Links

User Hunt

PS > Find-DomainUserLocation -UserIdentity snovvcrash

Sessions Enum

Derivative Local Admins

Pen Testing Active Directory Environments (Varonis).pdf

Logon Events

Search for the IP addresses from which the user of interest logged on to the current machine (event 4624):
PS > Get-EventLog Security -InstanceId 4624 | ? {$_.Message.Contains("snovvcrash")} | select -First 10 | fl * | Out-File C:\Windows\Temp\user.dat
Cmd > wmic ntevent where "LogFile='Security' and EventCode=4624 and Message like '%%snovvcrash%%'" get /format:list | findstr /c:"Source Network Address" | sort /unique
atexec.py 'wmic ntevent where "LogFile='"'"'Security'"'"' and EventCode=4624 and Message like '"'"'%%snovvcrash%%'"'"'" get /format:list | findstr /c:"Source Network Address" | sort /unique'
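
The same 4624 lookup done on structured fields, as an added example that is not part of the original notes: matching on the rendered Message text depends on the system locale and hits the username in any field, while the event's EventData carries TargetUserName, LogonType and IpAddress separately. The function name Get-LogonSource, the 200-event cap and the sample record are assumptions made for illustration.

```powershell
# Added example, not from the original page. Reads the structured EventData
# fields of event 4624 rather than substring-matching the rendered Message.
function Get-LogonSource {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml,  # EventLogRecord.ToXml() output
        [Parameter(Mandatory)] [string] $UserName
    )
    process {
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        if ($data['TargetUserName'] -ne $UserName) { return }
        # '-', '::1' and 127.0.0.1 mark local logons with no remote source
        if ($data['IpAddress'] -in @($null, '', '-', '::1', '127.0.0.1')) { return }
        [pscustomobject]@{
            User        = $data['TargetUserName']
            LogonType   = [int]$data['LogonType']   # 3 = network, 10 = RemoteInteractive (RDP)
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

# Constructed sample record, trimmed to the fields used here (placeholder values).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">snovvcrash</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WS01</Data>
    <Data Name="IpAddress">192.0.2.15</Data>
  </EventData>
</Event>
'@
$sample | Get-LogonSource -UserName 'snovvcrash'

# Live Security log (needs an elevated session): filter by user in the query,
# then count logons per source address and logon type.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='snovvcrash']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } |
    Get-LogonSource -UserName 'snovvcrash' |
    Group-Object SourceIp, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The XPath comparison on TargetUserName is case-sensitive, so the name in the query must match the casing recorded in the log.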