Derivative Local Admin


User hunting is the process of tracking down where users are logged in or have a session in the network. By locating their login or session, you might be able to gain access to that machine, privesc (if required), and operate in the context of the new user. This is obviously most helpful with elevated user accounts.

How User Hunting Works

Under the hood, the user hunting functions in PowerView are relatively straightforward and worth a read. For Invoke-UserHunter, the script will first query the members of the target group (“Domain Admins” by default). Next, the script will query the domain for all machines using Get-NetComputers. Finally, the script will perform a Get-NetSessions and Get-NetLoggedOn against every host in the list and look for the users previously queried. While this technique provides the most coverage, it can be slow and somewhat noisy depending on the network (though we rarely get caught with it).

Where this gets difficult: Delegated groups

More and more I have seen enterprises move to a system of heavily delegated groups and roles within Active Directory. In this case, the local administrators of your target might be domain groups that contain tens or hundreds of other users. Also, the groups will typically be functional and relate to the type of system being targeted. For example, servers might have the local admin group “Server Admins” while most workstations might have “Workstation Admins”. Also, network operations personnel and security people often have a local administrator group specific to the SOC or their organization.

Derivative Local Admin

To address this, I think it is worth explaining the concept that I refer to as derivative local admin. Imagine we have a target system named “WorkstationA” that has the domain group “Network Ops” as a member of its local Administrators group. Inside of the “Network Ops” group there is a user “Fred”, who on his machine “WorkstationB” has the domain group “Workstation Admins” as a member of its local Administrators group. If there is a user “Sally” who is in the “Workstation Admins” domain group, she is a derivative local admin of the original “WorkstationA”: she is an admin of WorkstationB, where Fred’s credentials are exposed, and Fred is an admin of WorkstationA.

The Process of “Walking Back” the Local Admins

Now that you get the concept, let’s walk through a scenario with some actual PowerView functions. Basically, we will start on the same foothold system, and use “Get-NetLocalGroup” and “Invoke-StealthUserHunter -ShowAll” to work our way backwards. Same scenario as above!

  1. Invoke-StealthUserHunter -ShowAll finds a Domain Admin logged in on WorkstationA
  2. We do a Get-NetLocalGroup WorkstationA and see that the domain group “Network Ops” is in its local Administrators group
  3. We use Get-NetGroup “Network Ops” to enumerate users we want to target next. We see “Fred” is a member of this domain group, and match this up with our previous user hunting data to see that he’s logged in to WorkstationB
  4. We run a Get-NetLocalGroup WorkstationB and find that the domain group “Workstation Admins” is in its local Administrators group
  5. We use our credentials to gain access to WorkstationB with WMI or PsExec and the agent of our choice
  6. We use Invoke-Mimikatz to dump the credentials from WorkstationB and find Fred’s credentials
  7. We use Fred’s credentials to gain access to WorkstationA
  8. We use Invoke-Mimikatz to dump credentials and retrieve the Domain Admin creds!

A Little Bit of Analytics

If you are not in a constrained scenario or a very large enterprise network, and are not worried about making a little noise, the Invoke-EnumerateLocalAdmins -OutFile <file.csv> function can be very helpful. This function will perform a Get-NetLocalGroup against every system in the domain and output the results in CSV format. With this, and some enrichment data from the domain (user hunt data, user/group info), you could paint a picture of how to get from one system to another using entirely derivative local admin abuse.
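The “walk back” above is a breadth-first search over three relations: who is a local admin of a host (the CSV), which users a domain group flattens to (group membership), and where each user has a session (user hunting data). The following Python script, added here as an example and not code from the original post or from PowerView, runs that search from the defender’s side: given a sensitive host, it lists every user who is effectively a local admin of it, directly or derivatively, with the chain of hosts involved, so that the delegated groups creating the longest chains can be reviewed and trimmed. The CSV column names, the CORP domain, and every account and host name are constructed for the example; adapt parse_local_admins() to the real header row of your export.

```python
import csv
import io
from collections import deque

# Constructed sample shaped like Invoke-EnumerateLocalAdmins CSV output. The
# column names are an assumption made for this example, not PowerView's exact
# schema; adjust parse_local_admins() to match the real header row.
LOCAL_ADMINS_CSV = """Server,AccountName,IsGroup
WorkstationA,CORP\\Network Ops,True
WorkstationA,CORP\\Domain Admins,True
WorkstationB,CORP\\Workstation Admins,True
WorkstationB,CORP\\Domain Admins,True
"""

# Constructed domain group membership (what Get-NetGroup would return), with
# one nested group so the flattening step is exercised.
GROUP_MEMBERS = {
    "CORP\\Network Ops": ["CORP\\Fred"],
    "CORP\\Workstation Admins": ["CORP\\Sally", "CORP\\Helpdesk"],
    "CORP\\Helpdesk": ["CORP\\Bob"],
    "CORP\\Domain Admins": ["CORP\\DA1"],
}

# Constructed user-hunting data: host -> users with a session or logon there.
SESSIONS = {
    "WorkstationA": ["CORP\\DA1"],
    "WorkstationB": ["CORP\\Fred"],
}


def parse_local_admins(csv_text):
    """Return {host: [(account, is_group), ...]} from the CSV text."""
    admins = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_group = row["IsGroup"].strip().lower() == "true"
        admins.setdefault(row["Server"], []).append((row["AccountName"], is_group))
    return admins


def expand_principal(account, is_group, group_members, _seen=None):
    """Flatten a group, recursively through nested groups, into user accounts."""
    if not is_group:
        return {account}
    seen = _seen if _seen is not None else set()
    users = set()
    for member in group_members.get(account, []):
        if member in seen:
            continue  # cycle or duplicate membership
        seen.add(member)
        users |= expand_principal(member, member in group_members, group_members, seen)
    return users


def derivative_admins(target, local_admins, group_members, sessions):
    """Walk back from `target` and return {user: [target, ..., host_they_admin]}.

    Direct admins are the users in the target's local Administrators group.
    Any admin of a host where a known (direct or derivative) admin has a session
    is exposed to that admin's credentials, so they count as a derivative admin
    of the target. The path lists the hosts from the target back to the host
    the user is actually an admin of; len(path) - 1 is the number of hops.
    """
    reach = {}
    queue = deque([(target, [target])])
    visited = {target}
    while queue:
        host, path = queue.popleft()
        for account, is_group in local_admins.get(host, []):
            for user in expand_principal(account, is_group, group_members):
                if user in reach:
                    continue  # BFS: first discovery is already the shortest chain
                reach[user] = path
                # Every host where this user has a session is the next link.
                for other_host, users in sessions.items():
                    if user in users and other_host not in visited:
                        visited.add(other_host)
                        queue.append((other_host, path + [other_host]))
    return reach


def hop_report(reach):
    """One line per user, sorted so the longest (easiest to miss) chains come last."""
    ordered = sorted(reach.items(), key=lambda kv: (len(kv[1]), kv[0]))
    return [f"{user}: {' <- '.join(path)} ({len(path) - 1} hop(s))" for user, path in ordered]


if __name__ == "__main__":
    admins = parse_local_admins(LOCAL_ADMINS_CSV)
    for line in hop_report(derivative_admins("WorkstationA", admins, GROUP_MEMBERS, SESSIONS)):
        print(line)
```

On the constructed data the report shows the Domain Admin and Fred as direct admins of WorkstationA, and Sally and Bob (via the nested Helpdesk group) as one-hop derivative admins through WorkstationB. Run against a real export, the users with the highest hop counts are the ones no review of WorkstationA’s local Administrators group would ever surface.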
