How to Find All Processes Running Under Administrative Privileges with PowerShell

One of the tricks an attacker carries out on a Windows computer is gaining administrative (admin) privileges. Once they have admin privileges, they are then free to go nuts on PCs in your organization.

You can get a leg up on a potential attacker by figuring out what processes are running under an administrative account in your organization. One way to do that for absolutely free is to use PowerShell!

Discovering Computers on the Network

The first task in discovering potentially dangerous processes on a network is finding all computers on that network. If you have Active Directory (AD), as most organizations do, you can use the Get-AdComputer cmdlet in the ActiveDirectory PowerShell module.

The following command returns all computer names from AD. Notice that the output is being assigned to $adComputers. You’ll use the computer names stored in this variable in the script below.

$adComputers = Get-AdComputer -Filter * | Select-Object -ExpandProperty Name

Alternatively, if you have a network monitoring tool like WhatsUp Gold, all devices on your network will be discovered and mapped automatically. 

Enumerating Processes

Next, we need to figure out how to query the processes on a single computer so we can tell which computers are running a given process. One way to do that is by using PowerShell remoting and the Get-Process command. This would typically work, but Get-Process doesn’t return the process owner, and we’re going to need that later on. Instead, we’ll query WMI to get the process list.

The following example limits the processes returned to a single process (malware.exe). If you’d like to enumerate all processes, omit the Filter parameter.

Get-CimInstance -ComputerName WEBSRV1 -ClassName Win32_Process -Filter "Name = 'malware.exe'"
ProcessId Name HandleCount WorkingSetSize VirtualSize PSComputerName
--------- ---- ----------- -------------- ----------- --------------
1864 malware.exe 158 6524928 41701376 WEBSRV1

Finding Process Owners

Once we’ve got code to find the processes, we need to figure out which user each returned process is running under. To do that, you can invoke the GetOwner() CIM method on each of the process objects returned.

In the following example, $p represents one of the processes returned by Get-CimInstance. You can see that by inspecting the User property, the owner of this particular process is NETWORK SERVICE.

(Invoke-CimMethod -InputObject $p -MethodName GetOwner).User
NETWORK SERVICE

Discovering Members of the Administrators Group

We now have some code to see whether the process is running on a computer and who the owner of that process is. Next, we need some code to gather up all of the local users on that computer that are members of the Administrators group.

The following code snippet uses ADSI to first bind to the Administrators group. It then uses the Invoke() method to enumerate each member of that group and returns the name of each member found.

# Bind to the local Administrators group on the target computer via the WinNT provider
$group = [ADSI]"WinNT://[computer name]/Administrators"
# Enumerate the group's members and return each member's Name property
@($group.Invoke('Members')) | foreach {
    $_.GetType().InvokeMember('Name','GetProperty',$null,$_,$null)
}

Putting the Script Together

We’re now ready to put it all together! Create a script that queries all of the computers in Active Directory for our malware.exe process. For each process found, we’ll find the owner of that process and then compare that user account with the members of the local Administrators group.

$adComputers = Get-AdComputer -Filter * | Select-Object -ExpandProperty Name
foreach ($computer in $adComputers) {
    # Use $computer here: $_ is only defined inside a pipeline script block
    if ($malwareProcs = Get-CimInstance -ComputerName $computer -ClassName Win32_Process -Filter "Name = 'malware.exe'") {
        # Collect the names of the local Administrators group members on this computer
        $adminGroup = [ADSI]"WinNT://$computer/Administrators"
        $adminMembers = @($adminGroup.Invoke('Members')) | foreach { $_.GetType().InvokeMember('Name','GetProperty',$null,$_,$null) }
        # Flag any malware.exe instance whose owner is one of those members
        $malwareProcs | foreach {
            if ((Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User -in $adminMembers) {
                Write-Host "The computer [$($computer)] has malware running under admin privileges!!" -ForegroundColor Red
            }
        }
    }
}
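As an added example that is not part of the original article, the same approach generalized into a reusable function: it reports every process (or only a named one) whose owner is a member of the local Administrators group, matches on DOMAIN\user rather than the bare user name, and emits objects you can export or filter. The function name, parameter names and output shape are this example's own choices, and it assumes the domain in each member's ADsPath matches the Domain value returned by GetOwner().

```powershell
# Added example (not the article's code): report processes owned by local Administrators members.
function Get-AdminOwnedProcess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,
        # Optional process name, e.g. 'malware.exe'; when omitted every process is checked
        [string]$ProcessName
    )
    foreach ($computer in $ComputerName) {
        try {
            # Build a DOMAIN\user list from each member's ADsPath (WinNT://DOMAIN/user),
            # so a local and a domain account with the same name are not confused
            $group = [ADSI]"WinNT://$computer/Administrators,group"
            $adminMembers = @($group.Invoke('Members')) | ForEach-Object {
                $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
                ($path -replace '^WinNT://', '') -replace '/', '\'
            }

            $cimParams = @{ ComputerName = $computer; ClassName = 'Win32_Process' }
            if ($ProcessName) { $cimParams.Filter = "Name = '$ProcessName'" }

            foreach ($proc in (Get-CimInstance @cimParams)) {
                $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
                # GetOwner returns no user for some processes (e.g. System Idle Process); skip those
                if (-not $owner.User) { continue }
                $account = '{0}\{1}' -f $owner.Domain, $owner.User
                if ($account -in $adminMembers) {   # -in is case-insensitive by default
                    [pscustomobject]@{
                        ComputerName = $computer
                        ProcessId    = $proc.ProcessId
                        Name         = $proc.Name
                        Owner        = $account
                        CommandLine  = $proc.CommandLine
                    }
                }
            }
        }
        catch {
            # One unreachable or access-denied host should not stop the sweep
            Write-Warning "Could not query $($computer): $($_.Exception.Message)"
        }
    }
}

# Usage, following the article: sweep every AD computer for malware.exe owned by an admin
# Get-AdComputer -Filter * | Select-Object -ExpandProperty Name |
#     ForEach-Object { Get-AdminOwnedProcess -ComputerName $_ -ProcessName 'malware.exe' }
```

A group nested in Administrators (such as Domain Admins) is listed as the group itself, not as its users, so a process owned by a member of a nested group is not flagged by this name comparison.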

Summary

You’ve now seen an example of using PowerShell to query multiple computers for processes running under admin privileges. Using the techniques and the script provided in this article, you now have another tool in your belt to help fight security incidents on your network!
