User Hunt

PS > Find-DomainUserLocation -UserIdentity snovvcrash

Sessions Enum

Derivative Local Admins

3MB

Pen Testing Active Directory Environments (Varonis).pdf

pdf

Logon Events

Search for IPs from where the user of interest logged on to current machine (event 4624):

PS > Get-EventLog Security -InstanceId 4624 | ? {$_.Message.Contains("snovvcrash")} | select -First 10 | fl * | Out-File C:\Windows\Temp\user.dat
Or
Cmd > wmic ntevent where "LogFile='Security' and EventCode=4624 and Message like '%%snovvcrash%%'" get /format:list | findstr /c:"Source Network Address" | sort /unique
$ atexec.py 'wmic ntevent where "LogFile='"'"'Security'"'"' and EventCode=4624 and Message like '"'"'%%snovvcrash%%'"'"'" get /format:list | findstr /c:"Source Network Address" | sort /unique'

Connected USB Devices

List USB devices history using reg.py:

$ reg.py -k -no-pass PC01.megacorp.local query -keyName 'HKLM\SYSTEM\CurrentControlSet\Enum\USB'

List USB devices history using PowerShell:

PS > gwmi Win32_USBControllerDevice | %{[wmi]($_.Dependent)} | sort Manufacturer, Description, DeviceID | ft -GroupBy Manufacturer Description, Service, DeviceID

Hunt for connected USB device with a specific VID and PID using wmiquery.py:

$ cat usb.wmi
SELECT DeviceID, Name FROM Win32_USBHub
$ for comp in `cat comps.txt`; do KRB5CCNAME=tickets/"`echo $comp | cut -d'.' -f1`".ccache proxychains4 -q wmiquery.py -k -no-pass $comp -file usb.wmi | tee -a usb.txt; sleep 2; done
$ tail -f usb.txt | grep 'VID_0000&PID_1111'

Last updated 2 months ago