no spaces or glob characters.
# tee -a appends, so usb.txt accumulates results across runs, and the output does not label
# which host each result came from unless wmiquery.py prints it - TODO confirm.
# NOTE(review): on the network this is one source opening WMI (DCOM/RPC) sessions to many
# workstations in sequence, which is the pattern to look for when monitoring.
$ for comp in `cat comps.txt`; do KRB5CCNAME=tickets/"`echo $comp | cut -d'.' -f1`".ccache proxychains4 -q wmiquery.py -k -no-pass $comp -file usb.wmi | tee -a usb.txt; sleep 2; done
# Follow usb.txt while the loop runs (second terminal) and show only lines for one device ID.
# VID_0000&PID_1111 looks like a placeholder for the vendor and product ID being searched for.
$ tail -f usb.txt | grep 'VID_0000&PID_1111'