From c883dabf7780f5b8b3cc1bea1f9b163983174838 Mon Sep 17 00:00:00 2001
From: Harmj0y
Date: Mon, 7 Mar 2016 02:50:24 -0500
Subject: Added -DomainOnly flag to Invoke-EnumerateLocalAdmin

---
 Recon/PowerView.ps1 | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)
(limited to 'Recon')

diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 994b9a7..e657c5d 100644
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -6710,7 +6710,9 @@ function Get-NetLocalGroup {
 $LocalUser | Add-Member Noteproperty 'ComputerName' $Server
 $LocalUser | Add-Member Noteproperty 'AccountName' $Info.lgrmi2_domainandname
 $LocalUser | Add-Member Noteproperty 'SID' $SidString
- $LocalUser | Add-Member Noteproperty 'SidType' $Info.lgrmi2_sidusage
+
+ $IsGroup = $($Info.lgrmi2_sidusage -eq 'SidTypeGroup')
+ $LocalUser | Add-Member Noteproperty 'IsGroup' $IsGroup
 
 $Offset = $NewIntPtr.ToInt64()
 $Offset += $Increment
@@ -10943,6 +10945,10 @@ function Invoke-EnumerateLocalAdmin {
 Switch. Only return results that are not part of the local machine
 or the machine's domain. Old Invoke-EnumerateLocalTrustGroup functionality.
 
+
+ .PARAMETER DomainOnly
+
+ Switch. Only return domain (non-local) results
 
 .PARAMETER Domain
 
@@ -11020,6 +11026,9 @@ function Invoke-EnumerateLocalAdmin {
 [Switch]
 $TrustGroups,
 
+ [Switch]
+ $DomainOnly,
+
 [String]
 $Domain,
 
@@ -11103,7 +11112,7 @@ function Invoke-EnumerateLocalAdmin {
 
 # script block that enumerates a server
 $HostEnumBlock = {
- param($ComputerName, $Ping, $OutFile, $DomainSID, $TrustGroupsSIDs, $API)
+ param($ComputerName, $Ping, $OutFile, $DomainSID, $TrustGroupsSIDs, $API, $DomainOnly)
 
 # optionally check if the server is up first
 $Up = $True
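Review bot: Replacing the `SidType` property with a boolean `IsGroup` in Get-NetLocalGroup's API path is a breaking output-schema change: any consumer that filtered or grouped on `SidType` now sees nothing, and the SID_NAME_USE detail (SidTypeAlias, SidTypeWellKnownGroup, SidTypeUnknown and so on) is lost. Keeping `$LocalUser | Add-Member Noteproperty 'SidType' $Info.lgrmi2_sidusage` next to the new `IsGroup` line is backward compatible and costs nothing. Note also that `-eq 'SidTypeGroup'` recognises only domain groups; a nested local group (SidTypeAlias) is reported with `IsGroup` false, so anything keyed on this flag for group expansion would skip it. Whether the string comparison behaves as intended depends on how lgrmi2_sidusage is declared in the struct definition, which lies outside this hunk, as does the rest of the function body.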
@@ -11130,6 +11139,11 @@ function Invoke-EnumerateLocalAdmin {
 }
 
 if($LocalAdmins -and ($LocalAdmins.Length -ne 0)) {
+
+ if($DomainOnly) {
+ $LocalAdmins = $LocalAdmins | Where-Object {$_.IsDomain}
+ }
+
 # output the results to a csv if specified
 if($OutFile) {
 $LocalAdmins | Export-PowerViewCSV -OutFile $OutFile
@@ -11144,7 +11158,6 @@ function Invoke-EnumerateLocalAdmin {
 }
 }
 }
- }
 
 process {
 
@@ -11164,6 +11177,10 @@ function Invoke-EnumerateLocalAdmin {
 if($API) {
 $ScriptParams['API'] = $True
 }
+
+ if($DomainOnly) {
+ $ScriptParams['DomainOnly'] = $True
+ }
 
 Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
 }
@@ -11186,12 +11203,9 @@ function Invoke-EnumerateLocalAdmin {
 Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
 Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
 
- if($API) {
- Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $OutFile, $DomainSID, $TrustGroupsSIDs, $True
- }
- else {
- Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $OutFile, $DomainSID, $TrustGroupsSIDs
- }
+ $ScriptArgs = @($Computer, $False, $OutFile, $DomainSID, $TrustGroupsSIDs, $API, $DomainOnly)
+
+ Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $ScriptArgs
 }
 }
 }
-- 
cgit v1.2.3
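Review bot: The new `-DomainOnly` filter keys on `$_.IsDomain`, yet the only object-construction change in this patch (the Get-NetLocalGroup hunk at -6710) adds `IsGroup`, not `IsDomain`; if the -API result objects carry no `IsDomain` member, `Where-Object {$_.IsDomain}` is false for every row and `-API -DomainOnly` silently returns nothing. Confirm the API path populates `IsDomain` before relying on it here. The filter also sits inside the `if($LocalAdmins -and ($LocalAdmins.Length -ne 0))` guard, so `$LocalAdmins` can be emptied after the check while the output branches still run; moving the `if($DomainOnly) { ... }` block above that guard keeps the check meaningful. The enclosing script block and its else branch continue outside the hunk.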
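Review bot: `$ScriptArgs` binds to `$HostEnumBlock` purely by position, so its order must track the `param($ComputerName, $Ping, $OutFile, $DomainSID, $TrustGroupsSIDs, $API, $DomainOnly)` list changed in the -11103 hunk, while the threaded path in the -11164 hunk passes the same values by name through `$ScriptParams`; nothing in the code ties the two together. A comment above the array, `# positional: order must match $HostEnumBlock's param() list`, or switching this path to the same named hashtable would make the coupling visible. `$API` is now forwarded as the switch object itself rather than the literal `$True`, which is fine for truthiness tests but worth a glance if the script block ever compares it to a literal; its body is outside the hunk, as is the enclosing foreach.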