User Hunting

Find Machines in the Current Domain Where the Current User Has Local Admin Access

  • I should note that Find-LocalAdminAccess can be quite noisy...

Find-LocalAdminAccess -Verbose # PowerView
Invoke-CheckLocalAdminAccess -ComputerName <target-computer> # PowerView

. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess [-ComputerFile <file>]

. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess

  • Using pywerview.py

# pywerview subcommand names are lowercase (argparse subcommands are case-sensitive)
python pywerview.py invoke-checklocaladminaccess -w bizcorp.local -u <user> -p <pass> --computername <target-computer> [--check-access]

Find Local Admins on All Machines in the Domain (needs local admin privs on non-DC machines)

Invoke-EnumerateLocalAdmin -Verbose # PowerView

Find a Computer Where a Domain Admin (or a Specified User) Has a Session

  • This command can be quite noisy as well...

Invoke-UserHunter [-GroupName "<group>"] [-Stealth] # PowerView
Invoke-UserHunter -CheckAccess [-UserName <user>]

# Checking every computer EXCEPT the DC avoids ATA (Microsoft Advanced Threat Analytics) alerts, if sessions on the DC do not matter to you
Invoke-UserHunter -ComputerFile <computers_except_DC.txt> [-GroupName "<group>"] [-UserName <user>]

  • Using pywerview.py

python pywerview.py invoke-userhunter -w <domain> -u <user> -p <pass> -t <dc> [--groupname <group>] [--computername <computer>] [--computerfile <list-of-computers>]
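Both Find-LocalAdminAccess and Invoke-UserHunter are called "noisy" above because they touch every host in the domain from one account in a short span. From the log side that shows up as one account producing network logons (Security event 4624, logon type 3) against many distinct member hosts within minutes, regardless of whether the DC was left out of the sweep. The script below is an added example written for this page, not PowerView, pywerview or any product's code; it flags that fan-out pattern over a constructed sample of flattened 4624 records (host names, accounts, addresses and the line format are all invented for the example).

```python
"""
Detect host-enumeration fan-out: one (account, source IP) pair producing
network logons (4624 / LogonType 3) on many distinct hosts inside a short
sliding window. Added example; the input format and all values are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export of Security event 4624, one record per line.
# jdoe sweeps six workstations in eight seconds (what a user-hunting run looks
# like); svc_backup touches two file servers; itadmin visits six hosts but
# spread over hours; one interactive (LogonType=2) logon is there to be ignored.
SAMPLE_LOG = r"""
2024-05-01T10:00:01Z EventID=4624 LogonType=3 Computer=WS01.bizcorp.local TargetUser=BIZCORP\jdoe IpAddress=10.1.2.3
2024-05-01T10:00:03Z EventID=4624 LogonType=3 Computer=WS02.bizcorp.local TargetUser=BIZCORP\jdoe IpAddress=10.1.2.3
2024-05-01T10:00:04Z EventID=4624 LogonType=3 Computer=WS03.bizcorp.local TargetUser=BIZCORP\jdoe IpAddress=10.1.2.3
2024-05-01T10:00:06Z EventID=4624 LogonType=3 Computer=WS04.bizcorp.local TargetUser=BIZCORP\jdoe IpAddress=10.1.2.3
2024-05-01T10:00:08Z EventID=4624 LogonType=3 Computer=WS05.bizcorp.local TargetUser=BIZCORP\jdoe IpAddress=10.1.2.3
2024-05-01T10:00:09Z EventID=4624 LogonType=3 Computer=WS06.bizcorp.local TargetUser=BIZCORP\jdoe IpAddress=10.1.2.3
2024-05-01T10:00:12Z EventID=4624 LogonType=2 Computer=WS01.bizcorp.local TargetUser=BIZCORP\jdoe IpAddress=-
2024-05-01T10:05:00Z EventID=4624 LogonType=3 Computer=FS01.bizcorp.local TargetUser=BIZCORP\svc_backup IpAddress=10.1.5.5
2024-05-01T10:06:00Z EventID=4624 LogonType=3 Computer=FS02.bizcorp.local TargetUser=BIZCORP\svc_backup IpAddress=10.1.5.5
2024-05-01T09:00:00Z EventID=4624 LogonType=3 Computer=WS01.bizcorp.local TargetUser=BIZCORP\itadmin IpAddress=10.1.2.9
2024-05-01T09:30:00Z EventID=4624 LogonType=3 Computer=WS02.bizcorp.local TargetUser=BIZCORP\itadmin IpAddress=10.1.2.9
2024-05-01T10:00:00Z EventID=4624 LogonType=3 Computer=WS03.bizcorp.local TargetUser=BIZCORP\itadmin IpAddress=10.1.2.9
2024-05-01T10:30:00Z EventID=4624 LogonType=3 Computer=WS04.bizcorp.local TargetUser=BIZCORP\itadmin IpAddress=10.1.2.9
2024-05-01T11:00:00Z EventID=4624 LogonType=3 Computer=WS05.bizcorp.local TargetUser=BIZCORP\itadmin IpAddress=10.1.2.9
2024-05-01T11:30:00Z EventID=4624 LogonType=3 Computer=WS06.bizcorp.local TargetUser=BIZCORP\itadmin IpAddress=10.1.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"Computer=(?P<host>\S+) TargetUser=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn the flattened export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event_id": int(m["event_id"]),
            "logon_type": int(m["logon_type"]),
            "host": m["host"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_fanout(events, window=timedelta(minutes=5), min_hosts=5):
    """Return one alert per (user, source IP) that reached >= min_hosts distinct
    hosts via network logon inside any window-sized span."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:   # network logons only
            by_actor[(e["user"], e["ip"])].append(e)

    alerts = []
    for (user, ip), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = defaultdict(int)   # host -> logons currently inside the window
        best_hosts = []                # largest distinct-host set seen for this actor
        start = 0
        for e in evs:
            in_window[e["host"]] += 1
            # slide the left edge forward until the window is no wider than `window`
            while e["ts"] - evs[start]["ts"] > window:
                old = evs[start]["host"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > len(best_hosts):
                best_hosts = sorted(in_window)
        if len(best_hosts) >= min_hosts:
            alerts.append({"user": user, "ip": ip,
                           "host_count": len(best_hosts), "hosts": best_hosts})
    return alerts


if __name__ == "__main__":
    for a in find_fanout(parse_log(SAMPLE_LOG)):
        print(f"{a['user']} from {a['ip']} reached {a['host_count']} hosts: {', '.join(a['hosts'])}")
```

Two design points worth noting. The key is (account, source IP) rather than account alone, so a service account legitimately used from many servers does not merge into one actor. And the signal lives on the member hosts, not the DC: the `-ComputerFile <computers_except_DC.txt>` trick above sidesteps DC-centric monitoring precisely because each workstation still records its own 4624, so forwarding member-host Security logs to a central collector is what makes this check possible.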
