# Locating the hosts an account (here: snovvcrash) logs on to or from.
# Find-DomainUserLocation is a PowerView function; -UserIdentity names the account to look for.
PS > Find-DomainUserLocation -UserIdentity snovvcrash
# Read the Security log of the machine this runs on for event 4624 (successful logon),
# keep entries whose message contains the account name, take the first 10 and write
# every property of each to a file.
# Reading the Security log normally needs elevated rights, and the output file under
# C:\Windows\Temp stays on disk as an artifact.
PS > Get-EventLog Security -InstanceId 4624 | ? {$_.Message.Contains("snovvcrash")} | select -First 10 | fl * | Out-File C:\Windows\Temp\user.dat
Or
# Same 4624 / account-name filter through wmic, reduced to the unique
# "Source Network Address" lines, i.e. the addresses those logons came from.
# Results only reach back as far as the Security log's retention.
Cmd > wmic ntevent where "LogFile='Security' and EventCode=4624 and Message like '%%snovvcrash%%'" get /format:list | findstr /c:"Source Network Address" | sort /unique
# The same wmic pipeline handed as one argument to Impacket's atexec.py, which runs a
# command on a remote host through the Task Scheduler service.
# Each '"'"' run is POSIX-shell quoting that places a literal single quote inside the
# single-quoted argument.
# NOTE(review): no target or credentials appear on this line, so it is incomplete as shown.
# Detection: scheduled-task creation (event 4698) on the target is the usual trace of
# this execution path -- confirm the audit policy actually records it.
$ atexec.py 'wmic ntevent where "LogFile='"'"'Security'"'"' and EventCode=4624 and Message like '"'"'%%snovvcrash%%'"'"'" get /format:list | findstr /c:"Source Network Address" | sort /unique'
# Enumerating USB devices on remote hosts.
# reg.py with -k -no-pass authenticates with Kerberos from a ticket cache instead of a
# password and queries the Enum\USB key on PC01.megacorp.local; that key has a subkey
# per USB device ID (VID_xxxx&PID_xxxx) the host has enumerated.
# Depends on remote registry access being reachable on the target.
$ reg.py -k -no-pass PC01.megacorp.local query -keyName 'HKLM\SYSTEM\CurrentControlSet\Enum\USB'
# query.wmi holds the single WQL statement printed below: device ID and name of every
# Win32_USBHub instance.
$ cat query.wmi
select DeviceID, Name from Win32_USBHub
# For each host in comps.txt: point KRB5CCNAME at tickets/<first DNS label>.ccache, run
# the query file with wmiquery.py (Kerberos, no password) through proxychains4 (-q
# suppresses its own output), append the result to usb.txt, then pause 2 seconds.
# A ticket cache must already exist for every host under tickets/.
# NOTE(review): the backticks and the unquoted $comp rely on word splitting; that works
# for one plain hostname per line, but `while IFS= read -r comp; do ...; done < comps.txt`
# with "$comp" quoted is the robust form.
# Each iteration is a separate authenticated WMI session from the same source, so the
# sweep is visible as a sequence of network logons across the listed hosts.
$ for comp in `cat comps.txt`; do KRB5CCNAME=tickets/"`echo $comp | cut -d'.' -f1`".ccache proxychains4 -q wmiquery.py -k -no-pass $comp -file query.wmi | tee -a usb.txt; sleep 2; done
# Follow usb.txt as it grows and show only lines for one vendor/product ID pair;
# VID_0000&PID_1111 looks like a placeholder for the device of interest.
$ tail -f usb.txt | grep 'VID_0000&PID_1111'