PowerShell Script or Advanced Hunting Query to Get All Active Local Administrators on the PC

Get Local Admins


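# Check whether the machine is Azure AD joined: the CloudDomainJoin\JoinInfo key
# only exists on joined devices, and its per-tenant subkeys carry a TenantId value.
# Exit codes: 1 when at least one enabled local account outside the allow-list is
# a member of the local Administrators group, 0 otherwise (including "not joined").

$joinInfoPath = "HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo"
$tenantId = $null

# The key is absent on devices that are not Azure AD joined; guard it so that
# Get-Item does not write an error and leave $subKey null (which then blew up
# on GetSubKeyNames()).
if (Test-Path -Path $joinInfoPath) {
    $subKey = Get-Item -Path $joinInfoPath
    foreach ($guid in $subKey.GetSubKeyNames()) {
        $guidSubKey = $subKey.OpenSubKey($guid)
        # As in the original, the last subkey's TenantId wins if there are several.
        $tenantId = $guidSubKey.GetValue("TenantId")
    }
}

# $null on the left so a collection on the right cannot turn the test into a filter.
if ($null -ne $tenantId) {

    # List the members of the local Administrators group.
    # Get-LocalGroupMember is avoided because of
    # https://github.com/PowerShell/PowerShell/issues/2996
    # 'net localgroup' prints a four-line header (alias, comment, "Members", a
    # dashed rule) and a trailing "completed successfully" line once blank
    # lines are removed; drop those so only member names remain.
    $adminlist = (net localgroup Administrators) |
        Where-Object { $_ -match '\S' } |
        Select-Object -Skip 4 |
        Select-Object -SkipLast 1

    # Domain and Azure AD members are printed as DOMAIN\user; keep only the
    # entries without a backslash, i.e. local accounts (and local groups).
    $localAdmins = ($adminlist | Select-String -Pattern '^[^\\]+$').Line

    # Local admin accounts that are allowed to exist.
    # -ne is case-insensitive by default in PowerShell, which matches how
    # Windows treats account names.
    $localadminallow = "palocaladmin"
    $localAdmins = $localAdmins | Where-Object { $localadminallow -ne $_ }

    # Keep only enabled local user accounts. Entries that are not local users
    # (for example a local group nested in Administrators) make Get-LocalUser
    # fail; SilentlyContinue treats them as "not an active local admin" instead
    # of spraying errors into the output.
    $ActiveLocalAdmins = foreach ($admin in $localAdmins) {
        (Get-LocalUser -Name $admin -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled }).Name
    }

    if ($ActiveLocalAdmins) {
        Write-Host $ActiveLocalAdmins
        Exit 1
    }
    # Explicit success exit so the result does not depend on the status of
    # whatever command happened to run last.
    Exit 0
}
else {
    # Write before exiting: the original called Exit first, so this line never ran.
    Write-Host "Not In Azure AD"
    Exit 0
}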

Get Local and Domains Users in Admins


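# Check whether the machine is Azure AD joined: the CloudDomainJoin\JoinInfo key
# only exists on joined devices, and its per-tenant subkeys carry a TenantId value.
# Exit codes: 1 when an enabled local account, or a domain/Azure AD account, that
# is not on the allow-lists is a member of local Administrators; 0 otherwise
# (including "not joined").

$joinInfoPath = "HKLM:/SYSTEM/CurrentControlSet/Control/CloudDomainJoin/JoinInfo"
$tenantId = $null

# The key is absent on devices that are not Azure AD joined; guard it so that
# Get-Item does not write an error and leave $subKey null (which then blew up
# on GetSubKeyNames()).
if (Test-Path -Path $joinInfoPath) {
    $subKey = Get-Item -Path $joinInfoPath
    foreach ($guid in $subKey.GetSubKeyNames()) {
        $guidSubKey = $subKey.OpenSubKey($guid)
        # As in the original, the last subkey's TenantId wins if there are several.
        $tenantId = $guidSubKey.GetValue("TenantId")
    }
}

# $null on the left so a collection on the right cannot turn the test into a filter.
if ($null -ne $tenantId) {

    # List the members of the local Administrators group.
    # Get-LocalGroupMember is avoided because of
    # https://github.com/PowerShell/PowerShell/issues/2996
    # 'net localgroup' prints a four-line header (alias, comment, "Members", a
    # dashed rule) and a trailing "completed successfully" line once blank
    # lines are removed; drop those so only member names remain.
    $adminlist = (net localgroup Administrators) |
        Where-Object { $_ -match '\S' } |
        Select-Object -Skip 4 |
        Select-Object -SkipLast 1

    # --- Domain / Azure AD members: anything printed as DOMAIN\user ---
    $Regexes = '^.*(\\).*$'
    $LocalDomainlAdmins = ($adminlist | Select-String -Pattern $Regexes).Line

    # Drop the Domain Admins group itself. The negative lookahead excludes any
    # line that CONTAINS the text, not just an exact match.
    $Regexes = '^((?!Domain Admins).)*$'
    $LocalDomainlAdmins = ($LocalDomainlAdmins | Select-String -Pattern $Regexes).Line

    # Drop allowed admin accounts. Same substring semantics as above, so an
    # account whose name merely contains one of these strings is also hidden;
    # anchor the names if exact matching is needed.
    $Regexes = '(?i)^((?!mpandey|jcooper|chorton).)*$'
    $LocalDomainlAdmins = ($LocalDomainlAdmins | Select-String -Pattern $Regexes).Line

    # --- Local members: entries without a backslash ---
    $Regexes = '^[^\\]+$'
    $localAdmins = ($adminlist | Select-String -Pattern $Regexes).Line

    # Drop allowed local admins (substring match, case-insensitive).
    $Regexes = '(?i)^((?!property).)*$'
    $localAdmins = ($localAdmins | Select-String -Pattern $Regexes).Line

    # Keep only enabled local user accounts. Entries that are not local users
    # (for example a local group nested in Administrators) make Get-LocalUser
    # fail; SilentlyContinue treats them as "not an active local admin" instead
    # of spraying errors into the output.
    $ActiveLocalAdmins = foreach ($admin in $localAdmins) {
        (Get-LocalUser -Name $admin -ErrorAction SilentlyContinue |
            Where-Object { $_.Enabled }).Name
    }

    if ($ActiveLocalAdmins -or $LocalDomainlAdmins) {
        Write-Host "Local $ActiveLocalAdmins" "Domain $LocalDomainlAdmins"
        Exit 1
    }
    # Explicit success exit so the result does not depend on the status of
    # whatever command happened to run last.
    Exit 0
}
else {
    # Write before exiting: the original called Exit first, so this line never ran.
    Write-Host "Not In Azure AD"
    Exit 0
}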

Find Local Admin Logins with Defender Advanced Hunting

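// Logon events where the signing-in account holds local admin on the device.
// IsLocalAdmin is documented as a bool column; the original compares it to 1 —
// NOTE(review): confirm in your tenant whether `== true` is preferred.
DeviceLogonEvents
| where IsLocalAdmin == 1
// Count per device and account. The earlier `project` was dropped: summarize
// only reads DeviceName and AccountName, so the other columns were discarded
// anyway. AccountDomain is not part of the key, so same-named accounts from
// different domains are merged into one row.
| summarize count() by DeviceName, AccountName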