Discover if an account is available for Exchange SSO
Get logon history data from the event log, default is data from 14 days back
Requires administrator privileges
Enumerate logon sessions by reading lsass process bytes
Requires administrator privileges
Enumerate logon sessions with LsaGetLogonSessionData
Requires administrator privileges
Useful for hunting jump-hosts, hosts used for cloud/infrastructure management and other non-domain credentials. Because pwning just the on-prem domain isn't enough
Shoutout to harmj0y and the Seatbelt project