User Hunting

Find all machines in the current domain where the current user has local admin access

Very noisy! (It tries to access every computer in the current domain to check whether the current user has admin access.)

Find-LocalAdminAccess -Verbose

When the RPC and SMB channels used by Find-LocalAdminAccess are blocked, check remote administration tools such as WMI and PowerShell remoting instead; these checks are scripted in Find-WMILocalAdminAccess.ps1 and Find-PSRemotingLocalAdminAccess.ps1.
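Because Find-LocalAdminAccess and its WMI/PSRemoting variants touch every host in the domain from a single account, the noise shows up on the defender's side as a burst of network logons (Security event ID 4624, or 4625 when access is denied, logon type 3) for one account across many distinct computers within a short window. The following Python is an added detection example, not part of these notes or of PowerView; the event records are constructed, and the host names (other than dcorp-adminsrv), the five-host threshold and the two-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centrally collected Windows Security events.
# Fields: time logged, event ID, logon type, account, computer that logged it.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4624, 3, "dcorp\\studentx", "dcorp-adminsrv"),
    ("2024-05-01T09:00:02", 4625, 3, "dcorp\\studentx", "dcorp-appsrv"),
    ("2024-05-01T09:00:02", 4624, 3, "dcorp\\studentx", "dcorp-mgmt"),
    ("2024-05-01T09:00:03", 4625, 3, "dcorp\\studentx", "dcorp-sql"),
    ("2024-05-01T09:00:04", 4624, 3, "dcorp\\studentx", "dcorp-ci"),
    ("2024-05-01T09:00:05", 4624, 3, "dcorp\\studentx", "dcorp-dc"),
    ("2024-05-01T09:03:00", 4624, 2, "dcorp\\alice", "dcorp-ws1"),  # interactive, ignored
    ("2024-05-01T09:10:00", 4624, 3, "dcorp\\svc_backup", "dcorp-fs1"),
    ("2024-05-01T09:45:00", 4624, 3, "dcorp\\svc_backup", "dcorp-fs2"),
]


def find_host_sweeps(events, min_hosts=5, window=timedelta(minutes=2)):
    """Return {account: sorted hosts} for every account that produced network
    logons (successful or failed) on at least min_hosts distinct computers
    inside a single time window. Both 4624 and 4625 count: an admin-access
    sweep yields a mix of successes and access-denied failures, and the
    failures are the cheaper signal (a service account normally gets none)."""
    by_account = defaultdict(list)
    for ts, event_id, logon_type, account, host in events:
        if event_id in (4624, 4625) and logon_type == 3:
            by_account[account].append((datetime.fromisoformat(ts), host))
    hits = {}
    for account, entries in by_account.items():
        entries.sort()
        start = 0
        for end in range(len(entries)):
            # Advance the window start so it never spans more than `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            hosts = {h for _, h in entries[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts | set(hits.get(account, [])))
    return hits


if __name__ == "__main__":
    for account, hosts in find_host_sweeps(SAMPLE_EVENTS).items():
        print(f"possible admin-access sweep by {account}: {len(hosts)} hosts {hosts}")
```

In a real deployment the same logic runs over 4624/4625 events forwarded from all domain members; low-volume service accounts that legitimately fan out (backup, monitoring) need an allow-list rather than a higher threshold.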

Find a computer where the current user has admin access using PSRemoting

PS C:\AD\Tools> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess

After finding a computer (dcorp-adminsrv) where the current user has admin access, we can access it using winrs:

C:\AD\Tools>winrs -r:dcorp-adminsrv cmd
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

# Show environment variables to confirm the shell is running on dcorp-adminsrv

C:\Users\studentx> set username
set username
USERNAME=studentx
C:\Users\studentx>set computername
computername
COMPUTERNAME=dcorp-adminsrv

# Use PowerShell Remoting:

PS C:\AD\Tools> Enter-PSSession -ComputerName dcorpadminsrv.dollarcorp.moneycorp.local
PS C:\AD\Tools> [dcorpadminsrv.dollarcorp.moneycorp.local]C:\Users\studentx\Documents>$env:username
dcorp\studentx

Find computers where a domain admin (or a specified user/group) has sessions

Note: This needs local admin privileges to run.

Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"

Find computers where a domain admin session is available and the current user has admin access (uses Test-AdminAccess).

Find-DomainUserLocation -CheckAccess

Find computers (file servers and distributed file servers) where a domain admin session is available.

Find-DomainUserLocation -Stealth

List sessions on remote machines

Invoke-SessionHunter -FailSafe

Note: The above command does not need admin access on the remote machines; it uses the Remote Registry service and queries the HKEY_USERS hive.

List sessions on specific remote machines (OPSEC friendly)

Invoke-SessionHunter -NoPortScan -Targets C:\servers.txt
