Pentester's Promiscuous Notebook
User Hunt
http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
https://www.slideshare.net/harmj0y/i-hunt-sys-admins-20
Find domain machines where the target user currently has a session (PowerView):
PS > Find-DomainUserLocation -UserIdentity snovvcrash
Sessions Enum
http://www.harmj0y.net/blog/powershell/powershell-and-win32-api-access/
http://www.harmj0y.net/blog/powershell/powerquinsta/
Derivative Local Admins
http://www.harmj0y.net/blog/redteaming/local-group-enumeration/
https://medium.com/@sixdub/derivative-local-admin-cdd09445aac8
https://wald0.com/?p=14
http://www.offensiveops.io/tools/bloodhound-working-with-results/
Pen Testing Active Directory Environments (Varonis).pdf
Logon Events
https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/5175f64c111ffcc13250e3cf818f05ca46654af5/wmiutility.cs#L194
Search for the IPs from which the user of interest logged on to the current machine (event 4624). Reading the Security log requires local admin (or Event Log Readers) rights, and Get-EventLog exists only in Windows PowerShell (use Get-WinEvent on PowerShell 7):
PS > Get-EventLog Security -InstanceId 4624 | ? {$_.Message.Contains("snovvcrash")} | select -First 10 | fl * | Out-File C:\Windows\Temp\user.dat
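A more robust version of the same hunt, added here as an example and not taken from the notebook or the linked projects: it reads 4624 events with Get-WinEvent, pulls TargetUserName, IpAddress, LogonType and WorkstationName out of the event XML instead of substring-matching the Message text (which also catches the account in unrelated fields), drops local/loopback sources, and summarises one row per source IP. The parameter names ($User, $OutFile, $MaxEvents) and the CSV output are assumptions for the example.

```powershell
# Added example: source-IP hunt for a user's logons via Security event 4624.
# Needs local admin (or Event Log Readers) to read the Security log.
# $User / $OutFile / $MaxEvents are assumed parameter names for this example.
param(
    [string]$User      = 'snovvcrash',
    [string]$OutFile   = 'C:\Windows\Temp\user.csv',
    [int]   $MaxEvents = 5000
)

# Filter on the log and event ID server-side; -MaxEvents bounds the read on busy hosts.
$filter = @{ LogName = 'Security'; Id = 4624 }

$hits = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
    ForEach-Object {
        # EventData/Data carries the structured fields; the Message text is only a rendering.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType  = [int]$d.LogonType      # 3 = network, 10 = RDP, 2 = console
            SourceIP   = $d.IpAddress           # '-' for console logons
            SourceHost = $d.WorkstationName
            AuthPkg    = $d.AuthenticationPackageName
        }
    } |
    Where-Object {
        $_.User -like "*\$User" -and
        $_.SourceIP -notin @('-', '::1', '127.0.0.1')
    }

# One row per source IP: how often, which logon types, and when it was last seen.
$summary = $hits | Group-Object SourceIP | ForEach-Object {
    [pscustomobject]@{
        SourceIP   = $_.Name
        Logons     = $_.Count
        LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','
        LastSeen   = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
    }
} | Sort-Object Logons -Descending

$summary | Format-Table -AutoSize
$hits    | Export-Csv -Path $OutFile -NoTypeInformation
```

Logon type 10 (RemoteInteractive) from an IP means the user RDP'd in from there, which is the machine you want next; type 3 entries are usually SMB/WinRM/scheduled activity and may point at servers rather than the user's workstation. Add -ComputerName to Get-WinEvent to run the same query against another host you already have rights on.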