/// <summary>
/// Prints the account logon events collected by <c>Logon.GetLogonInfos</c> for a fixed
/// look-back window, followed by a summary of which accounts authenticated to this
/// machine over NTLM v1, NTLM v2 and Kerberos.
/// </summary>
/// <remarks>
/// The check is skipped with a notice when the process is not running at high integrity.
/// Any exception raised while collecting or printing is caught and only its message is
/// reported, so a failure here does not abort the caller.
/// </remarks>
private static void PrintLogonEvents()
{
    // Look-back window in days; the same value feeds the banner and the query.
    const int daysBack = 10;

    try
    {
        // The banner names event ID 4624; the actual filtering happens inside
        // Logon.GetLogonInfos, which is not visible from this method.
        Beaprint.MainPrint($"Printing Account Logon Events (4624) for the last {daysBack} days.\n");

        // Guard clause: without elevation the check is not attempted at all.
        // NOTE(review): presumably the underlying event log is not readable otherwise — confirm in Logon.GetLogonInfos.
        if (!MyUtils.IsHighIntegrity())
        {
            Beaprint.NoColorPrint(" You must be an administrator to run this check");
            return;
        }

        var report = Logon.GetLogonInfos(daysBack);

        // One record per logon event, each followed by a separator line.
        foreach (var evt in report.LogonEventInfos)
        {
            string details =
                $" Subject User Name : {evt.SubjectUserName}\n" +
                $" Subject Domain Name : {evt.SubjectDomainName}\n" +
                $" Created (Utc) : {evt.CreatedAtUtc}\n" +
                $" IP Address : {evt.IpAddress}\n" +
                $" Authentication Package : {evt.AuthenticationPackage}\n" +
                $" Lm Package : {evt.LmPackage}\n" +
                $" Logon Type : {evt.LogonType}\n" +
                $" Target User Name : {evt.TargetUserName}\n" +
                $" Target Domain Name : {evt.TargetDomainName}\n" +
                $" Target Outbound User Name : {evt.TargetOutboundUserName}\n" +
                $" Target Outbound Domain Name : {evt.TargetOutboundDomainName}\n";

            Beaprint.BadPrint(details);
            Beaprint.PrintLineSeparator();
        }

        // The per-protocol sets are read only after the event listing, as in the original order.
        bool sawNtlmV1 = report.NTLMv1LoggedUsersSet.Count > 0;
        bool sawNtlmV2 = report.NTLMv2LoggedUsersSet.Count > 0;
        bool sawKerberos = report.KerberosLoggedUsersSet.Count > 0;

        // Hardening view: a non-empty NTLM set means this host still accepts NTLM for
        // inbound logons. The accounts listed below are the ones to move to Kerberos
        // before NTLM (v1 first) is restricted by policy.
        if (sawNtlmV1 || sawNtlmV2)
        {
            Beaprint.BadPrint(" NTLM relay might be possible - other users authenticate to this machine using NTLM!");
        }

        if (sawNtlmV1)
        {
            Beaprint.BadPrint(" Accounts authenticate to this machine using NTLM v1!");
            Beaprint.BadPrint(" You can obtain these accounts' **NTLM** hashes by sniffing NTLM challenge/responses and then crack them!");
            Beaprint.BadPrint(" NTLM v1 authentication is broken!\n");

            PrintUsers(report.NTLMv1LoggedUsersSet);
        }

        if (sawNtlmV2)
        {
            Beaprint.BadPrint("\n Accounts authenticate to this machine using NTLM v2!");
            Beaprint.BadPrint(" You can obtain NetNTLMv2 for these accounts by sniffing NTLM challenge/responses.");
            Beaprint.BadPrint(" You can then try and crack their passwords.\n");

            PrintUsers(report.NTLMv2LoggedUsersSet);
        }

        if (sawKerberos)
        {
            Beaprint.BadPrint("\n The following users have authenticated to this machine using Kerberos.\n");

            PrintUsers(report.KerberosLoggedUsersSet);
        }
    }
    catch (Exception ex)
    {
        // Best-effort check: only the message is surfaced, the stack trace is dropped.
        Beaprint.PrintException(ex.Message);
    }
}