User Hunting
User hunting creates a spike in network traffic while enumerating, and also generates a 4624 (Logon) and a 4634 (Logoff) event on each machine it touches.
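That 4624/4634 trail on every enumerated host is what a defender can key on. The following Python detection is an added example, not part of the original notes: it flags accounts whose network logons (4624, logon type 3) fan out to many distinct hosts within a short window. The log format, host names and account names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, "timestamp|host|account|event_id|logon_type".
# 4624 = logon, 4634 = logoff; logon type 3 (network) is what SMB/RPC/WMI probing
# from one hunting host leaves behind on every machine it touches.
SAMPLE_LOG = """\
2024-05-01T10:00:01|WS01|CORP\\alice|4624|3
2024-05-01T10:00:01|WS01|CORP\\alice|4634|3
2024-05-01T10:00:02|WS02|CORP\\alice|4624|3
2024-05-01T10:00:03|WS03|CORP\\alice|4624|3
2024-05-01T10:00:03|WS04|CORP\\alice|4624|3
2024-05-01T10:00:04|FS01|CORP\\alice|4624|3
2024-05-01T10:00:05|DC01|CORP\\alice|4624|3
2024-05-01T09:00:00|FS01|CORP\\bob|4624|3
2024-05-01T10:30:00|WS07|CORP\\bob|4624|3
2024-05-01T10:00:03|WS09|CORP\\bob|4624|2
"""


def parse_events(text):
    """Parse the log lines into (timestamp, host, account, event_id, logon_type) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, account, event_id, logon_type = line.split("|")
        events.append((datetime.fromisoformat(ts), host, account, int(event_id), int(logon_type)))
    return events


def find_logon_fanout(events, window=timedelta(minutes=5), min_hosts=5):
    """Return {account: peak distinct hosts} for accounts whose network logons (4624,
    type 3) reach at least min_hosts distinct machines inside one sliding window."""
    by_account = defaultdict(list)
    for ts, host, account, event_id, logon_type in events:
        if event_id == 4624 and logon_type == 3:
            by_account[account].append((ts, host))
    flagged = {}
    for account, logons in by_account.items():
        logons.sort()
        peak = 0
        for ts, _ in logons:
            # Distinct hosts logged on to in the window ending at this event
            # (quadratic scan; fine for a per-account batch of this size).
            in_window = {h for t, h in logons if ts - window <= t <= ts}
            peak = max(peak, len(in_window))
        if peak >= min_hosts:
            flagged[account] = peak
    return flagged
```

In a real deployment the input would be 4624 events collected centrally from all hosts; the threshold and window should be tuned against normal admin and service-account behaviour.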
Find-LocalAdminAccess
Find all machines on the current/given domain where the current user has local admin access (performs multi-threaded queries against the list of computers from the current domain, obtained with Get-NetComputer, using Invoke-CheckLocalAdminAccess)
Find-LocalAdminAccess
Find-WMILocalAdminAccess
Find-LocalAdminAccess relies on RPC and SMB, which a firewall may block.
To get around this, WMI queries can be used to enumerate local admin access instead.
Find-WMILocalAdminAccess -ComputerFile <List of Computers>
A WMI query needs local admin privileges to execute, so sending a WMI query to each computer and checking whether it runs reveals whether the current user has local admin rights there.
Enumerating Local Admin
To find local admins on all machines of the domain (needs admin privileges on non-DC machines)
Invoke-EnumerateLocalAdmin
Enumerates the local admins on all machines of the current/given domain (performs multi-threaded queries against the list of computers from the current domain, obtained with Get-NetComputer, using Get-NetLocalGroup)
Invoke-UserHunter
It looks for sessions of Domain Admins on all machines where the current user has local admin access.
Find all sessions of the DOMAIN ADMINS (default) or given group where the current user has local admin access (performs multi-threaded queries on the list of group members from Get-NetGroupMember, then checks sessions with Get-NetSession and logged-on users with Get-NetLoggedon)
Invoke-UserHunter
Invoke-UserHunter -GroupName "<GROUP NAME>"
To check admin access on the machines where those sessions were found:
Invoke-UserHunter -CheckAccess
Stealth hunting enumerates only high-value target machines (DCs, file servers, distributed file servers) on the domain, so it touches fewer hosts but the chance of success is low.
Invoke-UserHunter -Stealth