@http_error_418 I was thinking about pulling EDR logs for the systems, but I care less about people who actually abused it than about demonstrating impact of a domain-level misconfiguration. Essentially: You closed this pentest finding with "yeah, we minimized the abusability" but I am pretty sure there still are ~200 users that can abuse it. Fix it!!!
@http_error_418 unfortunately logging will only provide a lower bound (given our raw log retention is too low...) & mostly include poweradmins (which I am honestly less worried about), not the folx that maintained those permissions as fallbacks or due to shared responsibilities over the systems or...
@nyanbinary I'm painfully aware of the risks that people with local admin present, but I believe the simple answer is "there's no way that doesn't involve some kind of code execution"