How does SharpSniper find the IP address used by a domain user?
SharpSniper queries the domain controller's Security event log for Event ID 4624 (successful logon) and filters on the target username with an XPath query of the form "Event[System[(EventID=4624)] and EventData[Data[@Name='TargetUserName']='username']]". It then extracts the IP address from each matching event using a regular expression that matches IPv4 addresses. This process is detailed in the Analysis of SharpSniper Exploitation.
Tags: XPath query, regular expression, IP extraction, Event ID 4624