PowerView Cheatsheet

PowerShell tool for Active Directory enumeration and exploitation. Part of PowerSploit.


Loading PowerView

Import-Module .\PowerView.ps1

Or with execution policy bypass:

powershell -ep bypass -c "Import-Module .\PowerView.ps1"

Domain Enumeration

Domain Info

Get-Domain
Get-DomainPolicy
Get-DomainSID

Domain Controllers

Get-DomainController
Get-DomainController -Domain other.local

Password Policy

Get-DomainPolicy
(Get-DomainPolicy).SystemAccess

Key fields: MinimumPasswordLength, PasswordComplexity, LockoutBadCount, ResetLockoutCount, LockoutDuration


User Enumeration

All Users

Get-DomainUser
Get-DomainUser | select samaccountname, description, memberof

Specific User

Get-DomainUser -Identity jsmith
Get-DomainUser -Identity jsmith -Properties *

Users with SPNs (Kerberoastable)

Get-DomainUser -SPN

Users with Pre-Auth Disabled (AS-REP Roastable)

Get-DomainUser -PreauthNotRequired

Admin Count Users

Get-DomainUser -AdminCount

Search User Descriptions for Passwords

Get-DomainUser | Where-Object {$_.description -ne $null} | select samaccountname, description

Group Enumeration

All Groups

Get-DomainGroup

Specific Group Members

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Groups a User Belongs To

Get-DomainGroup -MemberIdentity jsmith

Computer Enumeration

All Computers

Get-DomainComputer
Get-DomainComputer | select dnshostname, operatingsystem

Find Computers with Unconstrained Delegation

Get-DomainComputer -Unconstrained

Find Computers Where Current User Has Local Admin

Find-LocalAdminAccess

Test Local Admin Access on Specific Host

Test-AdminAccess -ComputerName dc01

Share / File Server Enumeration

Find-DomainShare
Find-DomainShare -CheckShareAccess
Find-InterestingDomainShareFile
Get-DomainFileServer
Get-DomainDFSShare

ACL Enumeration

Find Interesting ACLs

Find-InterestingDomainAcl -ResolveGUIDs

ACLs for Specific Object

Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs

Interesting Rights Granted on a Specific User Object

Get-DomainObjectAcl -Identity jsmith -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match "GenericAll|WriteProperty|WriteDacl"}

Session / Logon Enumeration

Find Sessions on a Computer

Get-NetSession -ComputerName dc01

Find Logged-on Users

Get-NetLoggedon -ComputerName dc01

Find Where a User is Logged In

Find-DomainUserLocation -Identity admin

Trust Enumeration

Get-DomainTrust
Get-DomainTrust -Domain other.local
Get-ForestDomain
Get-ForestTrust
Get-DomainTrustMapping

Foreign Users and Groups

Get-DomainForeignUser
Get-DomainForeignGroupMember

GPO Enumeration

Get-DomainGPO
Get-DomainGPO -ComputerIdentity dc01

OU Enumeration

Get-DomainOU
Get-DomainOU | select name, distinguishedname

Credential Flags (Cross-Domain)

Flag                        Description
-Domain other.local         Target different domain
-Server dc01.other.local    Target specific DC
-Credential $cred           Use alternate credentials

Using Alternate Credentials

$pass = ConvertTo-SecureString 'Password123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('DOMAIN\user', $pass)
Get-DomainUser -Credential $cred

Security Control Enumeration

These are built-in PowerShell cmdlets (not PowerView) commonly used alongside AD enumeration to assess host defenses.

Windows Defender Status

Get-MpComputerStatus

Key fields: RealTimeProtectionEnabled, AntivirusEnabled, BehaviorMonitorEnabled

AppLocker Policy

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

PowerShell Language Mode

$ExecutionContext.SessionState.LanguageMode

ConstrainedLanguage = restricted; FullLanguage = unrestricted.


Utility Functions

Export Results to CSV

Get-DomainUser | Export-PowerViewCSV -Path users.csv

Convert Name to SID

ConvertTo-SID -ObjectName "Domain Admins"

Request Kerberos Ticket for SPN

Get-DomainSPNTicket -SPN "MSSQLSvc/sql01.domain.local:1433"

Tips

  • Pair with BloodHound for visual attack path analysis
  • Find-LocalAdminAccess can be noisy — scans all domain computers
  • Use -Properties to limit returned attributes for faster queries
  • SharpView is a .NET port for environments where PowerShell is restricted
  • BC-Security maintains an updated fork with additions like Get-NetGmsa (Group Managed Service Accounts)
  • Get-DomainGroupMember -Recurse reveals nested group membership (critical for finding hidden privilege escalation)
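The noise from Find-LocalAdminAccess (and from Get-NetSession / Get-NetLoggedon sweeps) is one account producing network logons (Event ID 4624, LogonType 3) on many hosts in a short window. The function below is an added detection example, not code from the page or from PowerView; the event objects are constructed to stand in for centrally collected 4624 records, and the field names, account names, hosts and thresholds are assumptions.

```powershell
# Constructed sample of collected 4624 / LogonType 3 records (fields assumed):
# - background: one user hitting the file server every 10 minutes
# - sweep: one account touching 25 distinct hosts within 75 seconds from one IP
$t0 = Get-Date '2024-05-01T09:00:00'
$events = @()
$events += 1..5 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddMinutes($_ * 10); Account = 'CORP\alice'; Computer = 'FS01'; SourceIp = '10.0.1.20' }
}
$events += 1..25 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds($_ * 3); Account = 'CORP\jsmith'; Computer = ('WS{0:D2}' -f $_); SourceIp = '10.0.1.55' }
}

function Find-LogonSweep {
    # Flags any account that logs on to at least $MinHosts distinct computers
    # within any $WindowMinutes window; reports the first window that trips.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 5,
        [int] $MinHosts = 10
    )
    $Events | Group-Object Account | ForEach-Object {
        $account = $_.Name
        $sorted  = @($_.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start  = $sorted[$i].Time
            $end    = $start.AddMinutes($WindowMinutes)
            $window = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            $hosts  = @($window.Computer | Sort-Object -Unique)
            if ($hosts.Count -ge $MinHosts) {
                [pscustomobject]@{
                    Account       = $account
                    WindowStart   = $start
                    DistinctHosts = $hosts.Count
                    SourceIps     = (@($window.SourceIp | Sort-Object -Unique) -join ',')
                }
                break   # one alert per account is enough; the SIEM can dedupe further
            }
        }
    }
}

# Expected: one row for CORP\jsmith (25 hosts from 10.0.1.55); CORP\alice is below threshold
Find-LogonSweep -Events $events | Format-Table -AutoSize
```

In practice the threshold should be tuned per environment, and service accounts that legitimately touch many hosts (backup, monitoring) need an allow-list so the rule does not page on them.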