User Hunt
PS > Find-DomainUserLocation -UserIdentity snovvcrash
Sessions Enum
Derivative Local Admins
Logon Events
Search for the IP addresses from which the user of interest logged on to the current machine (event ID 4624):
PS > Get-EventLog Security -InstanceId 4624 | ? {$_.Message.Contains("snovvcrash")} | select -First 10 | fl * | Out-File C:\Windows\Temp\user.dat
Or
Cmd > wmic ntevent where "LogFile='Security' and EventCode=4624 and Message like '%%snovvcrash%%'" get /format:list | findstr /c:"Source Network Address" | sort /unique
$ atexec.py 'wmic ntevent where "LogFile='"'"'Security'"'"' and EventCode=4624 and Message like '"'"'%%snovvcrash%%'"'"'" get /format:list | findstr /c:"Source Network Address" | sort /unique'
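As an added illustration (not part of the original notes), the Python below does in code what the PowerShell and wmic pipelines above do with Message.Contains / findstr, and shows why a plain substring match over-reports: a 4624 message carries two Account Name fields (Subject and New Logon), so matching on the whole message also returns logons the user initiated for another account. The sample messages are constructed in the standard 4624 layout; the helper names and the decision to drop "-" and loopback source addresses are this example's own.

```python
import re
from collections import defaultdict

# Matches one "Key:<tabs>value" line of a 4624 message; group 1 tells us whether
# the line is indented (a field inside a section such as "New Logon:").
FIELD_RE = re.compile(r"^(\s*)([^:\t]+?):\s*(.*?)\s*$")


def parse_4624(message):
    """Flatten a 4624 message body into {"Section/Key": value}; top-level keys stay unprefixed."""
    fields, section = {}, None
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # banner line, blank line or free text
        indent, key, value = m.groups()
        if not indent and value == "":
            section = key  # "Subject", "New Logon", "Network Information", ...
            continue
        fields[f"{section}/{key}" if indent and section else key] = value
    return fields


def logon_sources(messages, user):
    """Source address -> sorted logon types for logons *as* `user` (New Logon section only)."""
    seen = defaultdict(set)
    for msg in messages:
        f = parse_4624(msg)
        if f.get("New Logon/Account Name", "").lower() != user.lower():
            continue
        addr = f.get("Network Information/Source Network Address", "-")
        if addr in ("-", "", "127.0.0.1", "::1"):
            continue  # console/local logons carry no useful source address
        seen[addr].add(int(f.get("Logon Type", "0")))
    return {addr: sorted(types) for addr, types in seen.items()}


def naive_sources(messages, user):
    """What Message.Contains(user) | findstr "Source Network Address" | sort /unique yields."""
    hits = set()
    for msg in messages:
        if user.lower() not in msg.lower():
            continue
        addr = parse_4624(msg).get("Network Information/Source Network Address", "-")
        if addr not in ("-", ""):
            hits.add(addr)
    return sorted(hits)


def _msg(subject, new_logon, logon_type, workstation, address):
    """Build a constructed 4624 message in the standard Windows layout (sample data, not a real log)."""
    return (
        "An account was successfully logged on.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500\n"
        f"\tAccount Name:\t\t{subject}\n"
        "\tAccount Domain:\t\tMEGACORP\n"
        "\tLogon ID:\t\t0x3E7\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        "New Logon:\n"
        "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\n"
        f"\tAccount Name:\t\t{new_logon}\n"
        "\tAccount Domain:\t\tMEGACORP\n"
        "\tLogon ID:\t\t0x1A2B3C\n\n"
        "Network Information:\n"
        f"\tWorkstation Name:\t{workstation}\n"
        f"\tSource Network Address:\t{address}\n"
        "\tSource Port:\t\t49812\n"
    )


# Constructed sample: network logon, RDP logon, a logon the user started for another
# account, a duplicate, a console logon without a source, and an unrelated user.
SAMPLE_4624 = [
    _msg("PC01$", "snovvcrash", 3, "WS07", "10.10.1.50"),
    _msg("PC01$", "snovvcrash", 10, "-", "10.10.2.9"),
    _msg("snovvcrash", "svc_backup", 2, "PC01", "10.10.1.77"),
    _msg("PC01$", "snovvcrash", 3, "WS07", "10.10.1.50"),
    _msg("PC01$", "snovvcrash", 2, "PC01", "-"),
    _msg("PC01$", "Administrator", 3, "WS03", "10.10.3.3"),
]

if __name__ == "__main__":
    print("strict:", logon_sources(SAMPLE_4624, "snovvcrash"))
    print("naive :", naive_sources(SAMPLE_4624, "snovvcrash"))
```

On the sample, the strict parser reports 10.10.1.50 (logon type 3) and 10.10.2.9 (type 10), while the substring match also lists 10.10.1.77, which is where snovvcrash ran something as svc_backup, not where snovvcrash logged on from. Keeping the logon type next to each address is what lets a responder tell an SMB/network logon apart from an RDP session when reviewing the same data.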
Connected USB Devices
List USB device history using reg.py:
$ reg.py -k -no-pass PC01.megacorp.local query -keyName 'HKLM\SYSTEM\CurrentControlSet\Enum\USB'
List USB device history using PowerShell:
PS > gwmi Win32_USBControllerDevice | %{[wmi]($_.Dependent)} | sort Manufacturer, Description, DeviceID | ft -GroupBy Manufacturer Description, Service, DeviceID
Hunt for a connected USB device with a specific VID and PID using wmiquery.py:
$ cat usb.wmi
SELECT DeviceID, Name FROM Win32_USBHub
$ for comp in `cat comps.txt`; do KRB5CCNAME=tickets/"`echo $comp | cut -d'.' -f1`".ccache proxychains4 -q wmiquery.py -k -no-pass $comp -file usb.wmi | tee -a usb.txt; sleep 2; done
$ tail -f usb.txt | grep 'VID_0000&PID_1111'
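The grep above only tells you that the VID/PID pair appeared somewhere in usb.txt; because the loop appends raw wmiquery.py output, the file does not say which host produced a given row. The following Python is an added example (not part of the original notes or of impacket) that parses Windows USB device instance IDs into (VID, PID) and builds a per-host inventory. The sample rows are constructed and tagged with the host they are assumed to come from; the pipe-separated "DeviceID | Name" row layout is an assumption about the tool's output, and the parser only relies on the VID_xxxx&PID_yyyy token, which is also what the registry subkeys under HKLM\SYSTEM\CurrentControlSet\Enum\USB are named after.

```python
import re
from collections import defaultdict

# Constructed sample rows, each tagged with the host the row is assumed to come from.
# Includes a header per host, a composite-interface ID (&MI_00), lower-case variants
# and an error line from a host that did not answer, none of which may break parsing.
SAMPLE_USB_OUTPUT = [
    ("pc01", "DeviceID | Name"),
    ("pc01", r"USB\VID_8087&PID_0024\5&1A2B3C4D&0&1 | Generic USB Hub"),
    ("pc01", r"USB\VID_0000&PID_1111\0123456789AB | USB Composite Device"),
    ("pc02", "DeviceID | Name"),
    ("pc02", r"USB\VID_8087&PID_0024\5&9E8D7C6B&0&1 | Generic USB Hub"),
    ("pc03", "DeviceID | Name"),
    ("pc03", r"usb\vid_0000&pid_1111&mi_00\7&2F3E4D5C&0&0000 | USB Input Device"),
    ("pc03", "ERROR: [Errno 111] Connection refused"),
]

# Vendor and product IDs are four hex digits; Windows writes them upper-case but
# tooling does not always preserve that, so match case-insensitively.
VID_PID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)


def parse_usb_line(line):
    """Return (VID, PID, name) for one output row, or None for headers and noise."""
    m = VID_PID_RE.search(line)
    if not m:
        return None
    vid, pid = (x.upper() for x in m.groups())
    name = line.split("|", 1)[1].strip() if "|" in line else ""
    return vid, pid, name


def build_inventory(tagged_lines):
    """Map (VID, PID) -> {host: set of device names} from host-tagged output rows."""
    inventory = defaultdict(lambda: defaultdict(set))
    for host, line in tagged_lines:
        parsed = parse_usb_line(line)
        if parsed is None:
            continue
        vid, pid, name = parsed
        inventory[(vid, pid)][host].add(name)
    return inventory


def hosts_with_device(inventory, vid, pid):
    """Sorted hosts on which the given VID/PID pair was seen (case-insensitive lookup)."""
    return sorted(inventory.get((vid.upper(), pid.upper()), {}))


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_USB_OUTPUT)
    for (vid, pid), hosts in sorted(inv.items()):
        print(f"VID_{vid}&PID_{pid}:", ", ".join(sorted(hosts)))
    print("hosts with VID_0000&PID_1111:", hosts_with_device(inv, "0000", "1111"))
```

Tagging each row with its host (for instance by prefixing the loop's output with `$comp` before appending) is what makes the result actionable: an inventory keyed by VID/PID answers "which machines have this device plugged in" directly, instead of leaving that to a second pass over the file.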