Admin and Processes

Local Processes

# List the Domain Admins group, then list local processes with their owning account
net group "Domain Admins" /domain

# With /v the account running each process is in the 7th column (User Name):
tasklist /v

# Then compare the 2 results


Sessions

# Query the DCs for active domain sessions:
net group "Domain Controllers" /domain (build dcs.txt with it)
nslookup -type=SRV _ldap._tcp.
net group "Domain Admins" /domain (build admins.txt with it, one name per line: FOR /F reads only the first token of each line by default, and net group prints several names per line)
netsess.exe
netsess.exe servername
netsess.exe servername /full (admin required)
FOR /F %i in (dcs.txt) DO @echo [+] Querying DC %i && @netsess -h %i 2>nul > sessions.txt && FOR /F %a in (admins.txt) DO @type sessions.txt | findstr /I %a


Process owners

net group "Domain Admins" /domain (build admins.txt with it)
FOR /F %i in (ips.txt) DO @echo [+] %i && @tasklist /V /S %i /U user /P password 2>NUL > output.txt && FOR /F %n in (admins.txt) DO @type output.txt | findstr %n > NUL && echo [!] %n was found running a process on %i && pause
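The same comparison as the local and remote tasklist sections above, run offline over saved output as an added audit example (not part of the original cheat sheet): it parses `net group` and `tasklist /v /fo csv /nh` output and matches the account part of DOMAIN\user exactly, which avoids the substring false positives of `findstr` (da_jsmith would otherwise also match da_jsmithson). All sample output and account names are constructed.

```python
import csv
import io

# Constructed sample of `net group "Domain Admins" /domain` output (not real data).
NET_GROUP_OUTPUT = """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            da_jsmith                da_ops
The command completed successfully.
"""

# Constructed sample of `tasklist /v /fo csv /nh` from one host (not real data).
# With /v the user name is the 7th column, as the cheat sheet notes.
TASKLIST_CSV = """\
"svchost.exe","912","Services","0","11,204 K","Unknown","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"explorer.exe","4120","Console","1","58,332 K","Running","CORP\\da_jsmith","0:00:09","Program Manager"
"cmd.exe","5208","Console","1","4,120 K","Running","CORP\\da_jsmithson","0:00:00","Command Prompt"
"notepad.exe","6012","RDP-Tcp#3","2","9,876 K","Running","CORP\\bob","0:00:00","Untitled - Notepad"
"""

def parse_net_group(text):
    """Member names sit between the dashed rule and the 'command completed' footer."""
    body = text.split("\n----", 1)[1].split("The command completed", 1)[0]
    return {name.lower() for name in body.split() if not name.startswith("-")}

def parse_tasklist_csv(text):
    """Yield (image, pid, user) rows from `tasklist /v /fo csv /nh` output."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 7:
            yield row[0], row[1], row[6]

def find_admin_processes(admins, tasklist_text):
    """Flag processes whose owning account (the part after DOMAIN\\) is a listed admin.
    Exact, case-insensitive match; findstr's substring match would also flag da_jsmithson."""
    hits = []
    for image, pid, user in parse_tasklist_csv(tasklist_text):
        if user.rsplit("\\", 1)[-1].lower() in admins:
            hits.append((image, pid, user))
    return hits

if __name__ == "__main__":
    admins = parse_net_group(NET_GROUP_OUTPUT)
    for image, pid, user in find_admin_processes(admins, TASKLIST_CSV):
        print(f"[!] {user} owns {image} (PID {pid})")
```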


Scanning remote systems using NBT

net group "Domain Admins" /domain (build admins.txt with it)
for /F %i in (ips.txt) do @echo [+] Checking %i && nbtstat -A %i 2>NUL >nbsessions.txt && FOR /F %n in (admins.txt) DO @type nbsessions.txt | findstr /I %n > NUL && echo [!] %n was found logged into %i

# Or, if nbtscan has been uploaded:
for /F %i in (ips.txt) do @echo [+] Checking %i && nbtscan -f %i 2>NUL >nbsessions.txt && FOR /F %n in (admins.txt) DO @type nbsessions.txt | findstr /I %n > NUL && echo [!] %n was found logged into %i