Get-NetUser
Get-NetUser -Username student1
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *
net user /domain
net user student82 /domain
Get a list of all properties for users in the current domain.
The pwdlastset and badpwdcount properties help in judging whether an account is a honeypot or decoy account:
decoy accounts tend to have bad password attempts recorded while pwdlastset is very old.
These could be actual computers or VMs.
An ICMP ping request is used to detect whether a host is online. If ICMP packets are blocked by a firewall, this can wrongly report the machine as offline.
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
net group /domain
net group "RDPUsers" /domain
Get all groups containing the word "admin" in the group name.
List all the local groups on a machine (needs administrator privs on nondc machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ListGroups
Show membership of the administrator groups.
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local
Get members of all the local groups on a machine (needs administrator privs on non-dc machines)
Find all machines in the current domain where the current user has local admin access.
This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded Invoke-CheckLocalAdminAccess on each machine.
Find-LocalAdminAccess -Verbose
This can also be done with the help of remote administration tools like WMI and PowerShell remoting. This is useful in cases where the ports (RPC and SMB) used by Find-LocalAdminAccess are blocked.
Find local admins on all machines of the domain (needs administrator privs on non-dc machines).
This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded Get-NetLocalGroup on each machine.
Invoke-EnumerateLocalAdmin -Verbose
Find computers where a domain admin (or a specified user/group) has sessions.
This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer) and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine.
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
To also check admin access on the machines found:
Invoke-UserHunter -CheckAccess
Find computers where a domain admin is logged in.
Stealth mode queries only high-value targets.
This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of only high-traffic servers (DCs, file servers and distributed file servers) to generate less traffic, and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each machine.
Invoke-UserHunter -Stealth
Get actively logged-on users on a computer (needs local admin rights on the target).
Get the last logged-on user on a computer (needs administrative rights and remote registry on the target).
Get-LastLoggedOn -ComputerName <servername>
Defense
NetCease is a script which changes permissions on the NetSessionEnum method by removing the permission held by the Authenticated Users group.
This breaks much of an attacker's session enumeration and hence user hunting capability.
.\NetCease.ps1
.\NetCease.ps1 -revert
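To verify that the hardening described above is in place, the following added example (not part of these notes or of the NetCease project) parses the server service's NetSessionEnum security descriptor and reports whether Authenticated Users (S-1-5-11) is still granted access. It assumes the value is stored at LanmanServer\DefaultSecurity\SrvsvcSessionInfo, the location NetCease edits, and is run locally with administrative rights.

```powershell
# Added example (not from the original notes or NetCease): audit the NetSessionEnum
# security descriptor. Assumes the documented registry location below.
function Test-NetSessionEnumHardening {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $bytes = (Get-ItemProperty -Path $regPath -Name SrvsvcSessionInfo -ErrorAction Stop).SrvsvcSessionInfo

    # The REG_BINARY value is a self-relative security descriptor.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @($bytes, 0)

    # Collect every principal that is explicitly allowed access by the DACL.
    $granted = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceQualifier -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: keep the raw form
        [pscustomobject]@{
            Principal  = $name
            Sid        = $sid.Value
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }

    # NetCease removes the Authenticated Users grant; its presence means the host is not hardened.
    $authUsersPresent = [bool]($granted | Where-Object Sid -eq 'S-1-5-11')

    [pscustomobject]@{
        Hardened                  = -not $authUsersPresent
        AuthenticatedUsersAllowed = $authUsersPresent
        GrantedPrincipals         = $granted
    }
}

Test-NetSessionEnumHardening | Format-List
```

Run it before and after `.\NetCease.ps1` to confirm the Authenticated Users ACE is gone and to record which principals (for example Administrators or local logon groups) remain allowed.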
Search for sensitive strings like pass, password, etc. in all files.
Also search the Recycle Bin and files on shares.
findstr.exe /spin "password" *.*
Services Issues using PowerUp
• Get services with unquoted paths and a space in their name.
Invoke-AllChecks
Get-ServiceUnquoted -Verbose
• Get services where the current user can write to its binary path or change arguments to the binary
Get-ModifiableServiceFile -Verbose
• Get the services whose configuration the current user can modify.
Get-ModifiableService -Verbose
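As an added example for the unquoted-service-path check above (not from these notes or from PowerUp), this audit reads each service's ImagePath straight from the registry, flags those that are unquoted and contain a space before the executable name, and emits the quoted form an administrator should set. It assumes it is run with administrative rights so every service's configuration is readable; unlike PowerUp it does not test whether the intermediate directories are writable, it lists every path that needs quoting.

```powershell
# Added example (not from the original notes or PowerUp): list services whose ImagePath
# is unquoted and contains a space before the executable, with the corrected value.
function Get-UnquotedServiceImagePath {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $imagePath = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { continue }
        $imagePath = [Environment]::ExpandEnvironmentVariables($imagePath.Trim())

        # Already quoted, or not an .exe (kernel drivers and similar): nothing to check.
        if ($imagePath.StartsWith('"')) { continue }
        $exeEnd = $imagePath.ToLower().IndexOf('.exe')
        if ($exeEnd -lt 0) { continue }

        # Only a space before the executable name makes the path ambiguous to the service controller.
        $exePath = $imagePath.Substring(0, $exeEnd + 4)
        if ($exePath -notmatch '\s') { continue }

        $trailingArgs = $imagePath.Substring($exeEnd + 4)
        [pscustomobject]@{
            Service        = $svc.PSChildName
            ImagePath      = $imagePath
            FixedImagePath = '"' + $exePath + '"' + $trailingArgs   # value to set as the new binary path
        }
    }
}

Get-UnquotedServiceImagePath | Format-Table -AutoSize
```

Remediation is to set the FixedImagePath value as the service's binary path (services.msc or sc.exe config) and restart the service; the change is otherwise behaviour-preserving.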
Feature Abuse
You can misuse enterprise applications like Jenkins, which mostly run with admin privileges, to find a way to run commands.
Without logging in, we can list users.
Bloodhound
BloodHound represents AD entities and relationships as a graph in a GUI.
BloodHound requires neo4j.
Use a compatible version: BloodHound v3 and v2 are incompatible with each other.
Upload the collector's zip files into BloodHound to start mapping.
You can use the built-in queries.
You can mark users as owned.
You can find paths, etc.
Invoke-BloodHound -CollectionMethod All -Verbose
Invoke-BloodHound -CollectionMethod LoggedOn -Verbose
Invoke-BloodHound -CollectionMethod All -ExcludeDC  # less noisy
Another interesting script from the same author is SAMRi10, which hardens Windows 10 and Server 2016 against enumeration over the SAMR protocol (as used by net.exe).
There are various ways of locally escalating privileges on a Windows box:
– Missing patches
– Automated deployment and AutoLogon passwords in clear text
– AlwaysInstallElevated (Any user can run MSI as SYSTEM)
– Misconfigured Services
– DLL Hijacking and more
• We can use the tools below for complete coverage
– PowerUp:
– BeRoot: .\beRoot.exe
– Privesc: Invoke-PrivEsc
– WinPEAS: