Get-DomainUser - Empire Module
This page contains detailed information about how to use the powershell/situational_awareness/network/powerview/get_user Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Get-DomainUser
Module: powershell/situational_awareness/network/powerview/get_user
Source code [1]: empire/server/modules/powershell/situational_awareness/network/powerview/get_user.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/network/powerview.ps1
MITRE ATT&CK:
T1033, S0194
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
The get_user module querys information for a given user or users in the specified domain. Part of PowerView.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the get_user module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the get_user module:
Agent
Agent to run module on.
Additional Module Options
This is a list of additional options that are supported by the get_user module:
AdminCount
Switch. Return users with '(adminCount=1)' (meaning are/were privileged).
AllowDelegation
Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation'.
DisallowDelegation
Switch. Return user accounts that are marked as 'sensitive and not allowed for delegation'.
Domain
The domain to use for the query, defaults to the current domain.
FindOne
Only return one result object.
Identity
A SamAccountName, DistinguishedName, SID, GUID, or a dns host name, wildcards accepted.
LDAPFilter
Specifies an LDAP query string that is used to filter Active Directory objects.
OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String.
Suggested values: Out-String, ConvertTo-Json, ConvertTo-Csv, ConvertTo-Html, ConvertTo-Xml.
PreauthNotRequired
Switch. Return user accounts with "Do not require Kerberos preauthentication" set.
Properties
Specifies the properties of the output object to retrieve from the server.
ResultPageSize
Specifies the PageSize to set for the LDAP searcher object.
SPN
Switch. Only return user objects with non-null service principal names.
SearchBase
The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" Useful for OU queries.
SearchScope
Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
SecurityMasks
Specifies an option for examining security information of a directory object. One of "Dacl", "Group", "None", "Owner", "Sacl".
Server
Specifies an active directory server (domain controller) to bind to.
ServerTimeLimit
Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
Tombstone
Switch. Specifies that the search should also return deleted/tombstoned objects.
TrustedToAuth
Switch. Return computer objects that are trusted to authenticate for other principals.
Get_user Example Usage
Here's an example of how to use the get_user module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/network/powerview/get_user
Author @harmj0y
Background True
Comments https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/
Description Query information for a given user or users in the specified domain.
Part of PowerView.
Language powershell
Name powershell/situational_awareness/network/powerview/get_user
NeedsAdmin False
OpsecSafe True
Software http://attack.mitre.org/software/S0194
Techniques http://attack.mitre.org/techniques/T1033
,Record Options------,------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|--------------------|------------|----------|-------------------------------------|
| AdminCount | | False | Switch. Return users with |
| | | | '(adminCount=1)' (meaning are/were |
| | | | privileged). |
|--------------------|------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|--------------------|------------|----------|-------------------------------------|
| AllowDelegation | | False | Switch. Return user accounts that |
| | | | are not marked as 'sensitive and |
| | | | not allowed for delegation' |
|--------------------|------------|----------|-------------------------------------|
| DisallowDelegation | | False | Switch. Return user accounts that |
| | | | are marked as 'sensitive and not |
| | | | allowed for delegation' |
|--------------------|------------|----------|-------------------------------------|
| Domain | | False | The domain to use for the query, |
| | | | defaults to the current domain. |
|--------------------|------------|----------|-------------------------------------|
| FindOne | | False | Only return one result object. |
|--------------------|------------|----------|-------------------------------------|
| Identity | | False | A SamAccountName, |
| | | | DistinguishedName, SID, GUID, or a |
| | | | dns host name, wildcards accepted. |
|--------------------|------------|----------|-------------------------------------|
| LDAPFilter | | False | Specifies an LDAP query string that |
| | | | is used to filter Active Directory |
| | | | objects. |
|--------------------|------------|----------|-------------------------------------|
| OutputFunction | Out-String | False | PowerShell's output function to use |
| | | | ("Out-String", "ConvertTo-Json", |
| | | | "ConvertTo-Csv", "ConvertTo-Html", |
| | | | "ConvertTo-Xml"). |
