Find-DomainUserLocation - Empire Module
This page contains detailed information about how to use the powershell/situational_awareness/network/powerview/user_hunter Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Find-DomainUserLocation
Module: powershell/situational_awareness/network/powerview/user_hunter
Source code [1]: empire/server/modules/powershell/situational_awareness/network/powerview/user_hunter.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/network/powerview.ps1
MITRE ATT&CK:
T1033, S0194
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes
The user_hunter module finds which machines users of a specified group are logged into. Part of PowerView.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the user_hunter module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the user_hunter module:
Agent
Agent to run module on.
Additional Module Options
This is a list of additional options that are supported by the user_hunter module:
CheckAccess
Switch. Check if the current user has local admin access to found machines.
ComputerLDAPFilter
Host filter name to query AD for, wildcards accepted.
ComputerName
Hosts to enumerate.
ComputerOperatingSystem
Return computers with a specific operating system, wildcards accepted.
ComputerSearchBase
Specifies the LDAP source to search through for computers.
ComputerServicePack
Return computers with the specified service pack, wildcards accepted.
ComputerSiteName
Return computers in the specific AD Site name, wildcards accepted.
Delay
Delay between enumerating hosts, defaults to 0.
Domain
The domain to use for the query, defaults to the current domain.
Jitter
Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3.
OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String.
Suggested values: Out-String, ConvertTo-Json, ConvertTo-Csv, ConvertTo-Html, ConvertTo-Xml.
ResultPageSize
Specifies the PageSize to set for the LDAP searcher object.
SearchScope
Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
Server
Active Directory server (domain controller) to reflect LDAP queries through.
ServerTimeLimit
Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
ShowAll
Switch. Return all user location results without filtering.
Stealth
Switch. Only enumerate sessions from connonly used target servers.
StealthSource
The source of target servers to use, 'DFS' (distributed file servers),.
StopOnSuccess
Switch. Stop hunting after finding after finding a target user.
Threads
The maximum concurrent threads to execute.
Tombstone
Switch. Specifies that the search should also return deleted/tombstoned objects.
Default value: False.
UserAdminCount
Switch. Search for users users with '(adminCount=1)' (meaning are/were privileged).
UserAllowDelegation
Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation'.
UserDomain
Specifies the domain to query for users to search for, defaults to the current domain.
UserGroupIdentity
Group name to query for target users.
UserIdentity
Specific username to search for.
UserLDAPFilter
A customized ldap filter string to use for user enumeration, e.g. "(description=*admin*).
UserSearchBase
Specifies the LDAP source to search through for target users.
User_hunter Example Usage
Here's an example of how to use the user_hunter module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/network/powerview/user_hunter
Author @harmj0y
Background True
Comments https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/
Description Finds which machines users of a specified group are logged into. Part
of PowerView.
Language powershell
Name powershell/situational_awareness/network/powerview/user_hunter
NeedsAdmin False
OpsecSafe True
Software http://attack.mitre.org/software/S0194
Techniques http://attack.mitre.org/techniques/T1033
,Record Options-----------,------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|-------------------------|------------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|-------------------------|------------|----------|-------------------------------------|
| CheckAccess | | False | Switch. Check if the current user |
| | | | has local admin access to found |
| | | | machines. |
|-------------------------|------------|----------|-------------------------------------|
| ComputerLDAPFilter | | False | Host filter name to query AD for, |
| | | | wildcards accepted. |
|-------------------------|------------|----------|-------------------------------------|
| ComputerName | | False | Hosts to enumerate. |
|-------------------------|------------|----------|-------------------------------------|
| ComputerOperatingSystem | | False | Return computers with a specific |
| | | | operating system, wildcards |
| | | | accepted. |
|-------------------------|------------|----------|-------------------------------------|
| ComputerSearchBase | | False | Specifies the LDAP source to search |
| | | | through for computers |
|-------------------------|------------|----------|-------------------------------------|
| ComputerServicePack | | False | Return computers with the specified |
| | | | service pack, wildcards accepted. |
|-------------------------|------------|----------|-------------------------------------|
| ComputerSiteName | | False | Return computers in the specific AD |
| | | | Site name, wildcards accepted. |
|-------------------------|------------|----------|-------------------------------------|
| Delay | | False | Delay between enumerating hosts, |
| | | | defaults to 0. |
|-------------------------|------------|----------|-------------------------------------|
| Domain | | False | The domain to use for the query, |
| | | | defaults to the current domain. |
|-------------------------|------------|----------|-------------------------------------|
| Jitter | | False | Specifies the jitter (0-1.0) to |
| | | | apply to any specified -Delay, |
| | | | defaults to +/- 0.3. |
|-------------------------|------------|----------|-------------------------------------|
| OutputFunction | Out-String | False | PowerShell's output function to use |
| | | | ("Out-String", "ConvertTo-Json", |
| | | | "ConvertTo-Csv", "ConvertTo-Html", |
| | | | "ConvertTo-Xml"). |
|-------------------------|------------|----------|-------------------------------------|
| ResultPageSize | | False | Specifies the PageSize to set for |
