invoke-eventhunter queries the Windows Security event log on each domain computer through the WMI class Win32_NTLogEvent, looking for logon events and Kerberos TGT requests (Security event IDs 4624 and 4768) that involve the target users. Because it reads historical log entries rather than live sessions, it can show where a user was recently active even after they have logged off, which makes it useful for building a timeline of a user's movement through the domain. The --search-days parameter controls how far back in the logs to look. Like the other hunting commands, it supports multi-threading and can either target specific hosts or take the computer list from LDAP.
Reading the event log over WMI requires local administrator rights on the target host; hosts that refuse the connection are skipped. Three things shape what the hunt can find. First, 4768 is written by the KDC, so TGT requests appear only in the logs of domain controllers, while 4624 is written on the host that was logged on to: a computer list that leaves out the DCs yields logons but no TGT activity. Second, the events must actually be audited and retained: the target's audit policy needs Logon auditing (and, on DCs, Kerberos Authentication Service auditing) enabled, and the Security log is a fixed-size buffer, so on a busy server with a small maximum log size entries older than a day or two may already be gone and a long --search-days window does not guarantee older results. Third, the WMI connection the hunt makes is itself a network logon (4624, logon type 3) by the hunting account on every host it reaches, which leaves a footprint and means any hits on the hunting account are the hunt's own activity, not the target's.
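To make the mechanism concrete, here is an added example, not code from pywerview, of the two pieces an event hunt is built from: the WQL filter sent to each host's Win32_NTLogEvent provider, with the search window rendered in the CIM DATETIME layout that TimeGenerated uses, and the parsing that picks target users out of the returned 4624 and 4768 records, drops machine accounts and re-applies the time window. The hostnames, users, addresses and records are constructed; the message text follows the layout Windows renders for these two events, and the regexes are this example's own, not pywerview's parsing.

```python
"""Added example, not pywerview's code: the WQL an event hunter sends to each host's
Win32_NTLogEvent provider, and the parsing of the returned Security-log records
for a set of target users. Every record below is constructed."""
import re
from datetime import datetime, timedelta, timezone

LOGON_EVENT = 4624  # account successfully logged on; written on the host logged on to
TGT_EVENT = 4768    # Kerberos TGT requested; written only by domain controllers (KDC)

def to_dmtf(dt):
    """CIM DATETIME layout of Win32_NTLogEvent.TimeGenerated: yyyymmddHHMMSS.ffffff
    plus the UTC offset in minutes. It sorts lexically, so WQL compares it as a string."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.%f") + "+000"

def from_dmtf(text):
    """Inverse of to_dmtf: the stamp is local time, so subtract the offset to get UTC."""
    stamp = datetime.strptime(text[:21], "%Y%m%d%H%M%S.%f").replace(tzinfo=timezone.utc)
    return stamp - timedelta(minutes=int(text[21:]))

def build_wql(search_days, now):
    """Query sent to every host: Security log, logon or TGT events, not older than
    search_days days. Filtering on the host keeps the DCOM transfer small."""
    start = now - timedelta(days=search_days)
    return ("SELECT * FROM Win32_NTLogEvent WHERE Logfile='Security' "
            f"AND (EventCode={LOGON_EVENT} OR EventCode={TGT_EVENT}) "
            f"AND TimeGenerated >= '{to_dmtf(start)}'")

# 4624 has two "Account Name:" blocks (Subject, New Logon); only the second names the
# account that logged on, so the match is anchored at "New Logon:".
NEW_LOGON_RE = re.compile(r"New Logon:.*?Account Name:\s+(\S+)\s+Account Domain:\s+(\S+)", re.S)
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(\d+)")
SOURCE_RE = re.compile(r"Source Network Address:\s+(\S+)")
TGT_ACCOUNT_RE = re.compile(r"Account Information:.*?Account Name:\s+(\S+)\s+Supplied Realm Name:\s+(\S+)", re.S)
CLIENT_RE = re.compile(r"Client Address:\s+(\S+)")

def parse_event(record):
    """Flatten one Win32_NTLogEvent-like record; None if it is not a readable 4624/4768."""
    msg, code = record["Message"], record["EventCode"]
    if code == LOGON_EVENT:
        acct, ltype, src = NEW_LOGON_RE.search(msg), LOGON_TYPE_RE.search(msg), SOURCE_RE.search(msg)
        kind, logon_type = "logon", int(ltype.group(1)) if ltype else None
    elif code == TGT_EVENT:
        acct, src = TGT_ACCOUNT_RE.search(msg), CLIENT_RE.search(msg)
        kind, logon_type = "tgt", None
    else:
        return None
    if not acct:
        return None
    user, domain = acct.groups()
    source = src.group(1) if src else None
    if source and source.startswith("::ffff:"):  # the KDC logs IPv4 clients as mapped IPv6
        source = source[len("::ffff:"):]
    return {"host": record["ComputerName"], "time": from_dmtf(record["TimeGenerated"]),
            "user": user, "domain": domain, "kind": kind, "logon_type": logon_type, "source": source}

def hunt(records, target_users, search_days, now):
    """Events for the target users inside the window, oldest first. The time check repeats
    the WQL filter so locally supplied records are treated exactly like host replies."""
    targets = {u.lower() for u in target_users}
    start = now - timedelta(days=search_days)
    hits = [ev for ev in map(parse_event, records)
            if ev and ev["time"] >= start
            and not ev["user"].endswith("$")  # machine accounts are never hunt targets
            and ev["user"].lower() in targets]
    return sorted(hits, key=lambda ev: ev["time"])

def logon_message(user, domain, logon_type, src_ip):
    """Constructed 4624 message text in the layout the Security log renders."""
    return ("An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n"
            "\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
            f"Logon Type:\t\t\t{logon_type}\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1105\n"
            f"\tAccount Name:\t\t{user}\n\tAccount Domain:\t\t{domain}\n\tLogon ID:\t\t0x3E7\n\n"
            f"Network Information:\n\tWorkstation Name:\tWS02\n\tSource Network Address:\t{src_ip}\n")

def tgt_message(user, realm, client_ip):
    """Constructed 4768 message text."""
    return ("A Kerberos authentication ticket (TGT) was requested.\n\nAccount Information:\n"
            f"\tAccount Name:\t\t{user}\n\tSupplied Realm Name:\t{realm}\n\tUser ID:\t\tS-1-5-21-1-2-3-1105\n\n"
            "Service Information:\n\tService Name:\t\tkrbtgt\n\n"
            f"Network Information:\n\tClient Address:\t\t::ffff:{client_ip}\n\tClient Port:\t\t51234\n")

NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock: sample run is reproducible

def rec(host, code, days_ago, message):
    return {"ComputerName": host, "EventCode": code, "Message": message,
            "TimeGenerated": to_dmtf(NOW - timedelta(days=days_ago))}

SAMPLE_EVENTS = [  # constructed, not real log data
    rec("WS01", LOGON_EVENT, 2, logon_message("bob", "CONTOSO", 2, "-")),            # console logon
    rec("WS01", LOGON_EVENT, 1, logon_message("alice", "CONTOSO", 3, "10.0.0.9")),   # not a target
    rec("DC01", TGT_EVENT, 2.5, tgt_message("bob", "CONTOSO", "10.0.0.25")),         # TGT request at the DC
    rec("WS02", LOGON_EVENT, 1, logon_message("WS02$", "CONTOSO", 3, "-")),          # machine account
    rec("WS02", LOGON_EVENT, 10, logon_message("bob", "CONTOSO", 10, "10.0.0.25")),  # older than 3 days
]

if __name__ == "__main__":
    print(build_wql(3, NOW))
    for ev in hunt(SAMPLE_EVENTS, ["bob"], 3, NOW):
        print(f'{ev["time"]:%Y-%m-%d %H:%M}  {ev["host"]:<5} {ev["kind"]:<5} '
              f'{ev["domain"]}\\{ev["user"]}  type={ev["logon_type"]}  from={ev["source"]}')
```

Running it prints the query and a two-line timeline for bob: the TGT request seen at DC01 followed by the console logon on WS01, with the alice event, the WS02$ machine-account logon and the ten-day-old WS02 logon all filtered out; raising search_days to 14 brings the WS02 logon (type 10, a remote interactive logon) back into the timeline. Against a real host the same WQL would travel over DCOM through a WMI client and the host would apply the TimeGenerated comparison itself, which is why the window is expressed in the string layout the provider stores rather than as a datetime.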

Flags

Domain Controller Connection

-t, --dc-ip
string
required
IP address of the domain controller used to enumerate target computers and users via LDAP.
-w, --workgroup
string
Name of the domain to authenticate with.
-u, --user
string
Username for authentication.
-p, --password
string
Password associated with the specified username.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k
boolean
Use Kerberos authentication. Reads credentials from the KRB5CCNAME ccache file.
--tls
boolean
Force a TLS connection to the domain controller.

Target Computer Selection

--computername
string[]
One or more specific hostnames or IPs to search event logs on (space-separated). Skips LDAP computer enumeration when provided.
--computerfile
string
Path to a file containing hostnames or IPs to query, one per line.
--computer-filter
string
Custom LDAP filter applied when querying computers from the domain controller.
--computer-adspath
string
ADS path to use when searching for computers in LDAP.
-d, --domain
string
Domain to query for target machines.

Target User Selection

--username
string
Search event logs for activity by this specific username.
--groupname
string
Name of a domain group whose members to use as target users.
--user-filter
string
Custom LDAP filter applied when querying target users from the domain controller.
--user-adspath
string
ADS path used when searching for target users in LDAP.
--userfile
string
Path to a file containing usernames to search for, one per line.
--targetserver
string
Use the local administrators of this server as the target user list.

Hunt Behaviour

--search-days
integer
Number of days back to search the event logs on each host. Default: 3.
--threads
integer
Number of parallel worker threads to use when querying target hosts. Default: 1.
-l, --logging-level
string
Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results as JSON instead of the default human-readable format.

Examples

# Search the last 3 days of event logs for a specific user (default window)
pywerview invoke-eventhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob

# Extend the search window to 7 days
pywerview invoke-eventhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob --search-days 7

# Multi-threaded search across all domain hosts, 7-day window
pywerview invoke-eventhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob --threads 5 --search-days 7

# Search for all members of the Domain Admins group over a 14-day window
pywerview invoke-eventhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'Domain Admins' --search-days 14

# Restrict search to specific hosts from a file
pywerview invoke-eventhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob --computerfile /tmp/servers.txt

# JSON output
pywerview invoke-eventhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob --json
