LACheck – Multithreaded C# .NET Assembly Local Administrative Privilege Enumeration
Description


Multithreaded C# .NET Assembly Local Administrative Privilege Enumeration

### Arguments

* domain controller to query (if not run on a domain-joined host)
* /domain – specify domain name (if not run on a domain-joined host)
* /edr – check host for EDR (requires smb, rpc, or winrm)
* /logons – return logged on users on a host (requires smb, rpc, or winrm)
* /registry – enumerate sessions from registry hive (requires smb)
* /services – return services running as users (requires smb, rpc, or winrm)
* /socket – send bloodhound output to TCP socket instead of writing to disk, ex: "127.0.0.1:8080"
* /targets – comma-separated list of hostnames to check
* /threads – specify maximum number of parallel threads (default=25)
* /user – specify username that collection was run under (useful during token manipulation)
* /validate – check [credentials]( "credentials" ) against Domain prior to scanning targets (useful during token manipulation)
* /verbose – print additional logging information
* /ou – specify LDAP OU to query enabled computer objects from, ex: "OU=Special Servers,DC=example,DC=local"
* /ldap – query hosts from the following LDAP filters:
  * :all – All enabled computers with 'primary' group 'Domain Computers'
  * :dc – All enabled Domain Controllers (not read-only DCs)
  * :exclude-dc – All enabled computers that are not Domain Controllers or read-only DCs
  * :servers – All enabled servers
  * :servers-exclude-dc – All enabled servers excluding Domain Controllers or read-only DCs

> ./LACheck.exe help

(ASCII banner of the help output not recoverable from the extracted page)

### /user

[…] impersonation techniques such as Cobalt Strike's `make_token` and `kerberos_ticket_use`, LACheck may not be able to accurately determine the user context for a collection. The `/user` argument is required to supply LACheck with the userprincipalname (format = `[email protected]`) of the context it is run under in order to accurately correlate the collection information.

### /socket

BloodHound output can be sent to a TCP socket instead of being written to disk.

If the TCP connection fails, BloodHound output will be written to disk.

In a [Cobalt Strike]( “Cobalt Strike” ) beacon, TCP connections can be forwarded from a host back to the operator’s local machine using `rportfwd_local`:

rportfwd_local 8888 127.0.0.1 8888

An operator may then pipe the output of the TCP stream to a local file using netcat:

nc -lvnp 8888 > computers.json

# Enumeration Methods

## Performance Summary

| Check | SMB | WMI | WinRM |
|---|---|---|---|
| /edr | fast | fast | fast |
| /logons | fast | fast | fast |
| /services | slow | fast | fast |
| /registry | slow | fast | – |

– = not implemented

## SMB

### /edr

Inspired by [harleyQu1nn’s EDR.cna script]( “harleyQu1nn’s EDR.cna script” )

The [Directory.GetFiles]( "Directory.GetFiles" ) method returns a list of drivers from:

* `\\host\C$\windows\system32\drivers`
* `\\host\C$\windows\sysnative\drivers`

Drivers are looked up against a list of known drivers used by EDR vendors.

#### Example Output run as svcadmin user

[EDR] WEB01 – Found: CrowdStrike, SentinelOne (svcadmin)
[EDR] DEV02 – no EDR found (svcadmin)

### /logons

[NetWkstaUserEnum]( “NetWkstaUserEnum” ) returns a list of users with interactive, service and batch logons

[WTSEnumerateSessionsA]( “WTSEnumerateSessionsA” ) returns a list of RDP sessions on a host

[WTSQuerySessionInformationA]( “WTSQuerySessionInformationA” ) retrieves detailed information for each RDP session

#### Example Output run as svcadmin user

[session] WEB01 – contoso\devadmin (svcadmin)
[session] WEB01 – contoso\devuser (svcadmin)
[session] WEB01 – contoso\WEB01$ (svcadmin)
[session] WEB01 – contoso\devadmin (svcadmin)
[session] WEB01 – contoso\devuser (svcadmin)
[rdp] WEB01 – contoso\devadmin rdp-tcp#2 Active Last Connection: 00:00:50:26 Last Input: 00:00:00:00 (svcadmin)

### /registry

Iterates through the SIDs in the `\\Computer\HKEY_USERS` hive, attempts to access `Volatile Environment` for each SID, and retrieves values from the `USERDOMAIN` and `USERNAME` keys.

This method requires the Remote Registry service to be running on a remote host. If it is not:

1. initial start type of the Remote Registry service is recorded
2. start type is changed to `Automatic`
3. Remote Registry service is started
4. registry hives are enumerated
5. Remote Registry service is stopped
6. start type is reverted to its initially recorded value
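The six-step toggle above is also what a defender can look for: the Service Control Manager records a start-type change as System event 7040 and a running/stopped transition as event 7036, so "enabled, started, stopped, reverted" within a few seconds on one host is a useful detection pattern. The example below is added here and is not part of LACheck; the event records are constructed tuples standing in for real log entries, and a production rule would read the same fields from the log pipeline.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of System event log records (timestamp, host, event id, message).
# Message text follows the Service Control Manager wording for events 7040 and 7036.
SAMPLE_EVENTS = [
    ("2021-04-20 11:00:01", "WEB01", 7040, "The start type of the Remote Registry service was changed from disabled to auto start."),
    ("2021-04-20 11:00:02", "WEB01", 7036, "The Remote Registry service entered the running state."),
    ("2021-04-20 11:00:05", "WEB01", 7036, "The Remote Registry service entered the stopped state."),
    ("2021-04-20 11:00:06", "WEB01", 7040, "The start type of the Remote Registry service was changed from auto start to disabled."),
    # DEV02: start type changed but never started/reverted, so it should not match.
    ("2021-04-20 12:30:00", "DEV02", 7040, "The start type of the Remote Registry service was changed from disabled to auto start."),
]

START_TYPE = re.compile(r"Remote Registry service was changed from (.+?) to (.+?)\.$")


def find_remote_registry_toggles(events, window_seconds=60):
    """Return (host, time) for each host where Remote Registry was switched to auto start,
    started, stopped and then reverted to its original start type within the window."""
    by_host = {}
    for ts, host, eid, msg in events:
        by_host.setdefault(host, []).append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, msg))
    hits = []
    for host, recs in by_host.items():
        recs.sort()
        for i, (t0, eid, msg) in enumerate(recs):
            m = START_TYPE.search(msg) if eid == 7040 else None
            if not m or "auto" not in m.group(2):
                continue  # only a change *to* auto start opens a candidate sequence
            original = m.group(1)
            expected = ["running", "stopped", "revert"]  # order the tool's steps produce
            for t1, eid1, msg1 in recs[i + 1:]:
                if t1 - t0 > timedelta(seconds=window_seconds):
                    break
                want = expected[0]
                if want == "revert":
                    m2 = START_TYPE.search(msg1) if eid1 == 7040 else None
                    if m2 and m2.group(2) == original:
                        expected.pop(0)
                elif eid1 == 7036 and "Remote Registry" in msg1 and f"entered the {want} state" in msg1:
                    expected.pop(0)
                if not expected:
                    hits.append((host, t0.strftime("%Y-%m-%d %H:%M:%S")))
                    break
    return hits
```

A legitimate administrative change normally leaves the service enabled, so the revert step within the window is what separates this pattern from ordinary service management.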

Because enumerating each host can take several steps, this method may be slower than alternative techniques; `smb /logons` is faster.

#### Example Output run as svcadmin user

[registry] WEB01 – contoso\devadmin (svcadmin)

### /services

The [ServiceController.GetServices Method]( "ServiceController.GetServices Method" ) retrieves a list of services on a host.

Each service is queried to determine the user it is configured to run as.

Because each service has to be queried individually, this method may be slower than alternative techniques; `wmi /services` is faster.

#### Example Output run as svcadmin user

[service] WEB01 – [email protected] Service: secretsvc State: Running (svcadmin)

## WMI

### /edr

Inspired by [harleyQu1nn’s EDR.cna script]( “harleyQu1nn’s EDR.cna script” )

The [CIM_DataFile class]( "CIM_DataFile class" ) returns a list of drivers from:

* `\\host\C$\windows\system32\drivers`
* `\\host\C$\windows\sysnative\drivers`

Drivers are looked up against a list of known drivers used by EDR vendors.

#### Example Output run as svcadmin user

[EDR] WEB01 – Found: CrowdStrike, SentinelOne (svcadmin)
[EDR] DEV02 – no EDR found (svcadmin)

### /logons

The [Win32_LoggedOnUser class]( "Win32_LoggedOnUser class" ) returns a list of logged on sessions.

The [Win32_LogonSession class]( "Win32_LogonSession class" ) returns detailed information for each session.

#### Example Output run as svcadmin user

[session] WEB01 – contoso\devadmin 4/20/2021 11:00:05 AM (svcadmin)
[session] WEB01 – contoso\devuser 4/20/2021 1:40:52 PM (svcadmin)
[session] WEB01 – contoso\WEB01$ 4/20/2021 5:51:43 PM (svcadmin)
[session] WEB01 – contoso\devadmin 4/20/2021 09:54:38 AM (svcadmin)
[session] WEB01 – contoso\devuser 4/20/2021 10:14:32 AM (svcadmin)

### /registry

Queries the [Win32_UserProfile class]( “Win32_UserProfile class” ) to retrieve SIDs for user profiles on a system.

The [EnumKey method of the StdRegProv class]( "EnumKey method of the StdRegProv class" ) retrieves the `\\Computer\HKEY_USERS` hive and attempts to access `Volatile Environment` for each returned SID to retrieve values from the `USERDOMAIN` and `USERNAME` keys.

#### Example Output run as svcadmin user

[registry] WEB01 – contoso\devadmin (svcadmin)

### /services

Queries the [Win32_Service class]( "Win32_Service class" ) to retrieve the name, user, and state of services.

#### Example Output run as svcadmin user

[service] WEB01 – [email protected] Service: secretsvc State: Running (svcadmin)

## WinRM

Each WMI check is also implemented using [WMI Resources]( "WMI Resources" ) and [WMI Enumeration]( "WMI Enumeration" ) over WinRM.

This avoids the use of PowerShell runspaces.

**[Download LACheck]( "Download LACheck" )**