mitre / caldera

Automated Adversary Emulation Platform
https://caldera.mitre.org
Apache License 2.0

Get-admin doesn't work on remote computers #77

Closed trallgorm closed 5 years ago

trallgorm commented 5 years ago

The get-admin step only returns the correct output when it is checking the machine it's running on. So if I have 3 VMs and I start the attack on one of the VMs, it will output the correct admins for that VM, but if it tries to run get-admin on any of the other machines remotely, the stdout is just blank. This prevents any lateral movement. I'm assuming this is some sort of firewall issue, but I have no idea what to unblock to let it through.

trallgorm commented 5 years ago

Update: I was able to run PowerSploit and used Get-NetLocalGroup which returned the correct information for all hosts, including remote ones, so I no longer think it's a firewall issue.

cl-mitre commented 5 years ago

That is quite odd, then. Can you confirm that the output presented by the operation for running Get-NetLocalGroup is completely empty (the text under the step in operation view), and that the same account was used to run Get-NetLocalGroup manually as through Caldera? I think this might be a permissions issue.

trallgorm commented 5 years ago

@cl-mitre Solved the issue, though I still don't understand the cause of it. I was bootstrapping the RAT as System. I tried starting the RAT manually with admin privileges and it fixed the issue. Strange, because when bootstrapping it the node was red, indicating it had administrator privileges.

cl-mitre commented 5 years ago

I think the issue here is that depending on a bunch of esoteric factors (mainly related to joining a domain), running as SYSTEM doesn't always equate to administrator privileges in the domain, which means that actions like Get-NetLocalGroup will fail, even if SYSTEM is a local administrator. Caldera lacks the ability to differentiate between domain and local administration in its current form, which explains why the node was red for you.

unkempthenry commented 5 years ago

I was actually looking at this the other day. Whether or not this will be successful depends on what permissions are set on remote SAM access on the machine being enumerated (not on the machine the step is being executed from). Different Windows versions have different default settings, but the setting can be modified via group policy or registry. More info: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
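Added example, not from this thread or from the Caldera project: a PowerShell audit of the policy the last comment links to, run on the host being enumerated. It reads the `RestrictRemoteSam` value under the LSA key, decodes the SDDL to show which principals may make remote SAM calls (the check that decides whether a remote local-group enumeration like the one above gets data back), and offers a function that applies the Administrators-only descriptor Microsoft documents as the modern default. The function names are my own; it assumes an elevated session, and a GPO setting will overwrite the registry value.

```powershell
# Added example (not part of the thread or of Caldera). Audits
# "Network access: Restrict clients allowed to make remote calls to SAM"
# on the local host. Run from an elevated PowerShell session.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'RestrictRemoteSam'
# Administrators-only descriptor: RC = READ_CONTROL, BA = Builtin Administrators.
$AdminsOnlySddl = 'O:BAG:BAD:(A;;RC;;;BA)'

function Get-RemoteSamPolicy {
    $sddl = (Get-ItemProperty -Path $LsaKey -Name $ValueName `
                -ErrorAction SilentlyContinue).$ValueName
    if (-not $sddl) {
        # No explicit value: the OS default applies, which differs by Windows
        # version (older releases let any authenticated user enumerate remotely).
        return [pscustomobject]@{ Configured = $false; Sddl = $null; Allowed = @() }
    }
    # Parse the SDDL and list every principal with an access-allowed ACE.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $allowed = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed') {
            try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
        }
    }
    [pscustomobject]@{ Configured = $true; Sddl = $sddl; Allowed = @($allowed) }
}

function Set-RemoteSamAdminsOnly {
    # Hardened setting: only members of local Administrators may make remote
    # SAM calls. Equivalent to setting the policy "Administrators: Remote Access"
    # in Group Policy; a GPO-delivered value takes precedence over this one.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType String `
        -Value $AdminsOnlySddl -Force | Out-Null
}

$policy = Get-RemoteSamPolicy
if (-not $policy.Configured) {
    Write-Output "RestrictRemoteSam is not set; the OS default for this version applies."
} else {
    Write-Output "RestrictRemoteSam = $($policy.Sddl)"
    Write-Output "Remote SAM calls allowed for: $($policy.Allowed -join ', ')"
}
```

If the audit shows only `BUILTIN\Administrators`, a caller that does not hold that group membership on the target (for example a service running as SYSTEM on a domain-joined machine, which reaches the remote host as its computer account) gets an empty result, which matches the blank output reported at the top of the thread.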