| | | | the LDAP searcher object. |
|-------------------------|------------|----------|-------------------------------------|
| SearchScope | | False | Specifies the scope to search |
| | | | under, Base/OneLevel/Subtree |
| | | | (default of Subtree) |
|-------------------------|------------|----------|-------------------------------------|
| Server | | False | Active Directory server (domain |
| | | | controller) to reflect LDAP queries |
| | | | through. |
|-------------------------|------------|----------|-------------------------------------|
| ServerTimeLimit | | False | Specifies the maximum amount of |
| | | | time the server spends searching. |
| | | | Default of 120 seconds. |
|-------------------------|------------|----------|-------------------------------------|
| ShowAll | | False | Switch. Return all user location |
| | | | results without filtering. |
|-------------------------|------------|----------|-------------------------------------|
| Stealth | | False | Switch. Only enumerate sessions |
| | | | from connonly used target servers. |
|-------------------------|------------|----------|-------------------------------------|
| StealthSource | | False | The source of target servers to |
| | | | use, 'DFS' (distributed file |
| | | | servers), |
|-------------------------|------------|----------|-------------------------------------|
| StopOnSuccess | | False | Switch. Stop hunting after finding |
| | | | after finding a target user. |
|-------------------------|------------|----------|-------------------------------------|
| Threads | | False | The maximum concurrent threads to |
| | | | execute. |
|-------------------------|------------|----------|-------------------------------------|
| Tombstone | False | False | Switch. Specifies that the search |
| | | | should also return |
| | | | deleted/tombstoned objects. |
|-------------------------|------------|----------|-------------------------------------|
| UserAdminCount | | False | Switch. Search for users users with |
| | | | '(adminCount=1)' (meaning are/were |
| | | | privileged). |
|-------------------------|------------|----------|-------------------------------------|
| UserAllowDelegation | | False | Switch. Return user accounts that |
| | | | are not marked as 'sensitive and |
| | | | not allowed for delegation' |
|-------------------------|------------|----------|-------------------------------------|
| UserDomain | | False | Specifies the domain to query for |
| | | | users to search for, defaults to |
| | | | the current domain. |
|-------------------------|------------|----------|-------------------------------------|
| UserGroupIdentity | | False | Group name to query for target |
| | | | users. |
|-------------------------|------------|----------|-------------------------------------|
| UserIdentity | | False | Specific username to search for. |
|-------------------------|------------|----------|-------------------------------------|
| UserLDAPFilter | | False | A customized ldap filter string to |
| | | | use for user enumeration, e.g. |
| | | | "(description=*admin*)" |
|-------------------------|------------|----------|-------------------------------------|
| UserSearchBase | | False | Specifies the LDAP source to search |
| | | | through for target users. |
'-------------------------'------------'----------'-------------------------------------'
(Empire: usemodule/powershell/situational_awareness/network/powerview/user_hunter) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/network/powerview/user_hunter) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/network/powerview/user_hunter.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/network/powerview.ps1
- https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/
- http://attack.mitre.org/software/S0194
- http://attack.mitre.org/techniques/T1033
See Also
Check also the following modules related to this module:
- powershell/situational_awareness/network/powerview/get_loggedon
- powershell/situational_awareness/network/powerview/get_cached_rdpconnection
- powershell/situational_awareness/network/powerview/find_foreign_user
- powershell/situational_awareness/network/powerview/find_gpo_computer_admin
- powershell/situational_awareness/network/powerview/get_subnet
- powershell/situational_awareness/network/powerview/get_ou
- powershell/situational_awareness/network/powerview/get_subnet_ranges
- powershell/situational_awareness/network/powerview/get_gpo_computer
- powershell/situational_awareness/network/powerview/get_forest
- powershell/situational_awareness/network/powerview/get_domain_controller
- powershell/situational_awareness/network/powerview/find_localadmin_access
- powershell/situational_awareness/network/powerview/find_foreign_group
- powershell/situational_awareness/network/powerview/get_group
- powershell/situational_awareness/network/powerview/get_session
- powershell/situational_awareness/network/powerview/get_computer
- powershell/situational_awareness/network/powerview/set_ad_object
- powershell/situational_awareness/network/powerview/get_domain_policy
- powershell/situational_awareness/network/powerview/get_gpo
- powershell/situational_awareness/network/powerview/get_domain_trust
- powershell/situational_awareness/network/powerview/get_forest_domain
- powershell/situational_awareness/network/powerview/map_domain_trust
- powershell/situational_awareness/network/powerview/get_fileserver
- powershell/situational_awareness/network/powerview/process_hunter
- powershell/situational_awareness/network/powerview/get_site
- powershell/situational_awareness/network/powerview/get_rdp_session
- powershell/situational_awareness/network/powerview/get_object_acl
- powershell/situational_awareness/network/powerview/get_localgroup
- powershell/situational_awareness/network/powerview/share_finder
- powershell/situational_awareness/network/powerview/get_group_member
- powershell/situational_awareness/network/powerview/get_user
- powershell/situational_awareness/network/powerview/find_gpo_location
- powershell/situational_awareness/network/powerview/get_dfs_share
- powershell/situational_awareness/network/powerview/find_managed_security_group
- powershell/management/user_to_sid
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.
