Full Report
There are multiple paths one could take to getting Domain Admin on a Microsoft Windows Active Directory domain. One common method is to start by finding a system where a privileged domain account, such as a domain admin, is logged in or has recently been logged in. Once access to that system has been gained, the attacker either steals their security tokens (à la Incognito or pass-the-hash attacks) or queries Digest Authentication (with Mimikatz/WCE) to get their clear-text password. The problem is finding out where these users are logged in.
Analysis Summary
# Tool/Technique: enum_domain_user.rb (Metasploit Post-Exploitation Module)
## Overview
This is a custom Metasploit post-exploitation module designed to enumerate network sessions for a specific domain user across a Windows Active Directory network. Its primary purpose is to identify systems where privileged accounts (like Domain Admins) are currently logged on, facilitating subsequent credential theft or token manipulation attacks to achieve Domain Admin privileges.
## Technical Details
- Type: Tool (Metasploit Post-Exploitation Module)
- Platform: Windows
- Capabilities: Queries network sessions for a specified user using the NetSessionEnum API.
- First Seen: April 22, 2013 (Date of article publication)
## MITRE ATT&CK Mapping
- T1087 - Account Discovery
- T1087.002 - Domain Account
- T1018 - Remote System Discovery (implied: the module identifies active sessions on remote hosts)
## Functionality
### Core Capabilities
- **Network Session Enumeration:** Directly queries the network for active sessions involving a target user.
- **API Utilization:** Implements functionality equivalent to the SysInternals PsLoggedOn tool by leveraging the Windows **NetSessionEnum API**.
- **Metasploit Integration:** Works within the Metasploit Framework, typically executed from a Meterpreter session.
### Advanced Features
- **Goal-Oriented Discovery:** Specifically targets the identification of hosts where privileged accounts are logged in, directly supporting the privilege escalation pathway.
- **Bonus Feature (History Plugin):** An associated, separate Metasploit plugin (`history.rb`) allows viewing and re-executing recently used commands within the `msfconsole`.
## Indicators of Compromise
This entry describes an attacker-developed module, not malware. IOCs are related to the methods it facilitates or the tools it replaces.
- File Hashes: N/A (Module script, not compiled malware)
- File Names: `enum_domain_user.rb` (replaces or supplements `PsLoggedOn.exe`)
- Registry Keys: N/A
- Network Indicators: N/A (The tool queries existing network sessions; it does not establish C2 traffic itself unless run inside a larger framework session.)
- Behavioral Indicators: Execution of a post-exploitation module that enumerates sessions; Windows API calls to network session APIs (`NetSessionEnum`).
## Associated Threat Actors
- Not tied to specific APTs; likely used by penetration testers and Red Teams leveraging Metasploit post-exploitation features.
## Detection Methods
Detection focuses on identifying the use of the specific Metasploit module or the underlying API calls it makes on victim systems.
- Signature-based detection: Signatures matching the Ruby code of `enum_domain_user.rb` or the loading of Metasploit history plugins.
- Behavioral detection: Monitoring for unexpected direct use of the `NetSessionEnum` API, especially when initiated remotely or non-interactively following a system compromise.
- YARA rules: Can be written to detect the module file if it exists on disk.
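As an added illustration of the behavioral detection described above (this is not code from the original article or from the module's author), the following Python detector runs over constructed Windows Security event records. It assumes that detailed file-share auditing is enabled so that remote `NetSessionEnum` calls appear as event ID 5145 accesses to the `srvsvc` named pipe on the `IPC$` share, and that the SIEM exports the event fields under the names used here; the management-host allowlist, the thresholds and every sample record are constructed for the example.

```python
"""Flag session-enumeration sweeps from Windows Security event 5145 records.

Assumption (not from the page): a remote NetSessionEnum call reaches the target
through the srvsvc named pipe on the IPC$ share, which event 5145 records when
detailed file-share auditing is enabled. One source touching srvsvc on many
hosts in a short window is the sweep pattern a post-exploitation module
produces; a single admin checking one server does not trip the threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like the fields of event 5145.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "jdoe", "IpAddress": "10.0.5.23",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "TimeCreated": "2013-04-22T10:00:01"},
    {"EventID": 5145, "Computer": "FS02", "SubjectUserName": "jdoe", "IpAddress": "10.0.5.23",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "TimeCreated": "2013-04-22T10:00:03"},
    {"EventID": 5145, "Computer": "DC01", "SubjectUserName": "jdoe", "IpAddress": "10.0.5.23",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "TimeCreated": "2013-04-22T10:00:04"},
    {"EventID": 5145, "Computer": "WS07", "SubjectUserName": "jdoe", "IpAddress": "10.0.5.23",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "TimeCreated": "2013-04-22T10:00:06"},
    # Ordinary file access on a data share: not pipe access, must be ignored.
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "asmith", "IpAddress": "10.0.5.40",
     "ShareName": "\\\\*\\data", "RelativeTargetName": "reports\\q1.xlsx", "TimeCreated": "2013-04-22T10:01:00"},
    # Monitoring account on a sanctioned management host (allowlisted below).
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "monitoring-svc", "IpAddress": "10.0.1.10",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "TimeCreated": "2013-04-22T10:05:00"},
    {"EventID": 5145, "Computer": "FS02", "SubjectUserName": "monitoring-svc", "IpAddress": "10.0.1.10",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "TimeCreated": "2013-04-22T10:05:01"},
    {"EventID": 5145, "Computer": "DC01", "SubjectUserName": "monitoring-svc", "IpAddress": "10.0.1.10",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "TimeCreated": "2013-04-22T10:05:02"},
    # A lone hit much later from the same user: outside any 5-minute window.
    {"EventID": 5145, "Computer": "FS01", "SubjectUserName": "jdoe", "IpAddress": "10.0.5.23",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc", "TimeCreated": "2013-04-22T11:30:00"},
]

# Constructed allowlist of jump boxes / management servers that are expected
# to enumerate sessions (see the mitigation section on restricting admin access).
MANAGEMENT_HOSTS = frozenset({"10.0.1.10"})


def is_srvsvc_pipe_access(ev):
    """True when the record is an IPC$ access to the srvsvc pipe (NetSessionEnum path)."""
    return (ev["EventID"] == 5145
            and ev["ShareName"].upper().endswith("IPC$")
            and ev["RelativeTargetName"].lower() == "srvsvc")


def find_session_sweeps(events, min_targets=3, window=timedelta(minutes=5),
                        allowlist=frozenset()):
    """Return one alert per (user, source IP) that touched srvsvc on at least
    min_targets distinct computers inside a sliding time window."""
    hits = defaultdict(list)
    for ev in events:
        if not is_srvsvc_pipe_access(ev) or ev["IpAddress"] in allowlist:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        hits[(ev["SubjectUserName"], ev["IpAddress"])].append((ts, ev["Computer"]))

    alerts = []
    for (user, src), seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            # Distinct targets reached within `window` of this anchor event.
            targets = {host for t, host in seq[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                alerts.append({"user": user, "source_ip": src,
                               "targets": sorted(targets),
                               "first_seen": t0.isoformat()})
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in find_session_sweeps(SAMPLE_EVENTS, allowlist=MANAGEMENT_HOSTS):
        print(f"{alert['user']}@{alert['source_ip']} enumerated sessions on "
              f"{', '.join(alert['targets'])} starting {alert['first_seen']}")
```

With the allowlist applied, only the `jdoe` sweep from the workstation is reported; dropping the allowlist also surfaces the monitoring account, which is the point of keeping session enumeration confined to known management hosts so that anything else is an alert rather than noise.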
## Mitigation Strategies
The ability to find these sessions is largely dependent on network visibility and proper privilege management.
- Prevention measures: Restrict administrative access to only necessary jump boxes or management servers.
- Hardening recommendations: Implement Least Privilege; ensure administrators do not use high-privilege interactive logon sessions for routine tasks that leave artifacts on standard workstations. Utilize Privileged Access Workstations (PAWs).
## Related Tools/Techniques
- **PsLoggedOn (SysInternals/Microsoft):** The official tool whose functionality this module replicates via API for easier integration into Metasploit.
- **nmap smb-enum-sessions script:** A similar enumeration technique, noted in the article as being "clumsy" compared to the custom module.
- **Mimikatz/WCE:** Tools mentioned for credential harvesting (clear-text password retrieval via Digest Auth) once a privileged host is identified.
- **Incognito/Pass-the-Hash:** Techniques mentioned for using stolen security tokens or hashes once access to the host is gained.