
Local Admin Hunting (Derivative Local Admin)

There is a chance that the domain user you have access to is a local administrator on some machine in the network without you being aware of it. Such a user is sometimes referred to as a Derivative Local Admin. There is no simple method to enumerate the local groups of a remote machine, and information about local administrators is not stored in the DC.

Fortunately, there are tools that attempt to connect to different hosts in the domain with your user in an automated way and thus determine whether you are a local administrator on a particular machine. Keep in mind that these tools are often very noisy on the network. Of course, manual lateral movement and password spraying are also possible, although they can be time-consuming.

Windows:

# Find local admin access using PowerShell Remoting
. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
 
# Find local admin access using WMI
. .\Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess
 
# Find local admin access using different checks
. .\PowerView.ps1
Find-LocalAdminAccess -Verbose
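The noise mentioned above is what a defender can key on: every tool of this kind authenticates with one account against many hosts in a short time, which shows up as a burst of network logons (Security event 4624 with logon type 3) and failures (4625) from a single source address across many distinct hosts. The following detection is an added example and is not part of the original page or of the tools it lists; the log lines are constructed to mimic a SIEM's normalised view of those events, and the thresholds (5 distinct hosts within 5 minutes) are assumptions to be tuned per environment.

```python
"""Flag a single principal fanning out to many hosts in a short window.

Added example: a sliding-window detection over constructed logon records,
not code from the page. Real deployments would read these fields from the
Security log or a SIEM rather than from the embedded sample below.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). jdoe shows normal
# interactive and file-server use; svc_backup sweeps eight workstations in
# under a minute with a mix of successes and failures, the pattern that
# Find-LocalAdminAccess-style tools produce. One malformed line is included
# to show the parser skipping it.
SAMPLE_LOG = """\
2024-05-01T09:58:40Z EventID=4624 LogonType=2 Account=CORP\\jdoe SourceIP=127.0.0.1 Host=WS10
2024-05-01T10:00:01Z EventID=4624 LogonType=3 Account=CORP\\jdoe SourceIP=10.0.0.5 Host=FS01
2024-05-01T10:03:12Z EventID=4624 LogonType=3 Account=CORP\\jdoe SourceIP=10.0.0.5 Host=PRINT01
2024-05-01T10:41:00Z EventID=4624 LogonType=3 Account=CORP\\jdoe SourceIP=10.0.0.5 Host=FS01
2024-05-01T11:00:00Z EventID=4624 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.77 Host=WS01
2024-05-01T11:00:02Z EventID=4625 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.77 Host=WS02
2024-05-01T11:00:05Z EventID=4624 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.77 Host=WS03
2024-05-01T11:00:09Z EventID=4625 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.77 Host=WS04
2024-05-01T11:00:14Z EventID=4624 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.77 Host=WS05
2024-05-01T11:00:20Z EventID=4625 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.77 Host=WS06
2024-05-01T11:00:27Z EventID=4624 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.77 Host=WS07
2024-05-01T11:00:35Z EventID=4625 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.77 Host=WS08
this line is not a logon record and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"Account=(?P<acct>\S+)\s+SourceIP=(?P<src>\S+)\s+Host=(?P<host>\S+)$"
)


def parse_line(line):
    """Parse one normalised record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "account": m["acct"],
        "source": m["src"],
        "host": m["host"],
    }


def find_sweeps(lines, window=timedelta(minutes=5), min_hosts=5):
    """Return {(account, source_ip): sorted hosts} for every principal that
    produced network logon events (4624/4625, logon type 3) against at least
    `min_hosts` distinct hosts inside any `window`-long interval."""
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event_id"] not in (4624, 4625) or ev["logon_type"] != 3:
            continue  # skip malformed lines and non-network logons
        by_key[(ev["account"], ev["source"])].append(ev)

    hits = {}
    for key, events in by_key.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[key] = sorted(hosts | set(hits.get(key, ())))
    return hits


if __name__ == "__main__":
    for (account, source), hosts in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible local admin sweep: {account} from {source} -> {len(hosts)} hosts: {', '.join(hosts)}")
```

Counting distinct hosts rather than raw event volume matters: a file server that one user hits hundreds of times is normal, whereas one account touching many different hosts once each within minutes is the signature of a sweep, whether the individual logons succeed or fail.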
