PowerShellEmpire / PowerTools

PowerTools is a collection of PowerShell projects with a focus on offensive operations.

Invoke-FindTrustUser* filter users on *@domain.com? #50

Closed Meatballs1 closed 8 years ago

Meatballs1 commented 8 years ago

Is it possible to identify foreign users based on the userprincipalname?

Wildcards are not possible on the DN or the SID.

HarmJ0y commented 8 years ago

Not sure how accurate/effective this would be, but I can try to whip up some test PoC this week on assessment to check it out. So the idea would just be Get-NetUser and filter on users with userprincipalname not ending with the FQDN of the domain queried?

Meatballs1 commented 8 years ago

Yeah, that was my thought. We have been hitting domains with large numbers of users, 10k+, which makes us reluctant to use methods that retrieve all users, etc. :)

I tried it but didn't get any hits, but that could just be because there are none, and I didn't verify with the vanilla technique.

HarmJ0y commented 8 years ago

Good point, will try to keep in mind to check that out on any engagements coming up.

Since it's a different approach (foreign users in a domain vs. users in foreign groups), would it warrant a different cmdlet name? Also, any idea for better names for Find-UserTrustGroup and Find-GroupTrustUser? I know they're confusing, but struggling to articulate the description in a short cmdlet name haha.

HarmJ0y commented 8 years ago

Unfortunately I don't think that wildcards are possible on member or member of :(

I have been doing some additional LDAP optimizing and speedups, so Find-GroupTrustUser should have about a 3-4x speedup, but it still needs to pull full group data objects from the given domain unfortunately.

We didn't see any matches for the userprincipalname approach on our last engagement, so I'm thinking about putting this approach on hold until we see it flag in an env once.
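The server-side userPrincipalName filter sketched in this thread, written up as an added example for auditing which accounts carry a UPN suffix other than the queried domain's (this is not PowerView code or anything posted by the participants). It assumes a domain-joined Windows host with read access to the directory; the `KnownSuffix` parameter is an assumption added here so that alternate UPN suffixes registered in the forest are not misreported as foreign.

```powershell
# Added example (not PowerView code): list user accounts whose UPN suffix is not
# the queried domain (or a known alternate suffix). The filtering happens on the
# domain controller, so large domains (10k+ users) are not pulled down in full.
function Get-LdapEscapedValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 filter escaping; backslash must be handled first
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Find-ForeignUpnUser {
    param(
        # Domain FQDN treated as "home"; defaults to the current domain
        [string]$Domain = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name,
        # Alternate UPN suffixes registered in the forest are legitimate, not foreign.
        # Pass them here to exclude them (assumed parameter; defaults to none).
        [string[]]$KnownSuffix = @()
    )
    $clauses = foreach ($s in @($Domain) + $KnownSuffix) {
        "(!(userPrincipalName=*@$(Get-LdapEscapedValue $s)))"
    }
    # samAccountType 805306368 = normal user accounts. (userPrincipalName=*) drops
    # accounts with no UPN at all, which would otherwise satisfy the negated clauses.
    $filter = "(&(samAccountType=805306368)(userPrincipalName=*)$($clauses -join ''))"

    $root = [System.DirectoryServices.DirectoryEntry]::new("LDAP://$Domain")
    $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $filter)
    # Paged results: without this the server caps a search at its MaxPageSize (1000 by default)
    $searcher.PageSize = 1000
    # Ask only for the attributes we report instead of full user objects
    $searcher.PropertiesToLoad.AddRange([string[]]@('samAccountName', 'userPrincipalName', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            UserPrincipalName = [string]$r.Properties['userprincipalname'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

# Report every account whose UPN suffix is neither the domain nor a known alternate suffix
Find-ForeignUpnUser -KnownSuffix @('example-alt-suffix.test') | Format-Table -AutoSize
```

Hits should be compared against the forest's configured UPN suffixes before treating them as foreign accounts; a non-matching suffix on its own only shows the UPN was set to something other than the domain name.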