# User Hunting

User hunting creates a spike in network traffic while probing hosts, and the enumeration also generates a **4624 - Logon Event** and a **4634 - Logoff Event** on each machine it touches.
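The logon footprint above is what a defender can key on. The following is an added example, not PowerView code, that flags an account producing network logons (4624, LogonType 3) on many distinct hosts inside a short window; the field names and the sample events are constructed and assume logs already gathered from the hosts into one collection.

```powershell
# Added example: detect one account touching many hosts in a short window,
# the footprint domain-wide local-admin / session enumeration leaves behind.
# Assumed fields: EventId, LogonType, TargetUserName, Computer, TimeCreated.
function Find-LogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinHosts = 10,       # distinct hosts before alerting; tune per environment
        [int] $WindowMinutes = 5
    )
    $alerts = @()
    $groups = $Events |
        Where-Object { $_.EventId -eq 4624 -and $_.LogonType -eq 3 } |
        Group-Object TargetUserName
    foreach ($g in $groups) {
        $sorted = @($g.Group | Sort-Object TimeCreated)
        # Slide a window starting at each event and count distinct hosts inside it.
        foreach ($first in $sorted) {
            $end = $first.TimeCreated.AddMinutes($WindowMinutes)
            $hosts = @($sorted |
                Where-Object { $_.TimeCreated -ge $first.TimeCreated -and $_.TimeCreated -le $end } |
                Select-Object -ExpandProperty Computer -Unique)
            if ($hosts.Count -ge $MinHosts) {
                $alerts += [pscustomobject]@{
                    User      = $g.Name
                    Start     = $first.TimeCreated
                    HostCount = $hosts.Count
                    Hosts     = ($hosts -join ', ')
                }
                break   # one alert per account is enough
            }
        }
    }
    return $alerts
}

# Constructed sample: 'jdoe' hits 12 hosts in two minutes (enumeration-like),
# 'svc-backup' hits 2 hosts over an hour (ordinary service behaviour).
$t0 = [datetime]'2024-01-01T09:00:00'
$sample = foreach ($i in 1..12) {
    [pscustomobject]@{ EventId = 4624; LogonType = 3; TargetUserName = 'jdoe'
                       Computer = "WS$i"; TimeCreated = $t0.AddSeconds(10 * $i) }
}
$sample += foreach ($i in 1..2) {
    [pscustomobject]@{ EventId = 4624; LogonType = 3; TargetUserName = 'svc-backup'
                       Computer = "FS$i"; TimeCreated = $t0.AddMinutes(30 * $i) }
}
Find-LogonBurst -Events $sample | Format-Table -AutoSize
```

Each machine only records its own 4624/4634 events, so this only works once the logs are forwarded from every host to a central collector.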

### Find-LocalAdminAccess

Finds all machines in the current (or a given) domain where the current user has local admin access. It runs multi-threaded checks with *Invoke-CheckLocalAdminAccess* against the list of computers returned by *Get-NetComputer*.

```
Find-LocalAdminAccess
```

### Find-WMILocalAdminAccess

*Find-LocalAdminAccess* relies on RPC and SMB ports, which a firewall sometimes blocks.

To get around that, WMI queries can be used to enumerate local admin access instead:

```
Find-WMILocalAdminAccess -ComputerFile <List of Computers>
```

A WMI query needs local admin privileges to execute, so by sending a WMI query to each computer we can tell from whether it runs whether we hold local admin rights there.

### Enumerating Local Admin

To find the local admins on all machines in the domain (needs admin privileges on non-DC machines):

```
Invoke-EnumerateLocalAdmin
```

Like *Find-LocalAdminAccess*, it runs multi-threaded queries against the computer list from *Get-NetComputer*, but uses *Get-NetLocalGroup* to list the members of each machine's local admin group.

### Invoke-UserHunter

It looks for sessions of Domain Admins on all machines where local admin access is available.

Finds all sessions of the Domain Admins group (the default) or of a given group, on machines where the current user has local admin access. It runs multi-threaded queries over the group members from *Get-NetGroupMember* and checks sessions with *Get-NetSession* and logged-on users with *Get-NetLoggedon*.

```
Invoke-UserHunter

Invoke-UserHunter -GroupName "<GROUP NAME>"
```

To also check whether the current user has admin access on the machine hosting each session:

```
Invoke-UserHunter -CheckAccess
```

Stealth hunting only enumerates high-value target machines (DCs, file servers, distributed file servers) in the domain, so it is quieter, but the chance of success is low.

```
Invoke-UserHunter -Stealth
```
