PowerShellMafia / PowerSploit

PowerSploit - A PowerShell Post-Exploitation Framework

Find-LocalAdminAccess for interactive Logon #246

Closed S3cur3Th1sSh1t closed 7 years ago

S3cur3Th1sSh1t commented 7 years ago

Sometimes the Find-LocalAdminAccess script in Recon/PowerView doesn't give output, because the user is not admin on remote AD systems.

I wonder if it's possible to query for systems with interactive logon rights (RDP, SMB) but without local admin rights, so that privilege escalation --> Invoke-Mimikatz helps with further lateral movement.

Checking rights remotely with WMI or psexec/PSRemoting needs admin rights, so that doesn't help here. Some ideas?

Greetings

vrdse commented 7 years ago

Depending on the environment, you could simply enumerate local group members remotely. This was possible by default for every authenticated user until Windows 10 1607. PowerView\Get-NetLocalGroup would do the job, for instance. See http://www.harmj0y.net/blog/redteaming/local-group-enumeration/

But note that you can't escalate local privileges with Invoke-Mimikatz. (or did I miss anything?)

S3cur3Th1sSh1t commented 7 years ago

Next phase after finding an interactive logon is privilege escalation; after that, cred-dumping :) I meant that. I'll try that tomorrow in our lab and give feedback, thanks.

HarmJ0y commented 7 years ago

Find-LocalAdminAccess wraps Test-AdminAccess, which uses the OpenSCManagerW call in order to do this enumeration quickly - there's not a way to specify a different group target. As @vrdse mentioned, you can use Get-NetLocalGroup to do some of this enumeration, or Get-DomainGPOUserLocalGroupMapping -LocalGroup RDP to attempt GPO-based membership correlation for a group besides local admins.

S3cur3Th1sSh1t commented 7 years ago

I wrote a little script based on Find-LocalAdminAccess & Get-NetLocalGroup, it works. Find-GPOLocation had no -Recurse function, so a comparison for the actual user was not possible.