EventLog Searcher

This post and subsequent code snippet will help you quickly find where users have logged on by searching through the system event log for event ID 4624 across multiple hosts in a threaded fashion for both speed and flexibility. User hunting is often the most time consuming part of red teaming and hopefully this will speed up that process for you and written in C# for compatibility with many C2 frameworks.

This is not a new technique but one that is often used as an alternative for getting user login data from Bloodhound/Sharphound. It must be noted that you have to have domain administrator level rights to perform this action against domain controllers.

The code snipped allows you to pass an array of hosts but also a regex of usernames to the query so its not limited to searching for one user. It also has a limit so it can stop early if you find what you want.

EventLogSearcher.exe bloredc1,bloredc2,bloredc3 “ben|deb|lisa|corin” 2

There are other ways of achieving the same results, especially in other languages but this seems to have a nice balance of both speed and flexibility for getting the results you need.

Published by benpturner

Red Teamer (CCSAS|CCSAM) | Creator of PoshC2 | Powershell / C# Enthusiast | Passionate about Security!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: