Ok, question: Is there any way to determine the admins on a (windows) system remotely WITHOUT code execution on the system
(I guess I could get code execution on all the systems by way of EDR but I'd really like NOT to abuse permissions)
@nyanbinary depends if you count logging as code execution, but that one only works if you already enabled it before the admins get added
@http_error_418 I was thinking about pulling EDR logs for the systems, but I care less about people who actually abused it and more about demonstrating the impact of a domain-level misconfiguration. Essentially: You closed this pentest finding with "yeah, we minimized the abusability" but I am pretty sure there are still ~200 users that can abuse it. Fix it!!!
@http_error_418 unfortunately logging will only provide a lower bound (given our raw log retention is too low...) & mostly include poweradmins (which I am honestly less worried about), not the folx that maintained those permissions as fallbacks or due to shared responsibilities over the systems or...
@nyanbinary I'm painfully aware of the risks that people with local admin present, but I believe the simple answer is "there's no way that doesn't involve some kind of code execution"

@http_error_418 nawh :(

I guess EDR logs it is 😔

@nyanbinary Does WMI count as code execution?

@JmbFountain hehe, I was wondering if I should be more specific, specifically because of this

In the spirit of the question: I'd count it as it has the same hurdles (that is: visibility & permissions) as just direct code execution.

@nyanbinary As in zero authorization access?
@catsalad sorry, I don't get it, my brain isn't fully booted up yet 😔
@nyanbinary @catsalad powers on nyan
@chillybot @catsalad nooooooooooo I wanted to nap more!!!!
@nyanbinary @chillybot Oh, I was just asking if you're trying to poke at that remote server with any kind of access levels above a guest, or someone with no real access.
@catsalad ah, gotcha. Current limit is pretty much "domain user (non-guest)". Can mostly work around the FW with some non-approved shenanigans.
@nyanbinary @catsalad as in: you have a normal domain user account on machine A and want to enumerate admin/domain admin accounts remotely on machine B without code exec on B?
Or you don't (want to) have code exec on the machine you're logged in on?

@wall_e @catsalad I got a normal domain user. I got a domain-joined Windows with basic tools (PS AD module, subset of RSAT, ...) but limited network visibility. I got a domain-joined Windows with good visibility but limited tools. I got a non-joined Linux with visibility to DCs & a shitload of tools.

I want to check a lot of OTHER windows servers.

@nyanbinary Asking for a friend
@alexanderdyas nah, asking for myself. I could also just raise a request to get the list but if there is an easy DIY way...

@nyanbinary

I think using gpresult maybe? I am not sure, but I figured I'd mention it just in case

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult

Edit: to clarify, this is for domain joined machines. If not domain joined I honestly would not know.

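Following the gpresult suggestion above, an added PowerShell example (not from anyone in the thread) that runs gpresult against a list of servers and pulls the Restricted Groups entries out of the RSoP XML it writes. The server names are constructed, and the RSoP element names (RestrictedGroups, GroupName, Member, Name) are assumed from the gpresult /X output format rather than taken from the page.

```powershell
# Added example, not from the thread. Checks which servers actually receive a
# Restricted Groups policy and what it pushes into each group.
# Assumptions: the account running this may read computer-scope RSoP on the
# targets, gpresult /S can reach them over RPC/WMI, and the element names
# RestrictedGroups / GroupName / Member / Name match what gpresult /X emits.
$servers = @('srv-app01', 'srv-db02')   # constructed sample list; replace with your own

foreach ($server in $servers) {
    $xmlPath = Join-Path $env:TEMP "rsop-$server.xml"

    # /SCOPE COMPUTER limits the query to machine policy; /F overwrites an old file.
    & gpresult.exe /S $server /SCOPE COMPUTER /X $xmlPath /F 2>$null
    if (-not (Test-Path $xmlPath)) {
        Write-Warning "$server : no RSoP returned (unreachable, RPC blocked, or no rights)"
        continue
    }

    [xml]$rsop = Get-Content -Path $xmlPath -Raw

    # Namespace-agnostic XPath: the schema prefixes vary between exports.
    $groups = $rsop.SelectNodes("//*[local-name()='RestrictedGroups']")
    if ($groups.Count -eq 0) {
        Write-Output "$server : no Restricted Groups policy applies"
        Remove-Item $xmlPath -ErrorAction SilentlyContinue
        continue
    }

    foreach ($g in $groups) {
        $groupNode = $g.SelectSingleNode("*[local-name()='GroupName']/*[local-name()='Name']")
        $name      = if ($groupNode) { $groupNode.InnerText } else { '(unnamed group)' }
        $members   = $g.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                     ForEach-Object { $_.InnerText }
        Write-Output ("{0} : {1} <- {2}" -f $server, $name, ($members -join ', '))
    }

    Remove-Item $xmlPath -ErrorAction SilentlyContinue
}
```

By default reading another computer's RSoP remotely needs local admin on that host or an explicitly delegated "Generate Resultant Set of Policy (Logging)" right, which is the same permission hurdle the thread lands on. The output only reflects policy-pushed membership, so accounts someone added to a local group by hand will not show up here.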