PowerView Cheatsheet

Cheatsheet

AV/EDR Bypass

TOOL---Invoke-Obfuscation#tool-info

Technique Info

How to Use Invoke-Obfuscation to Obfuscate PowerShell Scripts

Import-Module ./Invoke-Obfuscation.psd1 
Invoke-Obfuscation 
# Then follow prompts: 
SET SCRIPTPATH C:\path\to\Invoke-Mimikatz.ps1 
OKEN ALL 1 
# Select obfuscation level 
1
OUT C:\path\to\obfuscated-Invoke-Mimikatz.ps1

Link to original

Commands

Get information on Domain

Command

Get-Domain # current domain
Get-Domain -Domain essos.local # different domain

Example

Get Domain SID

Command

Get-DomainSID # current domain
Get-DomainSID -Domain essos.local # different domain

Example

Get Domain Users

Command

# current domain
Get-DomainUser -Properties name,lastlogon,passwdlastset,badpwdcount
 
# different domain
Get-DomainUser -Domain essos.local -Properties name,lastlogon,passwdlastset,badpwdcount ```

Example

Get Domain Policy Information

Command

# SystemAccess Information
Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
 
# KerberosPolicy Information

Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicy

Different Domain

Get-DomainPolicy -Domain essos.local | Select-Object -ExpandProperty KerberosPolicy

Example

Get Domain Controller

Command

Get-DomainController # current domain
 
Get-DomainController -Domain essos.local # different domain 

Example

Get All Domains in the Current Forest

Command

Get-ForestDomain 

Example

Get a List of Domain Members That Belong to a Particular Domain Group

Command

Get-DomainGroupMember -Identity "domain admins" -Recurse 

Example

Get Domain Controller Computer Information

Command

Get-DomainComputer -Properties samaccountname,dnshostname,operatingsystem,lastlogon 

Example

Get Logged on Users for a Computer

Command

Get-NetLoggedOn -ComputerName KINGSLANDING 

Example

Get Domain Trust Information

Command

Get-DomainTrust # perspective of current domain
 
Get-DomainTrust -Domain essos.local # perspective of a different domain

Example

Get Forest Trust Information

Command

Get-ForestTrust # perspective of current forest
 
Get-ForestTrust -Forest essos.local # perspective of a different forest

Example

Enumerate Object ACLs

Command

Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose 

Example

INSERT_IMAGE_HERE

Get a List of GPOs

Command

Get-DomainGPO
Get-DomainGPO -ComputerIdentity dcorp-student1

Example

INSERT_IMAGE_HERE

Find all machines on the current domain where the current user has local admin access

Command

Find-LocalAdminAccess 

Example

INSERT_IMAGE_HERE

Find all machines on the current domain where the current user has local admin access using WMI

Command

Find-WMLocalAdminAccess.ps1 

Example

INSERT_IMAGE_HERE

Find all machines on the current domain where the current user has local admin access using PSRemoting

Command

FindPSRemotingLocalAdminAccess.ps1 

Example

INSERT_IMAGE_HERE

Find computers where a specific group has sessions

Command

Find-DomainUserLocation -UserGroupIdentity "RDPUsers" 

Example

INSERT_IMAGE_HERE

Get services with unquoted pathsand spaces in their name

Command

Get-ServiceUnquoted -Verbose 

Example

INSERT_IMAGE_HERE

Get services where the current user can write to its binary path or change arguments to the binary

Command

Get-ModifiableServiceFile -Verbose 

Example

INSERT_IMAGE_HERE

Get the services whose configuration current user can modify.

Command

Get-ModifiableService -Verbose 

Example

INSERT_IMAGE_HERE