# Check local processes
net group "Domain Admins" /domain
# The account running each process is shown in the 7th column:
tasklist /v
# Then compare the two results
Sessions
# Query the domain controllers to check for active domain sessions:
net group "Domain Controllers" /domain (save the output to dcs.txt)
nslookup -type=SRV _ldap._tcp.
net group "Domain Admins" /domain (save the output to admins.txt)
netsess.exe
netsess.exe servername
netsess.exe servername /full (admin rights required)
FOR /F %i in (dcs.txt) DO @echo [+] Querying DC %i && @netsess -h %i 2>nul > sessions.txt && FOR /F %a in (admins.txt) DO @type sessions.txt | @findstr /I %a
Process owners
net group "Domain Admins" /domain (save the output to admins.txt)
FOR /F %i in (ips.txt) DO @echo [+] %i && @tasklist /V /S %i /U user /P password 2>NUL > output.txt && FOR /F %n in (admins.txt) DO @type output.txt | findstr %n > NUL &&echo[!] %n was found running a process on %i && pause
Scanning remote systems using NBT
net group "Domain Admins" /domain (save the output to admins.txt)
for /F %i in (ips.txt) do @echo [+] Checking %i && nbtstat -A %i 2>NUL >nbsessions.txt && FOR /F %n in (admins.txt) DO @type nbsessions.txt | findstr /I %n > NUL &&echo[!] %n was found logged into %i
# OR, if nbtscan has been uploaded to the host:
for /F %i in (ips.txt) do @echo [+] Checking %i && nbtscan -f %i 2>NUL >nbsessions.txt && FOR /F %n in (admins.txt) DO @type nbsessions.txt | findstr /I %n > NUL &&echo[!] %n was found logged into %i