# User Hunting

**Find all machines on the current domain where current user has local admin access**

**Very noisy!** It attempts a connection to every computer in the current domain to check whether the current user has local admin access there.

{% code overflow="wrap" %}

```powershell
Find-LocalAdminAccess -Verbose
```

{% endcode %}

When the RPC and SMB access used by Find-LocalAdminAccess is blocked, check the remote administration channels (WMI, PowerShell Remoting) instead; these checks are scripted in **Find-WMILocalAdminAccess.ps1** and **Find-PSRemotingLocalAdminAccess.ps1**.
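The reason the enumeration above is noisy is that one account produces a network logon (Event ID 4624, LogonType 3) on every host it touches within a couple of minutes. The following PowerShell is an added detection example, not code from this page or from PowerView; it flags an account/source-IP pair that reaches many distinct hosts in a short window, as a collector running Windows Event Forwarding would see it. The event records, host names and IP addresses below are constructed sample data.

```powershell
# Added detection example (not part of this page or of PowerView): from a central
# collector, flag an account that produces network logons (Event ID 4624,
# LogonType 3) on many distinct hosts from one source IP in a short window, which
# is the footprint domain-wide local-admin enumeration leaves. Event XML is constructed.

function New-LogonEventXml {
    # Builds a minimal 4624 record in the Windows event XML shape (constructed sample data).
    param([string]$Computer, [string]$User, [string]$Domain, [string]$Ip,
          [datetime]$Time, [int]$LogonType = 3)
    $stamp = $Time.ToUniversalTime().ToString('o')
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="$stamp"/>
    <Computer>$Computer</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">$Domain</Data>
    <Data Name="LogonType">$LogonType</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

function Get-LogonFanOut {
    param(
        [Parameter(Mandatory)] [xml[]] $Events,
        [int] $HostThreshold = 10,   # distinct hosts reached by one account+source pair
        [int] $WindowMinutes = 5
    )
    # Normalise each 4624 / LogonType 3 event to account, source IP, target computer, time.
    $rows = foreach ($x in $Events) {
        $id = $x.Event.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry a Qualifiers attribute
        if ([int]$id -ne 4624) { continue }
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        if ($data['LogonType'] -ne '3') { continue }
        [pscustomobject]@{
            Time     = [datetime]$x.Event.System.TimeCreated.SystemTime
            Computer = $x.Event.System.Computer
            Account  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            SourceIp = $data['IpAddress']
        }
    }
    # For each account+source pair, slide a time window over its logons and count distinct targets.
    foreach ($g in ($rows | Group-Object Account, SourceIp)) {
        $evts = @($g.Group | Sort-Object Time)
        $peak = 0
        for ($i = 0; $i -lt $evts.Count; $i++) {
            $end = $evts[$i].Time.AddMinutes($WindowMinutes)
            $targets = @($evts | Where-Object { $_.Time -ge $evts[$i].Time -and $_.Time -le $end } |
                         Select-Object -ExpandProperty Computer -Unique)
            if ($targets.Count -gt $peak) { $peak = $targets.Count }
        }
        if ($peak -ge $HostThreshold) {
            [pscustomobject]@{ Account = $evts[0].Account; SourceIp = $evts[0].SourceIp; DistinctHosts = $peak }
        }
    }
}

# Constructed sample: dcorp\studentx reaching 12 servers within two minutes from one
# workstation, plus one ordinary network logon by a service account.
$t0 = [datetime]'2024-01-01T10:00:00Z'
$sample = @(1..12 | ForEach-Object {
    New-LogonEventXml -Computer "dcorp-srv$_" -User 'studentx' -Domain 'dcorp' -Ip '172.16.100.1' -Time $t0.AddSeconds(10 * $_)
})
$sample += New-LogonEventXml -Computer 'dcorp-fs01' -User 'svc_backup' -Domain 'dcorp' -Ip '172.16.1.20' -Time $t0

# Expected: a single row for dcorp\studentx from 172.16.100.1 with DistinctHosts = 12.
Get-LogonFanOut -Events $sample -HostThreshold 10 | Format-Table

# Against live forwarded events on a WEF collector, build the input like this instead:
# $live = Get-WinEvent -LogName ForwardedEvents -FilterXPath "*[System[EventID=4624]]" |
#         ForEach-Object { [xml]$_.ToXml() }
```

The threshold and window are tunable: service accounts and backup agents legitimately log on to many hosts, so baseline per account before alerting, and pair this with the 5140/5145 share-access events for `ADMIN$` where share auditing is enabled.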

**Find a Computer where current user has admin access using PSRemoting**

{% code overflow="wrap" %}

```powershell
PS C:\AD\Tools> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess
```

{% endcode %}

**After finding a computer (dcorp-adminsrv) where current user has admin access, we can access it using "winrs"**

{% code overflow="wrap" %}

```powershell
C:\AD\Tools>winrs -r:dcorp-adminsrv cmd
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

#Show environment variables to confirm shell as dcorp-adminsrv

C:\Users\studentx> set username
set username
USERNAME=studentx
C:\Users\studentx>set computername
computername
COMPUTERNAME=dcorp-adminsrv

#Use PowerShell Remoting:

PS C:\AD\Tools> Enter-PSSession -ComputerName dcorpadminsrv.dollarcorp.moneycorp.local
PS C:\AD\Tools> [dcorpadminsrv.dollarcorp.moneycorp.local]C:\Users\studentx\Documents>$env:username
dcorp\studentx
```

{% endcode %}

**Find computers where a domain admin (or a specified user/group) has sessions**

**Note:** This needs local admin privs to run.

{% code overflow="wrap" %}

```powershell
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
```

{% endcode %}

**Find computers where a domain admin session is available and current user has admin access (uses Test-AdminAccess).**

{% code overflow="wrap" %}

```powershell
Find-DomainUserLocation -CheckAccess
```

{% endcode %}

**Find computers (File Servers and Distributed File servers) where a domain admin session is available.**

{% code overflow="wrap" %}

```powershell
Find-DomainUserLocation -Stealth
```

{% endcode %}

**List Sessions on remote machines**

{% embed url="https://github.com/Leo4j/InvokeSessionHunter" %}

{% code overflow="wrap" %}

```powershell
Invoke-SessionHunter -FailSafe
```

{% endcode %}

Note: The above command doesn't need admin access on the remote machines; it uses the Remote Registry service and queries the HKEY_USERS hive.
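Because this technique depends on the Remote Registry service answering non-admin callers, the defensive counterpart is an inventory of where that service is reachable. The PowerShell below is an added hardening check, not code from this page or from Invoke-SessionHunter; the host names are assumed, and it expects CIM/WinRM access to the targets from an administrative workstation.

```powershell
# Added hardening check (not part of this page or of Invoke-SessionHunter): report
# which hosts expose the Remote Registry service that HKEY_USERS session hunting relies on.
# Host names are assumed; run from an admin workstation with CIM/WinRM access to the targets.
function Get-RemoteRegistryExposure {
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'" `
                                   -ComputerName $c -ErrorAction Stop
            [pscustomobject]@{
                Computer  = $c
                State     = $svc.State        # Running / Stopped
                StartMode = $svc.StartMode    # Auto / Manual / Disabled
                # On current Windows versions Manual is typically a trigger start on incoming
                # RPC, so a stopped service can still be started by a remote query;
                # treat anything other than Disabled as exposed.
                Exposed   = ($svc.StartMode -ne 'Disabled')
            }
        } catch {
            # Unreachable hosts are reported rather than skipped so gaps in coverage are visible.
            [pscustomobject]@{ Computer = $c; State = 'unreachable'; StartMode = $null; Exposed = $null }
        }
    }
}

# Example invocation (host names assumed). Rows with Exposed = True are candidates for
#   Set-Service -Name RemoteRegistry -StartupType Disabled
# on hosts where nothing legitimately needs the service.
Get-RemoteRegistryExposure -ComputerName 'dcorp-adminsrv', 'dcorp-appsrv' | Format-Table
```

Where the service must stay enabled (some monitoring and patching agents need it), restrict who may open it remotely via the `winreg` key's permissions and watch for a single account reading `HKEY_USERS` across many hosts.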

**List sessions on specific remote machines** (OPSEC friendly)

{% code overflow="wrap" %}

```powershell
Invoke-SessionHunter -NoPortScan -Targets C:\servers.txt
```

{% endcode %}
