User Hunt

PS > Find-DomainUserLocation -UserIdentity snovvcrash

Sessions Enum

Derivative Local Admins

3MB

Pen Testing Active Directory Environments (Varonis).pdf

PDF

Open

Logon Events

Search for IPs from where the user of interest logged on to current machine (event 4624):

PS > Get-EventLog Security -InstanceId 4624 | ? {$_.Message.Contains("snovvcrash")} | select -First 10 | fl * | Out-File C:\Windows\Temp\user.dat
Or
Cmd > wmic ntevent where "LogFile='Security' and EventCode=4624 and Message like '%%snovvcrash%%'" get /format:list | findstr /c:"Source Network Address" | sort /unique
$ atexec.py 'wmic ntevent where "LogFile='"'"'Security'"'"' and EventCode=4624 and Message like '"'"'%%snovvcrash%%'"'"'" get /format:list | findstr /c:"Source Network Address" | sort /unique'

chainsaw

https://github.com/WithSecureLabs/chainsaw

Cmd > chainsaw.exe search -i j.doe C:\Windows\System32\winevt\Logs\Security.evtx --json -o events.json

Connected USB Devices

List USB devices history using reg.py:

$ reg.py -k -no-pass PC01.megacorp.local query -keyName 'HKLM\SYSTEM\CurrentControlSet\Enum\USB'

List USB devices history using PowerShell:

PS > gwmi Win32_USBControllerDevice | %{[wmi]($_.Dependent)} | sort Manufacturer, Description, DeviceID | ft -GroupBy Manufacturer Description, Service, DeviceID

Hunt for connected USB device with a specific VID and PID using wmiquery.py:

$ cat usb.wmi
SELECT DeviceID, Name FROM Win32_USBHub
$ for comp in `cat comps.txt`; do KRB5CCNAME=tickets/"`echo $comp | cut -d'.' -f1`".ccache proxychains4 -q wmiquery.py -k -no-pass $comp -file usb.wmi | tee -a usb.txt; sleep 2; done
$ tail -f usb.txt | grep 'VID_0000&PID_1111'

Last updated 29 days ago

hashtagSessions Enum

hashtagDerivative Local Admins

hashtagLogon Events

hashtagchainsaw

hashtagConnected USB Devices

Sessions Enum

Derivative Local Admins

Logon Events

chainsaw

Connected USB Devices