|--------------------|------------|----------|-------------------------------------|
| PreauthNotRequired | | False | Switch. Return user accounts with |
| | | | "Do not require Kerberos |
| | | | preauthentication" set. |
|--------------------|------------|----------|-------------------------------------|
| Properties | | False | Specifies the properties of the |
| | | | output object to retrieve from the |
| | | | server. |
|--------------------|------------|----------|-------------------------------------|
| ResultPageSize | | False | Specifies the PageSize to set for |
| | | | the LDAP searcher object. |
|--------------------|------------|----------|-------------------------------------|
| SPN | | False | Switch. Only return user objects |
| | | | with non-null service principal |
| | | | names |
|--------------------|------------|----------|-------------------------------------|
| SearchBase | | False | The LDAP source to search through, |
| | | | e.g. "LDAP://OU=secret,DC=testlab,D |
| | | | C=local" Useful for OU queries. |
|--------------------|------------|----------|-------------------------------------|
| SearchScope | | False | Specifies the scope to search |
| | | | under, Base/OneLevel/Subtree |
| | | | (default of Subtree) |
|--------------------|------------|----------|-------------------------------------|
| SecurityMasks | | False | Specifies an option for examining |
| | | | security information of a directory |
| | | | object. One of "Dacl", "Group", |
| | | | "None", "Owner", "Sacl". |
|--------------------|------------|----------|-------------------------------------|
| Server | | False | Specifies an active directory |
| | | | server (domain controller) to bind |
| | | | to |
|--------------------|------------|----------|-------------------------------------|
| ServerTimeLimit | | False | Specifies the maximum amount of |
| | | | time the server spends searching. |
| | | | Default of 120 seconds. |
|--------------------|------------|----------|-------------------------------------|
| Tombstone | | False | Switch. Specifies that the search |
| | | | should also return |
| | | | deleted/tombstoned objects. |
|--------------------|------------|----------|-------------------------------------|
| TrustedToAuth | | False | Switch. Return computer objects |
| | | | that are trusted to authenticate |
| | | | for other principals. |
'--------------------'------------'----------'-------------------------------------'
(Empire: usemodule/powershell/situational_awareness/network/powerview/get_user) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/network/powerview/get_user) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/network/powerview/get_user.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/network/powerview.ps1
- https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/
- http://attack.mitre.org/software/S0194
- http://attack.mitre.org/techniques/T1033
See Also
Check also the following modules related to this module:
- powershell/situational_awareness/network/powerview/get_loggedon
- powershell/situational_awareness/network/powerview/get_cached_rdpconnection
- powershell/situational_awareness/network/powerview/get_subnet
- powershell/situational_awareness/network/powerview/get_ou
- powershell/situational_awareness/network/powerview/get_subnet_ranges
- powershell/situational_awareness/network/powerview/get_gpo_computer
- powershell/situational_awareness/network/powerview/get_forest
- powershell/situational_awareness/network/powerview/get_domain_controller
- powershell/situational_awareness/network/powerview/get_group
- powershell/situational_awareness/network/powerview/get_session
- powershell/situational_awareness/network/powerview/get_computer
- powershell/situational_awareness/network/powerview/get_domain_policy
- powershell/situational_awareness/network/powerview/get_gpo
- powershell/situational_awareness/network/powerview/get_domain_trust
- powershell/situational_awareness/network/powerview/get_forest_domain
- powershell/situational_awareness/network/powerview/get_fileserver
- powershell/situational_awareness/network/powerview/get_site
- powershell/situational_awareness/network/powerview/get_rdp_session
- powershell/situational_awareness/network/powerview/get_object_acl
- powershell/situational_awareness/network/powerview/get_localgroup
- powershell/situational_awareness/network/powerview/get_group_member
- powershell/situational_awareness/network/powerview/get_dfs_share
- powershell/situational_awareness/network/get_sql_server_info
- powershell/situational_awareness/network/get_kerberos_service_ticket
- powershell/situational_awareness/network/get_sql_instance_domain
- powershell/situational_awareness/network/get_spn
- powershell/situational_awareness/network/powermad/get_adidns_zone
- powershell/situational_awareness/network/powermad/get_adidns_permission
- powershell/management/sid_to_user
- powershell/situational_awareness/network/powerview/find_foreign_user
- powershell/situational_awareness/network/powerview/user_hunter
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.
