Find-LocalAdminAccess - Empire Module
This page contains detailed information about how to use the powershell/situational_awareness/network/powerview/find_localadmin_access Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Find-LocalAdminAccess
Module: powershell/situational_awareness/network/powerview/find_localadmin_access
Source code [1]: empire/server/modules/powershell/situational_awareness/network/powerview/find_localadmin_access.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/network/powerview.ps1
MITRE ATT&CK:
T1069, S0194
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
The find_localadmin_access module finds machines on the local domain where the current user has local administrator access. Part of PowerView.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the find_localadmin_access module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the find_localadmin_access module:
Agent
Agent to run module on.
Additional Module Options
This is a list of additional options that are supported by the find_localadmin_access module:
CheckShareAccess
Switch. Only display found shares that the local user has access to.
ComputerDomain
Specifies the domain to query for computers, defaults to the current domain.
ComputerLDAPFilter
Specifies an LDAP query string that is used to search for computer objects.
ComputerName
Hosts to enumerate, comma separated.
ComputerOperatingSystem
Searches computers with a specific operating system. Wildcards accepted.
ComputerSearchBase
Specifies the LDAP source to search through for computers.
ComputerServicePack
Search computers with a specific service pack.
ComputerSiteName
Search computers in the specific AD site name, wildcards accepted.
OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String.
Suggested values: Out-String, ConvertTo-Json, ConvertTo-Csv, ConvertTo-Html, ConvertTo-Xml.
ResultPageSize
Specifies the PageSize to set for the LDAP searcher object.
SearchScope
Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
Server
Specifies an active directory server (domain controller) to bind to.
ServerTimeLimit
Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
Tombstone
Switch. Specifies that the search should also return deleted/tombstoned objects.
Find_localadmin_access Example Usage
Here's an example of how to use the find_localadmin_access module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/network/powerview/find_localadmin_access
Author @harmj0y
Background True
Comments https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/
Description Finds machines on the local domain where the current user has local
administrator access. Part of PowerView.
Language powershell
Name powershell/situational_awareness/network/powerview/find_localadmin_acc
ess
NeedsAdmin False
OpsecSafe True
Software http://attack.mitre.org/software/S0194
Techniques http://attack.mitre.org/techniques/T1069
,Record Options-----------,------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|-------------------------|------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|-------------------------|------------|----------|-------------------------------------|
| CheckShareAccess | | False | Switch. Only display found shares |
| | | | that the local user has access to. |
|-------------------------|------------|----------|-------------------------------------|
| ComputerDomain | | False | Specifies the domain to query for |
| | | | computers, defaults to the current |
| | | | domain. |
|-------------------------|------------|----------|-------------------------------------|
| ComputerLDAPFilter | | False | Specifies an LDAP query string that |
| | | | is used to search for computer |
| | | | objects. |
|-------------------------|------------|----------|-------------------------------------|
| ComputerName | | False | Hosts to enumerate, comma |
| | | | separated. |
|-------------------------|------------|----------|-------------------------------------|
| ComputerOperatingSystem | | False | Searches computers with a specific |
| | | | operating system. Wildcards |
| | | | accepted. |
|-------------------------|------------|----------|-------------------------------------|
| ComputerSearchBase | | False | Specifies the LDAP source to search |
| | | | through for computers |
|-------------------------|------------|----------|-------------------------------------|
| ComputerServicePack | | False | Search computers with a specific |
| | | | service pack |
|-------------------------|------------|----------|-------------------------------------|
| ComputerSiteName | | False | Search computers in the specific AD |
| | | | site name, wildcards accepted. |
|-------------------------|------------|----------|-------------------------------------|
| OutputFunction | Out-String | False | PowerShell's output function to use |
| | | | ("Out-String", "ConvertTo-Json", |
| | | | "ConvertTo-Csv", "ConvertTo-Html", |
| | | | "ConvertTo-Xml"). |
|-------------------------|------------|----------|-------------------------------------|
| ResultPageSize | | False | Specifies the PageSize to set for |
| | | | the LDAP searcher object. |
|-------------------------|------------|----------|-------------------------------------|
| SearchScope | | False | Specifies the scope to search |
| | | | under, Base/OneLevel/Subtree |
| | | | (default of Subtree) |
|-------------------------|------------|----------|-------------------------------------|
| Server | | False | Specifies an active directory |
| | | | server (domain controller) to bind |
| | | | to |
|-------------------------|------------|----------|-------------------------------------|
| ServerTimeLimit | | False | Specifies the maximum amount of |
| | | | time the server spends searching. |
| | | | Default of 120 seconds. |
|-------------------------|------------|----------|-------------------------------------|
| Tombstone | | False | Switch. Specifies that the search |
| | | | should also return |
| | | | deleted/tombstoned objects. |
'-------------------------'------------'----------'-------------------------------------'
(Empire: usemodule/powershell/situational_awareness/network/powerview/find_localadmin_access) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/network/powerview/find_localadmin_access) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/network/powerview/find_localadmin_access.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/network/powerview.ps1
- https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/
- http://attack.mitre.org/software/S0194
- http://attack.mitre.org/techniques/T1069
See Also
Check also the following modules related to this module:
- powershell/situational_awareness/network/powerview/find_foreign_user
- powershell/situational_awareness/network/powerview/find_gpo_computer_admin
- powershell/situational_awareness/network/powerview/find_foreign_group
- powershell/situational_awareness/network/powerview/find_gpo_location
- powershell/situational_awareness/network/powerview/find_managed_security_group
- powershell/situational_awareness/network/powerview/get_loggedon
- powershell/situational_awareness/network/powerview/get_cached_rdpconnection
- powershell/situational_awareness/network/powerview/get_subnet
- powershell/situational_awareness/network/powerview/get_ou
- powershell/situational_awareness/network/powerview/get_subnet_ranges
- powershell/situational_awareness/network/powerview/get_gpo_computer
- powershell/situational_awareness/network/powerview/get_forest
- powershell/situational_awareness/network/powerview/get_domain_controller
- powershell/situational_awareness/network/powerview/user_hunter
- powershell/situational_awareness/network/powerview/get_group
- powershell/situational_awareness/network/powerview/get_session
- powershell/situational_awareness/network/powerview/get_computer
- powershell/situational_awareness/network/powerview/set_ad_object
- powershell/situational_awareness/network/powerview/get_domain_policy
- powershell/situational_awareness/network/powerview/get_gpo
- powershell/situational_awareness/network/powerview/get_domain_trust
- powershell/situational_awareness/network/powerview/get_forest_domain
- powershell/situational_awareness/network/powerview/map_domain_trust
- powershell/situational_awareness/network/powerview/get_fileserver
- powershell/situational_awareness/network/powerview/process_hunter
- powershell/situational_awareness/network/powerview/get_site
- powershell/situational_awareness/network/powerview/get_rdp_session
- powershell/situational_awareness/network/powerview/get_object_acl
- powershell/situational_awareness/network/powerview/get_localgroup
- powershell/situational_awareness/network/powerview/share_finder
- powershell/situational_awareness/network/powerview/get_group_member
- powershell/situational_awareness/network/powerview/get_user
- powershell/situational_awareness/network/powerview/get_dfs_share
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.
