LocalAdminAccess

Find Local Admin Access | https://github.com/Leo4j/Find-LocalAdminAccess

The LocalAdminAccess command in Amnesiac supports lateral movement within Active Directory environments. It loads the Find-LocalAdminAccess tool, which identifies the machines on which the current (or a supplied) account holds local administrator rights and then uses that access. With it, users can check for local admin access across a domain, run commands on the hosts where that access exists, and obtain shells on them.

Find-LocalAdminAccess Functionality

  • Check Local Admin Access: Find-LocalAdminAccess scans the current domain, or a specified target domain, for hosts where the account is a local administrator, using one of three methods: SMB, WMI, or PSRemoting.

  • Credential Support: Find-LocalAdminAccess runs as the current user by default; alternate credentials can be supplied for more targeted scans, but only with the WMI and PSRemoting methods.

  • Execute Commands: Users can specify a command to run on every target where local admin access is identified, which allows post-exploitation steps to be automated.

  • Flexible Target Specification: Targets can be given individually or as a list of hostnames read from a file.

  • InLine: The InLine flag makes Find-LocalAdminAccess return its results as a single comma-separated string, which is convenient when you want to paste the hosts back in as an explicit target list.
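To make the mechanics behind the list above concrete, here is an added example written for this page; it is not code from Find-LocalAdminAccess or Amnesiac and makes no claim about how those tools implement the check. It tests local admin access over SMB (readability of the ADMIN$ share), WMI (a DCOM query, which remote Windows only allows administrators by default) or PSRemoting (a WinRM connection), honours alternate credentials only for the latter two, optionally runs a command on each host where the check succeeds, and can return the results comma-separated. The function name, parameter names and the hostnames in the usage lines are assumptions chosen for the example.

```powershell
# Added example, not code from Find-LocalAdminAccess or Amnesiac: a minimal
# local-admin check over SMB, WMI or PSRemoting with optional alternate
# credentials, optional command execution and comma-separated output.
# Intended for Windows PowerShell 5.1 on a domain-joined host.
function Test-LocalAdminAccess {
    [CmdletBinding()]
    param(
        # Targets, given directly or as (Get-Content .\targets.txt)
        [Parameter(Mandatory)][string[]]$ComputerName,
        [ValidateSet('SMB', 'WMI', 'PSRemoting')][string]$Method = 'SMB',
        # Alternate credentials; only honoured by WMI and PSRemoting
        [System.Management.Automation.PSCredential]$Credential,
        # Optional command to run on every host where the check succeeds
        [string]$Command,
        # Return one comma-separated string instead of an array
        [switch]$InLine
    )

    if ($Credential -and $Method -eq 'SMB') {
        throw 'Alternate credentials need WMI or PSRemoting; SMB runs as the current logon.'
    }
    if ($Command -and $Method -eq 'SMB') {
        throw 'Command execution needs WMI or PSRemoting; SMB only tests ADMIN$.'
    }

    # Splat the credential only when one was supplied, so the current
    # token (including its Kerberos tickets) is used otherwise.
    $auth = @{}
    if ($Credential) { $auth.Credential = $Credential }

    $admins = foreach ($computer in $ComputerName) {
        $ok = $false
        try {
            switch ($Method) {
                # ADMIN$ is only readable by members of the local Administrators group
                'SMB' {
                    $ok = Test-Path -Path "\\$computer\ADMIN$" -ErrorAction SilentlyContinue
                }
                # Remote DCOM/WMI namespace access is admin-only by default
                'WMI' {
                    $null = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer @auth -ErrorAction Stop
                    $ok = $true
                }
                # WinRM: administrators (and Remote Management Users) can connect
                'PSRemoting' {
                    $null = Invoke-Command -ComputerName $computer -ScriptBlock { $env:COMPUTERNAME } @auth -ErrorAction Stop
                    $ok = $true
                }
            }
        } catch {
            Write-Verbose "$computer : $($_.Exception.Message)"
        }
        if (-not $ok) { continue }

        if ($Command) {
            if ($Method -eq 'WMI') {
                # Win32_Process.Create starts the command as the connecting user
                $r = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $Command -ComputerName $computer @auth
                Write-Verbose "$computer : Win32_Process.Create returned $($r.ReturnValue), PID $($r.ProcessId)"
            } else {
                Invoke-Command -ComputerName $computer -ScriptBlock { param($c) cmd.exe /c $c } -ArgumentList $Command @auth
            }
        }
        $computer   # emit the host on which the check succeeded
    }

    if ($InLine) { return ($admins -join ',') }
    return $admins
}

# Usage (hostnames and account are constructed for illustration):
# Test-LocalAdminAccess -ComputerName 'ws01.corp.local','srv02.corp.local' -Method SMB -InLine
# $cred = Get-Credential 'CORP\svc_backup'
# Test-LocalAdminAccess -ComputerName (Get-Content .\targets.txt) -Method WMI -Credential $cred -Command 'whoami > C:\Windows\Temp\w.txt' -Verbose
```

Two points worth keeping in mind when reading the real tool's output: the PSRemoting check succeeds for members of Remote Management Users as well as local administrators, so a WinRM hit is not by itself proof of admin rights, and every probe is an authenticated network logon on the target (a type 3 logon in the target's Security log), so a domain-wide sweep is noisy by design.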

Shell Access

Once the hosts on which the current user is a local admin are known, the following commands obtain a shell on them:

  • shell_smbadmin: Get a shell on targets where the current user is a local admin, using SMB.

  • shell_wmiadmin: Get a shell on targets where the current user is a local admin, using WMI. Alternate credentials can be supplied for authentication.

  • shell_psadmin: Get a shell on targets where the current user is a local admin, using PSRemoting. Alternate credentials can be supplied for authentication.

Only shell_wmiadmin and shell_psadmin accept alternate credentials; shell_smbadmin always runs as the current user.

Whichever of the three commands is used, Amnesiac first checks the account's access and then runs its payload on every target where local admin access was identified. After the payload has been executed, Amnesiac switches to network checking mode to detect and capture the sessions that call back, and notifies the user of each new session as it is established.

Advanced Usage

For advanced usage and the full list of options of the Find-LocalAdminAccess tool, see the official GitHub repository at https://github.com/Leo4j/Find-LocalAdminAccess, which documents the tool's parameters and behaviour in detail.
