User Hunt

http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
https://www.slideshare.net/harmj0y/i-hunt-sys-admins-20

PS > Find-DomainUserLocation -UserIdentity snovvcrash

Sessions Enum

http://www.harmj0y.net/blog/powershell/powershell-and-win32-api-access/
http://www.harmj0y.net/blog/powershell/powerquinsta/
https://github.com/Leo4j/Invoke-SessionHunter/blob/main/Invoke-SessionHunter.ps1
https://gist.github.com/GeisericII/6849bc86620c7a764d88502df5187bd0

Derivative Local Admins

http://www.harmj0y.net/blog/redteaming/local-group-enumeration/
https://medium.com/@sixdub/derivative-local-admin-cdd09445aac8
https://wald0.com/?p=14
http://www.offensiveops.io/tools/bloodhound-working-with-results/

Logon Events

https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/5175f64c111ffcc13250e3cf818f05ca46654af5/wmiutility.cs#L194
https://gist.github.com/awakecoding/5fda938a5fd2d29ebffb31eb023fe51c
https://github.com/lele8/SharpUserIP

Search for IPs from where the user of interest logged on to current machine (event 4624):

PS > Get-EventLog Security -InstanceId 4624 | ? {$_.Message.Contains("snovvcrash")} | select -First 10 | fl * | Out-File C:\Windows\Temp\user.dat

Cmd > wmic ntevent where "LogFile='Security' and EventCode=4624 and Message like '%%snovvcrash%%'" get /format:list | findstr /c:"Source Network Address" | sort /unique
atexec.py 'wmic ntevent where "LogFile='"'"'Security'"'"' and EventCode=4624 and Message like '"'"'%%snovvcrash%%'"'"'" get /format:list | findstr /c:"Source Network Address" | sort /unique'

Last updated 11 months ago