User Hunting
User hunting is noisy: the enumeration creates a spike in network traffic, and it leaves a 4624 (Logon) event and a 4634 (Logoff) event on every machine it touches while enumerating.
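The logon/logoff trail described above is exactly what a defender can key on: one account producing 4624/4634 pairs on many different hosts within minutes, each session lasting only seconds. The following script is an added example and not part of the original notes or of PowerView; it parses constructed sample Security-log lines (the field names EventID, Computer, TargetUserName, TargetLogonId and IpAddress mirror the real event schema, but the log content is synthetic), pairs each 4634 with its 4624, and flags accounts that reach many distinct hosts in a short window with mostly short-lived sessions. The thresholds (5 hosts, 5 minutes, 10-second sessions) are hypothetical tuning values.

```python
"""Detect a user-hunting pattern from Windows Security logon events.

Added example (not from the original notes). Models the observation that
enumeration leaves a 4624 (logon) and 4634 (logoff) on every machine it
touches, so one account appears on many hosts within a short window and
each of those sessions lasts only seconds.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (synthetic, not captured from a real system).
# alice: one long session on a file server, a normal pattern.
# bob:   network logons to twelve workstations, each ending a second later.
SAMPLE_LOG = (
    "2024-03-01T09:00:00 EventID=4624 Computer=FS01 TargetUserName=alice "
    "TargetLogonId=0x1a1 IpAddress=10.0.0.5\n"
    "2024-03-01T09:42:10 EventID=4634 Computer=FS01 TargetUserName=alice "
    "TargetLogonId=0x1a1 IpAddress=-\n"
)
for _i in range(1, 13):
    _t0 = datetime(2024, 3, 1, 10, 0, 0) + timedelta(seconds=3 * _i)
    _t1 = _t0 + timedelta(seconds=1)
    SAMPLE_LOG += (
        f"{_t0:%Y-%m-%dT%H:%M:%S} EventID=4624 Computer=WS{_i:02d} "
        f"TargetUserName=bob TargetLogonId=0x{0x2b00 + _i:x} IpAddress=10.0.0.77\n"
        f"{_t1:%Y-%m-%dT%H:%M:%S} EventID=4634 Computer=WS{_i:02d} "
        f"TargetUserName=bob TargetLogonId=0x{0x2b00 + _i:x} IpAddress=-\n"
    )

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        ev = dict(FIELD_RE.findall(rest))
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def pair_sessions(events):
    """Match each 4634 to its 4624 by (Computer, TargetLogonId).

    Returns one session per logon: user, computer, source IP (taken from the
    4624, since the 4634 carries none), start time and duration in seconds
    (None if no matching logoff was seen).
    """
    open_logons = {}
    sessions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["Computer"], ev["TargetLogonId"])
        if ev["EventID"] == "4624":
            s = {"user": ev["TargetUserName"], "computer": ev["Computer"],
                 "ip": ev["IpAddress"], "start": ev["ts"], "duration": None}
            open_logons[key] = s
            sessions.append(s)
        elif ev["EventID"] == "4634" and key in open_logons:
            s = open_logons.pop(key)
            s["duration"] = (ev["ts"] - s["start"]).total_seconds()
    return sessions


def detect_user_hunting(sessions, window_minutes=5, min_hosts=5,
                        max_session_seconds=10):
    """Flag accounts whose logons reach >= min_hosts distinct machines inside
    one window, where at least half of those sessions are very short-lived.
    Thresholds are hypothetical and should be tuned per environment."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, user_sessions in by_user.items():
        user_sessions.sort(key=lambda s: s["start"])
        for i, first in enumerate(user_sessions):
            in_window = [s for s in user_sessions[i:]
                         if s["start"] - first["start"] <= window]
            hosts = {s["computer"] for s in in_window}
            short = [s for s in in_window if s["duration"] is not None
                     and s["duration"] <= max_session_seconds]
            if len(hosts) >= min_hosts and 2 * len(short) >= len(in_window):
                prev = alerts.get(user)
                if prev is None or len(hosts) > prev["hosts"]:
                    alerts[user] = {"hosts": len(hosts),
                                    "short_sessions": len(short),
                                    "sources": sorted({s["ip"] for s in in_window}),
                                    "first_seen": first["start"]}
    return alerts


if __name__ == "__main__":
    found = detect_user_hunting(pair_sessions(parse_events(SAMPLE_LOG)))
    for user, a in found.items():
        print(f"{user}: {a['hosts']} hosts, {a['short_sessions']} short sessions, "
              f"from {a['sources']} starting {a['first_seen']}")
```

Run stand-alone it reports bob (12 hosts, 12 one-second sessions from 10.0.0.77) and stays silent on alice. In a real deployment the same logic would read forwarded 4624/4634 events from a SIEM rather than a string; the sliding window over distinct hosts is what separates enumeration from a busy but legitimate administrator, and restricting to network logons (LogonType 3) would cut noise further.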
Find-LocalAdminAccess
Finds all machines in the current (or given) domain where the current user has local admin access. It runs multi-threaded queries against the list of computers returned by Get-NetComputer for the current domain, checking each one with Invoke-CheckLocalAdminAccess.
Find-WMILocalAdminAccess
Find-LocalAdminAccess relies on RPC and SMB ports, which a firewall may sometimes block.
To get around that, WMI queries can be used to enumerate local admin access instead.
A WMI query needs local admin privileges to execute, so probing each computer with a WMI query and checking whether it runs reveals whether the current user has local admin rights there.
Enumerating Local Admin
To find local admins on all machines of the domain (needs admin privileges on non-DC machines).
Finds all machines in the current (or given) domain where the current user has local admin access. It runs multi-threaded Get-NetLocalGroup queries against the list of computers returned by Get-NetComputer for the current domain.
Invoke-UserHunter
It looks for sessions of Domain Admins on all machines where local admin access is available.
Finds all sessions of the Domain Admins group (the default) or a given group on machines where the current user has local admin access. It runs multi-threaded queries over the group members returned by Get-NetGroupMember, checking active sessions with Get-NetSession and logged-on users with Get-NetLoggedon.
To check admin access on that session,
With stealth hunting, it enumerates only the high-value target machines in the domain (DCs, file servers, distributed file servers), so fewer hosts are touched but the chance of success is lower.