# User Hunting

**Find all machines on the current domain where current user has local admin access**

**Very Noisy!** (Tries to access all computers in current domain to check if the current user has admin access)

{% code overflow="wrap" %}

```powershell
Find-LocalAdminAccess -Verbose
```

{% endcode %}

When the RPC and SMB ports used by Find-LocalAdminAccess are blocked, check remote administration channels such as WMI and PowerShell Remoting instead. Those checks are scripted in **Find-WMILocalAdminAccess.ps1** and **Find-PSRemotingLocalAdminAccess.ps1**.
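Because Find-LocalAdminAccess and its WMI/PSRemoting variants touch every computer in the domain, the run leaves a distinctive trace on the domain controller: one account requests Kerberos service tickets (Event ID 4769) for a large number of different computer accounts within a few minutes. The following PowerShell is an added detection example, not code from the original page or from PowerView. It works over constructed sample events embedded in the block; the `ConvertFrom-Event4769` helper shows how the same records would be built from real Security-log events (the `TargetUserName`, `ServiceName` and `IpAddress` fields of 4769 are real event fields; the host names and threshold are assumptions).

```powershell
# Added example: flag "fan-out" service ticket requests typical of domain-wide admin-access hunting.
# A 4769 event's ServiceName is the service account that owns the SPN; for host/cifs SPNs that is
# the computer account (e.g. DCORP-SRV1$), so distinct ServiceName values = distinct computers.

function ConvertFrom-Event4769 {
    # Converts a real Security-log 4769 record (from Get-WinEvent) into the flat shape used below.
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time     = $Event.TimeCreated
            Account  = $data['TargetUserName']
            Service  = $data['ServiceName']
            ClientIP = $data['IpAddress']
        }
    }
}

function Find-ServiceTicketFanOut {
    # Reports every account that requested tickets for at least $DistinctHostThreshold
    # different computer accounts inside any sliding window of length $Window.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int]      $DistinctHostThreshold = 10,   # assumption: tune to the environment's baseline
        [TimeSpan] $Window = (New-TimeSpan -Minutes 5)
    )
    $Events | Where-Object { $_.Service -like '*$' } | Sort-Object Time | Group-Object Account | ForEach-Object {
        $group = @($_.Group)
        for ($i = 0; $i -lt $group.Count; $i++) {
            $start    = $group[$i].Time
            $inWindow = $group | Where-Object { $_.Time -ge $start -and $_.Time -le $start.Add($Window) }
            $hosts    = @($inWindow | Select-Object -ExpandProperty Service | Sort-Object -Unique)
            if ($hosts.Count -ge $DistinctHostThreshold) {
                [pscustomobject]@{
                    Account       = $_.Name
                    ClientIP      = ($inWindow | Select-Object -ExpandProperty ClientIP -Unique) -join ','
                    WindowStart   = $start
                    DistinctHosts = $hosts.Count
                    Hosts         = $hosts -join ','
                }
                break   # one alert per account is enough
            }
        }
    }
}

# --- Constructed sample data (not real log extracts) ---
$t0 = Get-Date '2024-01-15T09:00:00'
$SampleEvents = @()
# studentx requests cifs tickets for 12 different computers in about 90 seconds (hunting pattern)
1..12 | ForEach-Object {
    $SampleEvents += [pscustomobject]@{
        Time = $t0.AddSeconds($_ * 7); Account = 'studentx@DOLLARCORP.MONEYCORP.LOCAL'
        Service = "DCORP-SRV$_`$"; ClientIP = '172.16.100.1'
    }
}
# a normal user touching two file servers across an hour (should not alert)
$SampleEvents += [pscustomobject]@{ Time = $t0.AddMinutes(3);  Account = 'alice@DOLLARCORP.MONEYCORP.LOCAL'; Service = 'DCORP-FS1$'; ClientIP = '172.16.100.20' }
$SampleEvents += [pscustomobject]@{ Time = $t0.AddMinutes(50); Account = 'alice@DOLLARCORP.MONEYCORP.LOCAL'; Service = 'DCORP-FS2$'; ClientIP = '172.16.100.20' }

Find-ServiceTicketFanOut -Events $SampleEvents | Format-List
# Expected: one result for studentx with DistinctHosts = 12 and nothing for alice.

# On a domain controller with "Audit Kerberos Service Ticket Operations" enabled, the same
# function can be fed live data (last hour shown):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-1) } |
#     ConvertFrom-Event4769 | Find-ServiceTicketFanOut -Events $_
```

The sliding window matters more than the raw count: an administrator's scheduled job may touch many hosts over a day, but a hunting run compresses dozens of distinct computer-account ticket requests into a couple of minutes, which is what the threshold and window together isolate.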

**Find a Computer where current user has admin access using PSRemoting**

{% code overflow="wrap" %}

```powershell
PS C:\AD\Tools> . C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
PS C:\AD\Tools> Find-PSRemotingLocalAdminAccess
```

{% endcode %}

**After finding a computer (dcorp-adminsrv) where the current user has admin access, we can access it using `winrs`**

{% code overflow="wrap" %}

```powershell
C:\AD\Tools>winrs -r:dcorp-adminsrv cmd
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

# Show environment variables to confirm the shell is running on dcorp-adminsrv

C:\Users\studentx>set username
set username
USERNAME=studentx
C:\Users\studentx>set computername
set computername
COMPUTERNAME=dcorp-adminsrv

# Or use PowerShell Remoting:

PS C:\AD\Tools> Enter-PSSession -ComputerName dcorpadminsrv.dollarcorp.moneycorp.local
[dcorpadminsrv.dollarcorp.moneycorp.local]: PS C:\Users\studentx\Documents> $env:username
dcorp\studentx
```

{% endcode %}

**Find computers where a domain admin (or a specified user/group) has sessions**

**Note:** This needs local admin privs to run.

{% code overflow="wrap" %}

```powershell
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
```

{% endcode %}

**Find computers where a domain admin session is available and the current user has admin access (uses Test-AdminAccess).**

{% code overflow="wrap" %}

```powershell
Find-DomainUserLocation -CheckAccess
```

{% endcode %}

**Find computers (File Servers and Distributed File servers) where a domain admin session is available.**

```powershell
Find-DomainUserLocation -Stealth
```

**List Sessions on remote machines**

{% embed url="https://github.com/Leo4j/InvokeSessionHunter" %}

{% code overflow="wrap" %}

```powershell
Invoke-SessionHunter -FailSafe
```

{% endcode %}

Note: The above command doesn't need admin access on the remote machines; it uses the Remote Registry service and queries the `HKEY_USERS` hive.

**List sessions on specific remote machines** (OPSEC friendly)

{% code overflow="wrap" %}

```powershell
Invoke-SessionHunter -NoPortScan -Targets C:\servers.txt
```

{% endcode %}
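Both Invoke-SessionHunter invocations above depend on the Remote Registry service answering on the target, so the simplest way to shrink that enumeration surface is to know which hosts expose the service and to stop it where nothing legitimate needs it. The following PowerShell is an added audit/hardening example, not code from the original page or from the InvokeSessionHunter project. It assumes WinRM access to the hosts being audited and a hostname list (`C:\servers.txt` is the same kind of target file the page uses; the sample list in the block is constructed). The `-Disable` switch is optional and only acts on hosts where the service is currently running.

```powershell
# Added example: audit (and optionally disable) the Remote Registry service on a set of hosts.
# Background (general Windows defaults): Remote Registry is Disabled on Windows 10/11 clients but
# set to Manual (trigger start) on Windows Server, so servers are usually the exposed population.

function Get-RemoteRegistryExposure {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [switch] $Disable          # stop the service and set it to Disabled where it is running
    )
    foreach ($computer in $ComputerName) {
        try {
            # Win32_Service carries both the live State and the configured StartMode.
            $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'" `
                                   -ComputerName $computer -ErrorAction Stop
            $result = [pscustomobject]@{
                ComputerName = $computer
                State        = $svc.State        # Running / Stopped
                StartMode    = $svc.StartMode    # Auto / Manual / Disabled
                Exposed      = ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')
                Action       = 'none'
            }
            if ($Disable -and $result.Exposed) {
                Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                    Stop-Service -Name RemoteRegistry -Force -ErrorAction SilentlyContinue
                    Set-Service  -Name RemoteRegistry -StartupType Disabled
                }
                $result.Action = 'disabled'
            }
            $result
        }
        catch {
            # Unreachable or access denied: report it rather than silently skipping the host.
            [pscustomobject]@{
                ComputerName = $computer; State = 'unknown'; StartMode = 'unknown'
                Exposed = $null; Action = "error: $($_.Exception.Message)"
            }
        }
    }
}

# Constructed sample target list (same format as C:\servers.txt: one hostname per line).
$targets = @(
    'dcorp-adminsrv.dollarcorp.moneycorp.local'
    'dcorp-mgmt.dollarcorp.moneycorp.local'
)

# Report only:
Get-RemoteRegistryExposure -ComputerName $targets | Format-Table -AutoSize

# Report and remediate, reading the hostnames from a file:
# Get-RemoteRegistryExposure -ComputerName (Get-Content C:\servers.txt) -Disable | Format-Table -AutoSize
```

Where Remote Registry must stay enabled (some backup and monitoring agents use it), the remaining detection is on the target itself: each remote `HKEY_USERS` read arrives as a network logon (Event ID 4624, logon type 3) from the hunting account, so one account appearing with type-3 logons across many servers in a short window is the same fan-out pattern worth alerting on.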
