LACheck: Multithreaded C# .NET Assembly Local Administrative Privilege Enumeration
Enumeration Methods
Performance Summary
| | SMB | WMI | WinRM |
|---|---|---|---|
| /edr | fast | fast | fast |
| /logons | fast | fast | fast |
| /services | slow | fast | fast |
| /registry | slow | fast | – |

– = not implemented
SMB
/edr
Inspired by harleyQu1nn’s EDR.cna script
The Directory.GetFiles method returns a list of drivers from:
- \\host\C$\windows\system32\drivers
- \\host\C$\windows\sysnative\drivers
Drivers are looked up against a list of known drivers used by EDR vendors.
Example output (run as the svcadmin user)
/logons
NetWkstaUserEnum returns a list of users with interactive, service and batch logons
WTSEnumerateSessionsA returns a list of RDP sessions on a host
WTSQuerySessionInformationA retrieves detailed information for each RDP session
Example output (run as the svcadmin user)
/registry
Iterates through the SIDs in the \\Computer\HKEY_USERS\ hive, attempts to open the Volatile Environment key under each SID, and reads the USERDOMAIN and USERNAME values.
This method requires the Remote Registry service to be running on the remote host. If it is not:
- The initial start type of the Remote Registry service is recorded
- start type is changed to Automatic
- Remote Registry service is started
- registry hives are enumerated
- Remote Registry service is stopped
- start type is reverted to its initially recorded value
Because enumerating each host can take several steps, this method may be slower than the alternatives; smb /logons is faster.
Example output (run as the svcadmin user):
[registry] WEB01 - contoso\devadmin (svcadmin)
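The start-type change, start, stop and revert sequence described above leaves Service Control Manager events 7040 (start type changed) and 7036 (state changed) in the target's System log. As an added defender-side illustration, not code from LACheck, this Python snippet flags hosts where that complete sequence for the Remote Registry service occurs within a short window; the event records are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample System-log records (host, ISO time, event id, message); not
# from the page or the LACheck project. SCM event 7040 = start type changed,
# 7036 = service state changed. WEB01 shows the full change/start/stop/revert
# sequence; FILE02 is an admin who enabled the service and left it running.
SAMPLE_EVENTS = [
    ("WEB01", "2020-06-01T10:00:00", 7040, "The start type of the Remote Registry service was changed from disabled to auto start."),
    ("WEB01", "2020-06-01T10:00:01", 7036, "The Remote Registry service entered the running state."),
    ("WEB01", "2020-06-01T10:00:03", 7036, "The Remote Registry service entered the stopped state."),
    ("WEB01", "2020-06-01T10:00:03", 7040, "The start type of the Remote Registry service was changed from auto start to disabled."),
    ("FILE02", "2020-06-01T11:00:00", 7040, "The start type of the Remote Registry service was changed from disabled to auto start."),
    ("FILE02", "2020-06-01T11:00:02", 7036, "The Remote Registry service entered the running state."),
]

START_TYPE_RE = re.compile(r"of the (.+?) service was changed from (.+?) to (.+?)\.")
STATE_RE = re.compile(r"The (.+?) service entered the (\w+) state\.")

def find_remote_registry_bounce(events, service="Remote Registry", window=timedelta(minutes=5)):
    """Return {host: (first_time, revert_time)} for hosts where, within `window`,
    the service's start type was changed, it entered running, then stopped,
    and the start type was set back to its original value."""
    by_host = defaultdict(list)
    for host, t, eid, msg in events:
        by_host[host].append((datetime.fromisoformat(t), eid, msg))
    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])  # stable sort keeps same-second order
        for i, (t0, eid, msg) in enumerate(evs):
            m = START_TYPE_RE.search(msg) if eid == 7040 else None
            if not m or m.group(1) != service:
                continue
            original, stage = m.group(2), 0  # stages: running -> stopped -> revert
            for t, eid2, msg2 in evs[i + 1:]:
                if t - t0 > window:
                    break
                s = STATE_RE.search(msg2) if eid2 == 7036 else None
                r = START_TYPE_RE.search(msg2) if eid2 == 7040 else None
                if s and s.group(1) == service and stage < 2 and s.group(2) == ("running", "stopped")[stage]:
                    stage += 1
                elif r and r.group(1) == service and stage == 2 and r.group(3) == original:
                    hits[host] = (t0.isoformat(), t.isoformat())
                    break
            if host in hits:
                break
    return hits
```

Hosts that only show the first half of the sequence (like FILE02) are not flagged, which keeps ordinary administrative enabling of the service out of the alert.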
/services
The ServiceController.GetServices method retrieves a list of services on a host.
Each service is queried to determine the user it is configured to run as.
Because each service must be queried individually, this method may be slower than the alternatives; wmi /services is faster.
Example output (run as the svcadmin user):
[service] WEB01 - devadmin@consoso.com Service: secretsvc State: Running (svcadmin)
WMI
/edr
Inspired by harleyQu1nn’s EDR.cna script
The CIM_DataFile class returns a list of drivers from:
- \\host\C$\windows\system32\drivers
- \\host\C$\windows\sysnative\drivers
Drivers are looked up against a list of known drivers used by EDR vendors.
Example output (run as the svcadmin user)
/logons
The Win32_LoggedOnUser class returns a list of logged-on sessions.
The Win32_LogonSession class returns detailed information for each session.
Example output (run as the svcadmin user)
/registry
Queries the Win32_UserProfile class to retrieve SIDs for user profiles on a system.
The EnumKey method of the StdRegProv class enumerates the \\Computer\HKEY_USERS\ hive and, for each returned SID, attempts to access the Volatile Environment key to retrieve the USERDOMAIN and USERNAME values.
Example output (run as the svcadmin user):
[registry] WEB01 - contoso\devadmin (svcadmin)
/services
Queries the Win32_Service class to retrieve the name, user, and state of each service.
Example output (run as the svcadmin user):
[service] WEB01 - devadmin@consoso.com Service: secretsvc State: Running (svcadmin)
WinRM
Each WMI check is also implemented using WMI Resources and WMI Enumeration over WinRM.
This avoids the use of PowerShell runspaces.
Copyright (c) 2020 Mitchell Moser