Get-NetUser

A more useful view is to select only the attributes that matter for triage: the description (admins sometimes leave credentials in it), logon and password timestamps, and the bad-password counter.

Get-NetUser | select cn,description,lastlogon,pwdlastset,badpwdcount

From that output, the accounts worth a second look. Note that 1/1/1601 is what PowerView prints for a FILETIME of zero, i.e. the user has never logged on or never had a password set. The descriptions below contain either a generated password or a note that the account still has the company default password; krbtgt stands out for its bad-password count, and rem01x is the only account that has actually logged on recently.

cn          : krbtgt
description : Key Distribution Center Service Account
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 10/14/2023 10:47:00 PM
badpwdcount : 984
-----------------------
cn          : Jessamine Lily
description : New user generated password: O2j[^Am
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
-----------------------
cn          : Loy Lanette
description : New user generated password: I!MWL=S
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
-----------------------
cn          : Cybil Katerina
description : New user generated password: 6i5$-s2
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
------------------------
cn          : Reyna Ninon
description : New user generated password: B&wh/^#
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
------------------------
cn          : Kimberlee Lorna
description : Company default password(Reset ASAP)
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
-------------------------
cn          : Delilah Alyss
description : Company default password(Reset ASAP)
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
--------------------------
cn          : Elenore Brandie
description : Company default password(Reset ASAP)
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
---------------------------
cn          : Lanette Kitty
description : Company default password(Reset ASAP)
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
---------------------------
cn          : Illa Latashia
description : Company default password(Reset ASAP)
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
---------------------------
cn          : Aloysia Debbie
description : New user generated password: m:{jWvi
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
----------------------------
cn          : Dayle Kelcey
description : Company default password(Reset ASAP)
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
-----------------------------
cn          : Cymbre Goldina
description : New user generated password: sDjr$!E
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
------------------------------
cn          : Nona Donetta
description : Company default password(Reset ASAP)
lastlogon   : 1/1/1601 2:00:00 AM
pwdlastset  : 1/1/1601 2:00:00 AM
badpwdcount : 0
-------------------------------
cn          : rem01x
description :
lastlogon   : 10/16/2023 5:37:37 AM
pwdlastset  : 10/15/2023 2:45:52 PM
badpwdcount : 0

Next, a small PowerShell loop that lists the group memberships of each of those users, using PowerView's Get-NetGroup -UserName:

# Accounts flagged in the previous step
$a = @("krbtgt","Jessamine Lily","Loy Lanette","Cybil Katerina","Reyna Ninon","Kimberlee Lorna","Delilah Alyss","Elenore Brandie","Lanette Kitty","Illa Latashia","Aloysia Debbie","Dayle Kelcey","Cymbre Goldina","Nona Donetta","rem01x")
foreach ($user in $a) {
    # Header line, then the group names PowerView resolves for this user
    "Getting User $user Groups"
    Get-NetGroup -UserName $user | select name
    Write-Output "---------------------------"
}

name
----
Denied RODC Password Replication Group
Domain Users
---------------------------
Getting User Jessamine Lily Groups
Domain Users
Sales
---------------------------
Getting User Loy Lanette Groups
Domain Users
Sales
---------------------------
Getting User Cybil Katerina Groups
Domain Users
Sales
---------------------------
Getting User Reyna Ninon Groups
Domain Users
Marketing
---------------------------
Getting User Kimberlee Lorna Groups
Domain Users
Marketing
---------------------------
Getting User Delilah Alyss Groups
Domain Users
Sales
---------------------------
Getting User Elenore Brandie Groups
Domain Users
Sales
---------------------------
Getting User Lanette Kitty Groups
Domain Users
Marketing
---------------------------
Getting User Illa Latashia Groups
Accounting
Domain Users
---------------------------
Getting User Aloysia Debbie Groups
Domain Users
Marketing
---------------------------
Getting User Dayle Kelcey Groups
Domain Users
Marketing
---------------------------
Getting User Cymbre Goldina Groups
Domain Users
Sales
---------------------------
Getting User Nona Donetta Groups
Domain Users
Marketing
---------------------------
Getting User rem01x Groups
Domain Users
---------------------------

Good, but none of these accounts is in a privileged group: every one of them is in Domain Users plus a single departmental group (Sales, Marketing or Accounting), and krbtgt is only in Denied RODC Password Replication Group, which is its default membership. No admin group was found.
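The triage above was done by hand: read the descriptions, spot the 1601 timestamps, then loop over the names. The script below is an added example, not part of the original write-up, that automates the same checks with the same PowerView cmdlets (Get-NetUser, Get-NetGroup -UserName), which must already be loaded in the session. The description regex, the badpwdcount threshold and the list of privileged groups are my own choices, not something the page defines; adjust them to the target domain.

```powershell
# Added example (not from the original write-up): automated version of the manual
# triage done above. Assumes PowerView is imported. Regex, threshold and the
# privileged-group list below are assumptions of this example.

# Groups whose membership would turn a leaked password into domain compromise.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins',
    'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins'
)

# Description text that leaks or hints at a credential (covers both patterns seen above:
# "New user generated password: ..." and "Company default password(Reset ASAP)").
$credentialHint = '(?i)passw(or)?d|pwd|reset asap'

# PowerView converts lastlogon/pwdlastset from FILETIME to [datetime]; a FILETIME of 0
# becomes 1 Jan 1601, which is how "never logged on" / "password never set" appears.
function Test-NeverSet {
    param($Value)
    return (-not $Value) -or ($Value -is [datetime] -and $Value.Year -eq 1601)
}

function Find-SuspiciousUser {
    param([int]$BadPwdThreshold = 10)

    Get-NetUser | ForEach-Object {
        $u = $_
        $reasons = @()

        if ($u.description -match $credentialHint)     { $reasons += 'credential hint in description' }
        if (Test-NeverSet $u.lastlogon)                { $reasons += 'never logged on' }
        if (Test-NeverSet $u.pwdlastset)               { $reasons += 'password never set' }
        if ([int]$u.badpwdcount -ge $BadPwdThreshold)  { $reasons += "badpwdcount=$($u.badpwdcount)" }

        # Nothing interesting about this account: skip it (return == continue in ForEach-Object).
        if ($reasons.Count -eq 0) { return }

        # Same lookup as the loop above, one call per flagged account.
        $groups     = @(Get-NetGroup -UserName $u.samaccountname | Select-Object -ExpandProperty name)
        $privileged = @($groups | Where-Object { $privilegedGroups -contains $_ })

        [pscustomobject]@{
            User        = $u.samaccountname
            Reasons     = ($reasons -join '; ')
            Groups      = ($groups -join ', ')
            Privileged  = ($privileged -join ', ')
            Description = $u.description
        }
    }
}

# Accounts with a privileged group first, then alphabetically.
Find-SuspiciousUser | Sort-Object { -not $_.Privileged }, User | Format-Table -AutoSize -Wrap
```

Run against the domain on this page it would produce one row per account listed above, with the Privileged column empty for all of them, which is exactly the conclusion reached by hand; in a domain where one of the "default password" accounts sits in Account Operators or DnsAdmins, that row floats to the top.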

Get-NetComputer

As with users, select the attributes that matter: OS version, password and logon timestamps, and whether the object is marked critical.

Get-NetComputer | select name,operatingsystem,pwdlastset,badpwdcount,lastlogon,iscriticalsystemobject

The output (screenshot not reproduced) shows that the computer WIN-Q4788GPE9L7 has isCriticalSystemObject set to True, the flag that domain controllers' computer objects carry. Ping it to see whether it is up; PowerView's -Ping switch only returns hosts that answer, so an empty result means the host is unreachable:

Get-NetComputer -Ping | Where-Object name -like 'WIN-Q4788GPE9L7'
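Because -Ping silently drops hosts that do not answer, it is easy to miss a critical machine that is simply down or filtered. The function below is an added example, not part of the original write-up: it applies the same isCriticalSystemObject filter and checks each host with Test-Connection instead, so reachable and unreachable machines both appear in one table. It assumes PowerView is loaded and that ICMP is allowed; the ping count is my own choice.

```powershell
# Added example (not from the original write-up). Assumes PowerView's Get-NetComputer
# is available in the session. Hosts that block ICMP will show as Alive = False.

function Get-CriticalComputerStatus {
    param([int]$PingCount = 1)

    Get-NetComputer |
        Where-Object { $_.iscriticalsystemobject -eq $true } |
        ForEach-Object {
            $c = $_
            # Prefer the DNS host name for the probe; fall back to the CN.
            $target = if ($c.dnshostname) { $c.dnshostname } else { $c.name }
            $alive  = Test-Connection -ComputerName $target -Count $PingCount -Quiet -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Name            = $c.name
                DnsHostName     = $c.dnshostname
                OperatingSystem = $c.operatingsystem
                LastLogon       = $c.lastlogon
                Alive           = [bool]$alive
            }
        }
}

Get-CriticalComputerStatus | Format-Table -AutoSize
```

For the domain on this page the table would contain a single row for WIN-Q4788GPE9L7; the Alive column answers the same question as the -Ping command above without hiding the host when the answer is no.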