During Red Team engagements it is common to track/hunt specific users. Assuming we already have access to a desktop as a normal user (no matter how, always “assume compromise”) in a Windows Domain and we want to spread laterally.
We want to know where the user is logged on, if he is a local administrator in any box, to which groups he belongs, if he has access to file shares, and so on. Enumerating hosts, users, and groups will also help to get a better understanding of the Domain layout.
You might be thinking, “use Powerview”. Lately, one of the most common problems I encounter during Red Team exercises is the fact that PowerShell is heavily monitored. If you use it, you’ll get caught, sooner or later. By now everyone is well aware how powerful PowerShell is, including Blue Teams and Security Vendors.
There are multiple ways to work around this. To avoid using multiple old school tools (psloggedon.exe, netsess.exe, nltest, netview, among others) and to reduce the amount of tools uploaded to compromised systems I created a simple tool that doesn’t require Administrative privileges to run and collect the information listed below, and relies only on the Windows API.
You might end up dealing with white list bypasses (however, based on my experience, its easier to find an environment with PowerShell properly locked down and heavily monitored than an environment with proper whitelisting implemented). Anyway, to avoid entering the “if’s world” let’s leave this discussion for another day and keep this post short.
If you are asking yourself, “wouldn’t these queries also trigger security events”? Yes, eventually. However, at the moment they will most likely slip under the radar when compared with PowerShell, since PowerShell is getting a lot of attention these days.
Blue Teams with Advanced Threat Analytics (ATA), or SIEMs, can also see Red Teams enumerating sessions via ‘net session’, PowerShell, or (l)user hunter. However, if the plan is to avoid ATA just make sure you don’t “touch” the Domain Controller(s).
Moving forward, I would like to eventually rewrite the ‘min’ and ‘max’ values delay between queries. In the meantime though we can still keep enumerating users, sessions, etc. “low and slow” without using PowerShell.
- Retrieves current configuration information for the specified server (via list of hosts or domain enumeration).
- OS Version
- Server Type (DC, Backup DC, Workstation or Server, Terminal Server, MSSQL Server)
- Lists information about all users currently logged on to the workstation.
- interactive, service and batch logons.
- Lists information about sessions established on a server.
- Retrieves information about each shared resource on a server.
- checks if current user as read access.
- Returns results for the NS_DNS namespace, IPv4 protocol.
- Checks if current user is an Administrator on a server.
- Retrieves information about all user accounts on a server or DC.
- Retrieves a list of global groups to which a specified user belongs on a server or DC.
- Retrieves information about each global group in the security database, SAM database or Active Directory.
- Retrieves a list of the members in a particular global group in the security database, SAM database or Active Directory.
- Retrieves information about a particular user account on a server or DC.
- Enumerate the domain controllers in the local domain.
Additionally, for hosts enumeration there’s a minimum and maximum delay value in seconds you can add to avoid detection/noise.
Expect further developments, specially on the ‘error handling’ side and ‘look and feel’. I have a few more ideas that I would like to incorporate.
For usage examples refer to the GitHub repository, where I added some screenshots.
2016-12-03 08:12 +0000