(l)user hunter using WinAPI calls only

[Nytro]

hunter

(l)user hunter using WinAPI calls only

Introduction:

During Red Team engagments it is common to track/hunt specific users. Assuming we already have access to a desktop as a normal user (no matter how, always "assume compromise") in a Windows Domain and we want to spread laterally. We want to know where the user is logged on, if he is a local administrator in any box, to which groups he belongs, if he has access to file shares, and so on. Enumerating hosts, users, and groups will also help to get a better understanding of the Domain layout.

You might be thinking, "use Powerview". Lately, one of the most common problems I encounter during Red Team exercises is the fact that PowerShell is heavily monitored. If you use it, you'll get caught, sooner or later. By now everyone is well aware how powerfull PowerShell is, including Blue Teams and Security Vendors.

There are multiple ways to work around this. To avoid using multiple old school tools (psloggedon.exe, netsess.exe, nltest, netview, among others) and to reduce the amount of tools uploaded to compromised systems I created a simple tool that doesn't require Administrative privileges to run and collect the information listed below, and relies only on the Windows API.

You might end up dealing with white list bypass and process evasion, but I'll leave that for another day.

 

Link: https://github.com/fdiskyou/hunter