tevora-threat
Exception in Get-NetLocalGroupMember
Hello,
I am using the Get-NetLocalGroupMember command to get the users of a certain group from a remote machine and I get the following error:
I have tried with Sharpview and Powerview to compare if there was any problem in the command entered but, after debugging, I have located the line where the exception is generated:
// try to extract out the machine SID by using the -500 account as a reference
var MachineSid = (Members.FirstOrDefault(x => (x as LocalGroupMemberAPI).SID.IsRegexMatch(".*-500") || (x as LocalGroupMemberAPI).SID.IsRegexMatch(".*-501")) as LocalGroupMemberAPI).SID;
https://github.com/tevora-threat/SharpView/blob/master/SharpView/PowerView.cs#L7208
This happens because (as I understand it), it is iterated over the users obtained, looking for the local administrator of the machine (SID ending in "-500"), because the SID of the machine corresponds to the SID of the account of the local administrator user without the "-500" (I detail it in case someone reading the issue doesn't understand the error).
The problem is that it is expected that in that result there is a local administrator user to extract the SID of the machine (which in my case doesn't exist), that's why the exception is generated. I have commented this part, and the command is executed correctly and the expected results are obtained.
I'm going to see if I can change this and make a pull request. Greetings
