SharpView
SharpView copied to clipboard
Published
20 hours ago •
tevora-threat
tevora-threat
Get-DomainUser Not Filtering on "Name" Argument
trafficstars
Running Get-DomainUser with the following syntax fails to properly filter on the specified username and instead returns all users in the domain. The result was the same despite specifying -name domadmin, -identity domadmin, or simply Get-DomainUser domadmin
[*] Tasked beacon to run .NET program: SharpView_4.5.exe Get-DomainUser -name "domadmin"
[+] host called home, sent: 840809 bytes
[+] received output:
get-domain
[Get-DomainSearcher] search base: LDAP://DC01.lab.local/DC=lab,DC=local
[Get-DomainUser] filter string: (&(samAccountType=805306368))
objectsid : {S-1-5-21-.....-500}
samaccounttype : USER_OBJECT
objectguid : 019324d8-f17b-45c3-b9a9-adc7e0d3b9b3
useraccountcontrol : NORMAL_ACCOUNT
accountexpires : 12/31/1600 7:00:00 PM
lastlogon : 11/21/2014 6:42:49 AM
lastlogontimestamp : 3/13/2020 10:40:02 AM
pwdlastset : 8/15/2019 10:30:55 AM
lastlogoff : 12/31/1600 7:00:00 PM
badPasswordTime : 12/31/1600 7:00:00 PM
name : Administrator
distinguishedname : CN=Administrator,CN=Users,DC=lab,DC=local
whencreated : 8/15/2019 2:32:06 PM
whenchanged : 3/13/2020 2:40:02 PM
samaccountname : Administrator
memberof : {CN=Group Policy Creator Owners,CN=Users,DC=lab,DC=local, CN=Domain Admins,CN=Users,DC=lab,DC=local, CN=Enterprise Admins,CN=Users,DC=lab,DC=local, CN=Schema Admins,CN=Users,DC=lab,DC=local, CN=Administrators,CN=Builtin,DC=lab,DC=local}
cn : {Administrator}
objectclass : {top, person, organizationalPerson, user}
logoncount : 3
codepage : 0
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=local
description : Built-in account for administering the computer/domain
usnchanged : 22265
instancetype : 4
badpwdcount : 0
usncreated : 8196
countrycode : 0
primarygroupid : 513
dscorepropagationdata : {8/15/2019 2:47:54 PM, 8/15/2019 2:47:54 PM, 8/15/2019 2:32:44 PM, 1/1/1601 6:12:16 PM}
logonhours : {255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255}
admincount : 1
iscriticalsystemobject : True
objectsid : {S-1-5-21-....-502}
samaccounttype : USER_OBJECT
objectguid : af1a1a57-681f-4d3c-8775-3b922ba9613d
useraccountcontrol : ACCOUNTDISABLE, NORMAL_ACCOUNT
accountexpires : NEVER
lastlogon : 12/31/1600 7:00:00 PM
pwdlastset : 8/15/2019 10:32:44 AM
lastlogoff : 12/31/1600 7:00:00 PM
badPasswordTime : 12/31/1600 7:00:00 PM
**name : krbtgt**
distinguishedname : CN=krbtgt,CN=Users,DC=lab,DC=local
whencreated : 8/15/2019 2:32:44 PM
whenchanged : 8/15/2019 2:47:54 PM
samaccountname : krbtgt
memberof : {CN=Denied RODC Password Replication Group,CN=Users,DC=lab,DC=local}
cn : {krbtgt}
objectclass : {top, person, organizationalPerson, user}
ServicePrincipalName : kadmin/changepw
logoncount : 0
codepage : 0
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=local
description : Key Distribution Center Service Account
usnchanged : 12731
instancetype : 4
showinadvancedviewonly : True
badpwdcount : 0
usncreated : 12324
countrycode : 0
primarygroupid : 513
dscorepropagationdata : {8/15/2019 2:47:54 PM, 8/15/2019 2:32:44 PM, 1/1/1601 12:04:16 AM}
msds-supportedencryptiontypes : 0
admincount : 1
iscriticalsystemobject : True
<snip - Remaining domain users were displayed>
@andrewchiles the arguments in this version are case sensitive unfortunately :)
