User Hunting

User hunting generates a spike in network traffic while enumerating, and it also creates a 4624 (Logon) and a 4634 (Logoff) event on each machine it touches during enumeration
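As an added illustration of the detection side of that noise (example code written for this page, not part of PowerView or the original notes): the script below parses a constructed export of Security events in a hypothetical pipe-delimited format (timestamp|event_id|account|logon_type|host), flags an account that produces network logons (logon type 3, which is what SMB/RPC/WMI enumeration generates) to many distinct hosts within a short window, and separately counts the very short 4624/4634 session pairs such enumeration leaves behind. The export format, field order, thresholds and sample account and host names are all assumptions. A stealth hunt that only touches a handful of high-value hosts would stay under a fan-out threshold like this, which is why the short-session count is included as a second signal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumed values; tune per environment)
FANOUT_WINDOW = timedelta(minutes=5)      # look-back window per account
FANOUT_MIN_HOSTS = 8                      # distinct hosts in window before alerting
SHORT_SESSION_MAX = timedelta(seconds=5)  # 4624 -> 4634 gap typical of enumeration


def parse_event(line):
    """Parse one line of the hypothetical export: ts|event_id|account|logon_type|host."""
    ts, event_id, account, logon_type, host = line.strip().split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "logon_type": int(logon_type),
        "host": host,
    }


def detect_logon_fanout(events, window=FANOUT_WINDOW, min_hosts=FANOUT_MIN_HOSTS):
    """Return {account: max distinct hosts} for accounts whose network logons (4624,
    type 3) reach at least min_hosts distinct hosts inside any sliding window."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_account[e["account"]].append(e)

    alerts = {}
    for account, logons in by_account.items():
        logons.sort(key=lambda e: e["time"])
        best, start = 0, 0
        for end, e in enumerate(logons):
            # advance the window start until it fits within `window`
            while e["time"] - logons[start]["time"] > window:
                start += 1
            hosts = {x["host"] for x in logons[start:end + 1]}
            best = max(best, len(hosts))
        if best >= min_hosts:
            alerts[account] = best
    return alerts


def short_lived_sessions(events, max_duration=SHORT_SESSION_MAX):
    """Pair each 4624 with the next 4634 for the same (account, host) and return,
    per account, how many sessions lasted no longer than max_duration."""
    open_sessions = {}
    counts = defaultdict(int)
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["account"], e["host"])
        if e["event_id"] == 4624:
            open_sessions[key] = e["time"]
        elif e["event_id"] == 4634 and key in open_sessions:
            if e["time"] - open_sessions.pop(key) <= max_duration:
                counts[e["account"]] += 1
    return dict(counts)


def build_sample_events():
    """Constructed sample data, not real logs: one account sweeps 12 servers with
    one-second sessions; a normal user logs on interactively and uses one file server."""
    lines = []
    base = datetime(2024, 5, 1, 9, 0, 0)
    for i in range(12):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()}|4624|CORP\\svc-scan|3|SRV{i:02d}")
        lines.append(f"{(t + timedelta(seconds=1)).isoformat()}|4634|CORP\\svc-scan|3|SRV{i:02d}")
    lines.append(f"{base.isoformat()}|4624|CORP\\bob|2|WS07")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()}|4624|CORP\\bob|3|FS01")
    lines.append(f"{(base + timedelta(minutes=40)).isoformat()}|4634|CORP\\bob|3|FS01")
    return lines


if __name__ == "__main__":
    evts = [parse_event(line) for line in build_sample_events()]
    print("fan-out alerts:", detect_logon_fanout(evts))
    print("short sessions:", short_lived_sessions(evts))
```

The fan-out check keys on the account, because the source workstation is usually constant during a hunt while the target hosts vary; running both functions over a real export would need only a different `parse_event` for the actual field layout.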

Find-LocalAdminAccess

Find all machines on the current/given domain where the current user has local admin access (performs multi-threaded queries against the list of computers from the current domain via Get-NetComputer, using Invoke-CheckLocalAdminAccess)

Find-LocalAdminAccess

Find-WMILocalAdminAccess

Find-LocalAdminAccess relies on RPC and SMB, which a firewall may block

To get around that, WMI queries can be used to enumerate local admin access instead

Find-WMILocalAdminAccess -ComputerFile <List of Computers>

Executing a WMI query on a remote computer requires local admin privileges, so whether the query succeeds on a given computer indicates whether the current user has local admin rights there

Enumerating Local Admin

To find the local admins on all machines of the domain (needs admin privileges on non-DC machines)

Invoke-EnumerateLocalAdmin

Enumerates the members of the local Administrators group on each machine in the current/given domain (performs multi-threaded queries against the list of computers from the current domain via Get-NetComputer, using Get-NetLocalGroup)

Invoke-UserHunter

It looks for Domain Admin sessions on all the machines where local admin access is available

Find all sessions of members of DOMAIN ADMINS (default) or the given group, where the current user has local admin access (performs multi-threaded queries on the list of members from Get-NetGroupMember and checks sessions with Get-NetSession and logged-on users with Get-NetLoggedon)

Invoke-UserHunter

Invoke-UserHunter -GroupName "<GROUP NAME>"

To check whether the current user has admin access on the machines where those sessions are found,

Invoke-UserHunter -CheckAccess

Stealth hunting enumerates only high-value target machines (DCs, file servers, distributed file servers) on the domain, so it touches far fewer hosts (the chance of success is lower)

Invoke-UserHunter -Stealth