
PowerView 3.0 Cheat Sheet

Getting Started

PowerView's 'bleeding edge' will always be in the development branch of PowerSploit: http://bit.ly/1pzQCnv

Load from disk:
  1) C:\> powershell -exec bypass
  2) PS C:\> Import-Module powerview.ps1

Run on a non-domain-joined machine:
  1) configure DNS to point to the DC of the domain
  2) runas /netonly /user:DOMAIN\user powershell.exe

Load in Cobalt Strike's Beacon:
  beacon> powershell-import /local/path/to/PowerView.ps1
  then: beacon> powershell CMDLET-NAME

Getting help: PS C:\> Get-Help Cmdlet-Name [-detailed]

Filtering and Output

  Execute a command on each result object     … | %{…Invoke-Command $_ }
  Filter result objects by field              … | ? {$_.Field -eq X}
  Only return certain properties              … | Select prop1,prop2
  Display output as a list                    … | fl
  Display output as a wrapped table           … | ft -wrap
  Write out to file                           … | Out-File -Encoding Ascii out.txt
  Write to .csv                               … | Export-CSV -NoTypeInformation out.csv
  Write to .xml object                        … | Export-Clixml obj.xml
  Read .xml object                            $obj = Import-Clixml obj.xml

Function Naming Scheme

All PowerView functions should now follow a proper Verb-PrefixNoun format:

  Get-*      Retrieve full raw data objects
  Find-*     Find specific data entries in a data set or execute threaded computer enumeration
  Add-*      Add a new object to a destination
  Set-*      Modify a given object
  Invoke-*   Lazy catch-all

Noun prefixes now give an indication of the data source:

  Verb-DomainX   LDAP/.NET AD connections
  Verb-WMIX      Uses WMI for connections/enumeration
  Verb-NetX      Uses Win32 API calls

Common Options

  The object to query: samaccountname, DN, SID, GUID,
  or dnsHostname. Wildcards accepted.                     -Identity <X>
  Display verbose status/debug information                -Verbose
  Execute the query in a foreign domain                   -Domain foreign.com
  Utilize a custom LDAP filter                            -LDAPFilter '(prop=value)'
  Only return the specified properties from the server    -Properties prop1,prop2
  Search through a particular OU                          -SearchBase "ldap://OU=…"
  Search through a global catalog                         -SearchBase "GC://domain.com"
  Bind to a particular server for the search              -Server "dc.domain.com"
  Return specific security information with the search    -SecurityMasks [Dacl/Owner/Sacl]
  Only return one result                                  -FindOne

-Credential

All PowerView functions now accept an alternate -Credential specification:

  PS C:\> $SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
  PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
  PS C:\> Get-DomainUser -Credential $Cred

Computer Enumeration

Get-DomainComputer will enumerate computer objects on a given domain through LDAP.

  Return only live hosts                                  -Ping
  Machines with unconstrained delegation                  -Unconstrained
  Trusted to authenticate for other principals            -TrustedToAuth
  Specific service principal name, wildcards accepted     -SPN *SQL*
  Specific OS, wildcards accepted                         -OperatingSystem <X>
  Specific service pack, wildcards accepted               -ServicePack <X>

Identifying Your Prey

Get-DomainUser will enumerate user objects on a given domain through LDAP.

  Return users with "admin" in the user name              -Identity "*john*"
  Return users who are (or were) a member of an
  admin-protected group                                   -AdminCount
  Users with a service principal name set
  (likely service accounts)                               -SPN
  Trusted to authenticate for other principals            -TrustedToAuth
  "Do not require Kerberos preauthentication" set         -PreauthNotRequired

Version 1.3. Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.
Get-DomainGroup will enumerate the group objects themselves on a given domain through LDAP.

  Return all groups with "admin" in the name              -Identity *admin*
  Return all groups a particular user/group is part of    -MemberIdentity <X>
  Return privileged groups                                -AdminCount
  Return groups with a particular scope                   -GroupScope [DomainLocal/Global/Universal]

Get-DomainGroupMember will enumerate the members of a specific group on a given domain through LDAP.

  Specified group name                                    -Identity "Domain Admins"
  Recursively resolve the members of any results
  that are groups                                         -Recurse

If you're not sure of the object type, you can use Get-DomainObject. Get-DomainObjectACL will return the ACLs associated with a specific Active Directory object. The -ResolveGUIDs flag resolves ACE GUIDs to their display names.

Domain [Trusts]

  Info on the current forest                              Get-Forest
  Enumerate all domains in the current forest             Get-ForestDomain
  Get all forest trusts for the current forest            Get-ForestTrust
  Info on the current domain                              Get-Domain
  Get all domain trusts (à la nltest /trusted_domains)    Get-DomainTrust
  Recursively map all domain trusts                       Get-DomainTrustMapping
  Find users in groups outside of the given domain
  (outgoing access)                                       Get-DomainForeignUser
  Find groups with users outside of the given domain
  (incoming access)                                       Get-DomainForeignGroupMember

All Verb-Domain* functions also accept -Domain <X> to query the specified information from a foreign domain.

User-Hunting

Find-DomainUserLocation (old Invoke-UserHunter) will use LDAP queries and API calls to locate users on the domain. Note: default behavior searches for "Domain Admins" and touches every machine on the domain!

  Specifies one or more user identities to hunt for       -UserIdentity <X>
  Specifies hosts to enumerate for session information    -ComputerName X,Y
  Specifies one or more groups to query for users
  to hunt for                                             -UserGroupIdentity <X>
  Show all results (i.e. don't filter by user targets)    -ShowAll
  Hunt using only session information from
  file servers/DCs                                        -Stealth
  Check if the current user has local admin access to
  computers where target users are found                  -CheckAccess

Data Mining

Find-DomainShare (old Invoke-ShareFinder) will use LDAP queries and API calls to search for open shares on the domain. Note: default behavior touches every machine on the domain!

  Only return shares the current user can read            -CheckShareAccess
  Only return shares from machines in a given OU          -ComputerSearchBase "ldap://OU=…"

Find-InterestingFile will recursively search a given local/UNC path for files matching specific criteria.

  Search a specific UNC path                              -Path \\SERVER\Share
  Only return files with the specified search terms
  in their names                                          -Include term1,term2,term3
  Only return office docs                                 -OfficeDocs
  Only return files accessed within the last week         -LastAccessTime (Get-Date).AddDays(-7)

Local Admin Enumeration

Get-NetLocalGroupMember will enumerate the local users/groups from localhost or a remote machine.

  Enumerate local admins from hostname (or IP)            -ComputerName <X>
  Use an alternate group besides local admins             -GroupName "Remote Desktop Users"
  Use the WinNT service provider (default) or
  Win32 API calls                                         -Method [WinNT/API]

Misc. Functions

  Return domain OUs                                       Get-DomainOU
  Return domain GPOs                                      Get-DomainGPO
  Find likely file servers based on user properties       Get-DomainFileServer
  Enumerate shares on a specific machine                  Get-NetShare <X>
  Enumerate sessions on a specific machine                Get-NetSession <X>
  Enumerate RDP sessions (and source IPs)                 Get-NetRDPSession <X>

More Information

  Recent PowerView update: http://bit.ly/2rseIm6
  PowerView Tricks: http://bit.ly/2tDBAQi
  http://www.harmj0y.net/blog/tag/powerview/
  https://specterops.io
