User Hunting
Find Machines in the Current Domain Where the Current User Has Local Admin Access
I should note that Find-LocalAdminAccess can be quite noisy...
Find-LocalAdminAccess -Verbose # PowerView
Invoke-CheckLocalAdminAccess -ComputerName <target-computer> # PowerView
. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess [-ComputerFile <file>]
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
Using pywerview.py
python pywerview.py Invoke-CheckLocalAdminAccess -w bizcorp.local -u <user> -p <pass> --computername <target-computer> [--check-access]
Find Local Admins on All Machines in the Domain (needs local admin privs on non-DC machines)
Invoke-EnumerateLocalAdmin -Verbose # PowerView
Find a Computer Where a Domain Admin (or a Specified User) Has a Session
This command can be quite noisy as well...
Invoke-UserHunter [-GroupName "<group>"] [-Stealth] # PowerView
Invoke-UserHunter -CheckAccess [-UserName <user>]
# If you check all computers EXCEPT the DC, you should be able to bypass ATA if sessions to the DC do not matter to you
Invoke-UserHunter -ComputerFile <computers_except_DC.txt> [-GroupName "<group>"] [-UserName <user>]
Using pywerview.py
python pywerview.py invoke-userhunter -w <domain> -u <user> -p <pass> -t <dc> [--groupname <group>] [--computername <computer>] [--computerfile <list-of-computers>]