PowerView: The Ultimate Tool for Active Directory Recon
PowerView is a powerful PowerShell tool designed for AD enumeration. It’s part of the PowerSploit framework and is used to map out domain relationships, user permissions, trusts, group memberships, and more — all without touching a GUI.
As a pentester, understanding PowerView is crucial. It helps you find misconfigurations, high-value targets, and privilege escalation paths inside Windows domains — all from a low-privileged user account.
Table of Contents
- What is PowerView?
- How to Use PowerView
- Key Recon Techniques and Commands
- Privilege Escalation & Post-Exploitation Commands
- OpSec Considerations
- TryHackMe Labs to Practice
- Summary
1. What is PowerView?
PowerView is a PowerShell-based tool for Active Directory (AD) enumeration. It was developed to help red teamers and pentesters gather information about domain environments. Think of it as your AD x-ray machine — revealing users, groups, ACLs, trusts, and relationships in fine detail.
Unlike BloodHound (which collects data and visualizes it), PowerView is scriptable and lightweight. It’s ideal for stealthy, live recon during engagements.
2. How to Use PowerView
Importing PowerView:
Import-Module .\PowerView.ps1
If you’re working on a system without AMSI or Defender blocking, you can run it directly. Otherwise, obfuscation or AMSI bypasses may be needed.
Tip: Use Invoke-Obfuscation if necessary.
3. Key Recon Techniques and Commands
Get Domain Info
Get-Domain
Basic info about the current domain.
Get All Users
Get-DomainUser
List all domain users.
Get-DomainUser -SamAccountName username
Detailed info on a specific user.
Get All Groups
Get-DomainGroup
Enumerate all domain groups.
Get-DomainGroupMember -Identity "Domain Admins"
See who’s in a specific group.
Get All Computers
Get-DomainComputer
List all machines in the domain.
Get-DomainComputer -OperatingSystem "*Server*"
Filter for servers (great targets).
Trust Mapping
Get-DomainTrust
Find domain-to-domain trust relationships — essential in multi-domain forests.
GPO Enumeration
Get-DomainGPO
List all Group Policy Objects.
Find-GPOLocation -Verbose
Find machines affected by specific GPOs.
Get Logged-On Users
Get-NetLoggedon -ComputerName TARGET
See who’s logged in remotely (requires local admin or creds).
Invoke-UserHunter
Find where domain users are logged in.
Invoke-StealthUserHunter
Same thing, but with fewer queries — better OPSEC.
4. Privilege Escalation & Post-Exploitation
Find Privileged Users on Hosts
Invoke-UserHunter
Used to find users in high-priv groups logged into machines you can access.
ACL Abuse
Invoke-ACLScanner
Scans AD objects for modifiable permissions — useful for object takeovers.
Get-ObjectAcl -SamAccountName targetuser -ResolveGUIDs
Shows ACLs on a user object. Look for GenericWrite, WriteOwner, WriteDacl, etc.
Sessions
Get-NetSession -ComputerName TARGET
Lists active SMB sessions — useful for lateral movement.
Object Delegation (Unconstrained/Constrained)
Get-DomainComputer -Unconstrained
Find machines with unconstrained delegation.
Get-DomainUser -TrustedToAuth
Users with constrained delegation rights — juicy targets.
OU Enumeration
Get-DomainOU
List all Organizational Units.
Kerberoastable Accounts
Get-DomainUser -SPN
List users with SPNs set — targetable via Kerberoasting.
Find Passwords in Description Fields
Get-DomainUser | Where-Object { $_.description -like "*password*" }
Admins sometimes leave creds in the description field. Goldmine.
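The same misconfigurations this section points at (unconstrained and constrained delegation, SPN-bearing user accounts, credentials parked in description fields, and write-class ACEs on privileged group objects) are exactly what a defender should be auditing and ticketing. The script below is an added example, not code from the original post or from the PowerSploit project; it uses the built-in RSAT ActiveDirectory module instead of PowerView, assumes the caller has ordinary read access to the domain, and the function name, the default privileged-group list and the "trusted principal" regex are assumptions you would tune for your forest.

```powershell
# Added audit script (not part of the original post). Assumes the RSAT
# ActiveDirectory module is installed and the caller can read the domain.
# Reports the misconfiguration classes the post enumerates so they can be fixed.
Import-Module ActiveDirectory

function Get-AdRiskFindings {
    [CmdletBinding()]
    param(
        # Privileged groups whose object ACLs are checked for risky ACEs (assumed default list).
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    $add = { param($Type, $Object, $Detail)
        $findings.Add([pscustomobject]@{ Type = $Type; Object = $Object; Detail = $Detail }) }

    # 1. Computers with unconstrained delegation: userAccountControl bit 0x80000 (524288),
    #    matched with the LDAP bitwise-AND rule. Any TGT such a host receives is reusable.
    Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
        ForEach-Object { & $add 'UnconstrainedDelegation' $_.Name 'TRUSTED_FOR_DELEGATION set; move to constrained or resource-based delegation' }

    # 2. Accounts with constrained delegation (msDS-AllowedToDelegateTo populated).
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo, samAccountName |
        ForEach-Object { & $add 'ConstrainedDelegation' $_.samAccountName ('Delegates to: ' + ($_.'msDS-AllowedToDelegateTo' -join ', ')) }

    # 3. User accounts carrying an SPN (Kerberoastable). Remediation: gMSA or long random passwords.
    Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, PasswordLastSet |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object { & $add 'KerberoastableUser' $_.SamAccountName ('SPNs: ' + ($_.servicePrincipalName -join ', ') + '; password last set ' + $_.PasswordLastSet) }

    # 4. Secrets left in description fields (slightly broader pattern than the post's "*password*").
    Get-ADUser -Filter 'description -like "*password*" -or description -like "*pwd*"' -Properties description |
        ForEach-Object { & $add 'SecretInDescription' $_.SamAccountName $_.description }

    # 5. Write-class ACEs on privileged group objects held by principals outside the expected set.
    $riskyRights = 'GenericAll', 'GenericWrite', 'WriteOwner', 'WriteDacl'
    $trusted = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\Domain Admins|.*\\Enterprise Admins)$'
    foreach ($g in $PrivilegedGroups) {
        $group = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # The AD: PSDrive is created when the ActiveDirectory module loads.
        $acl = Get-Acl -Path ('AD:\' + $group.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
            $hit = @($rights | Where-Object { $riskyRights -contains $_ })
            if ($hit.Count -gt 0 -and ($ace.IdentityReference.Value -notmatch $trusted)) {
                & $add 'RiskyAce' $g ('{0} has {1}' -f $ace.IdentityReference.Value, ($hit -join ','))
            }
        }
    }
    return $findings
}

# Usage: run as a normal domain user; pipe to Export-Csv for the remediation ticket.
Get-AdRiskFindings | Sort-Object Type | Format-Table -AutoSize
```

Two caveats on the ACL check: it only looks at the generic rights named in the post, so a WriteProperty ACE scoped to a single attribute (such as the group's member attribute) or an extended right will not be reported, and the trusted-principal regex will still surface some default entries (Account Operators, for instance) that you should review once and then baseline.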
5. OpSec Considerations
- PowerView is noisy by default. Every command interacts with the DC via LDAP.
- Use -Stealth or selective, targeted queries to reduce your footprint.
- Combine with SharpHound if you need better stealth and offline analysis.
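The noise the post describes is also what makes PowerView detectable: each "give me everything" cmdlet is one domain-wide LDAP search with a recognisable filter, and a single client issuing several of those within a few minutes looks nothing like ordinary console use. The detector below is an added example, not from the original post or the PowerSploit project. The search records are constructed to resemble what you would collect from domain-controller LDAP search logging (for example Directory Service event 1644 once Field Engineering logging and the search thresholds are tuned) or from a network capture; the field names, the window and the threshold are assumptions for this example.

```powershell
# Added example (not part of the original post): heuristic detector for
# enumeration bursts. The records below are CONSTRUCTED sample data; field
# names (Time, Client, Filter, Returned) are assumptions for this example.
$SampleSearches = @(
    # Workstation 10.0.0.25: five domain-wide sweeps inside two minutes.
    [pscustomobject]@{ Time='2024-05-01T09:00:01'; Client='10.0.0.25'; Filter='(samAccountType=805306368)'; Returned=4120 },
    [pscustomobject]@{ Time='2024-05-01T09:00:09'; Client='10.0.0.25'; Filter='(objectCategory=group)'; Returned=612 },
    [pscustomobject]@{ Time='2024-05-01T09:00:20'; Client='10.0.0.25'; Filter='(samAccountType=805306369)'; Returned=1380 },
    [pscustomobject]@{ Time='2024-05-01T09:01:02'; Client='10.0.0.25'; Filter='(objectClass=trustedDomain)'; Returned=3 },
    [pscustomobject]@{ Time='2024-05-01T09:01:45'; Client='10.0.0.25'; Filter='(servicePrincipalName=*)'; Returned=57 },
    # Helpdesk 10.0.0.31: two broad searches hours apart (normal console use).
    [pscustomobject]@{ Time='2024-05-01T09:05:00'; Client='10.0.0.31'; Filter='(objectCategory=group)'; Returned=612 },
    [pscustomobject]@{ Time='2024-05-01T14:10:00'; Client='10.0.0.31'; Filter='(samAccountType=805306368)'; Returned=4120 },
    # Admin 10.0.0.40: targeted lookups only.
    [pscustomobject]@{ Time='2024-05-01T09:02:00'; Client='10.0.0.40'; Filter='(sAMAccountName=jdoe)'; Returned=1 },
    [pscustomobject]@{ Time='2024-05-01T09:02:30'; Client='10.0.0.40'; Filter='(sAMAccountName=svc-backup)'; Returned=1 }
)

# Filters PowerView's "list everything" cmdlets issue (plus the two targeted
# switches from the post). Extend this list from your own captures.
$BroadFilters = @(
    '(samAccountType=805306368)',                               # Get-DomainUser
    '(samAccountType=805306369)',                               # Get-DomainComputer
    '(objectCategory=group)',                                   # Get-DomainGroup
    '(objectClass=trustedDomain)',                              # Get-DomainTrust
    '(objectCategory=groupPolicyContainer)',                    # Get-DomainGPO
    '(servicePrincipalName=*)',                                 # Get-DomainUser -SPN
    '(userAccountControl:1.2.840.113556.1.4.803:=524288)'       # Get-DomainComputer -Unconstrained
)

function Find-EnumerationBursts {
    param(
        [Parameter(Mandatory)] [object[]]$Searches,
        [int]$WindowMinutes = 10,      # assumed window
        [int]$MinDistinctBroad = 3     # assumed threshold: distinct object classes swept
    )
    $alerts = @()
    foreach ($byClient in ($Searches | Group-Object Client)) {
        $broad = @($byClient.Group |
            Where-Object { $BroadFilters -contains $_.Filter } |
            Sort-Object { [datetime]$_.Time })
        # Slide a window starting at each broad search from this client.
        for ($i = 0; $i -lt $broad.Count; $i++) {
            $start = [datetime]$broad[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($broad | Where-Object { ([datetime]$_.Time) -ge $start -and ([datetime]$_.Time) -le $end })
            $distinct = @($inWindow.Filter | Select-Object -Unique)
            if ($distinct.Count -ge $MinDistinctBroad) {
                $alerts += [pscustomobject]@{
                    Client          = $byClient.Name
                    Start           = $start
                    DistinctFilters = $distinct.Count
                    ObjectsReturned = ($inWindow | Measure-Object Returned -Sum).Sum
                    Filters         = ($distinct -join '; ')
                }
                break   # one alert per client is enough for triage
            }
        }
    }
    return $alerts
}

Find-EnumerationBursts -Searches $SampleSearches | Format-List
```

With the constructed records only the first client crosses the threshold; the helpdesk host sweeps the same object classes but hours apart, and the admin host only asks for named objects. Treat this as one signal, not a verdict: SharpHound, inventory agents and monitoring tools produce similar sweeps and need baselining, and the -Stealth and targeted modes mentioned above are designed to stay under exactly this kind of threshold, which is why it pairs well with honey accounts and session-logging on your high-value hosts.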
6. Summary
PowerView is one of the most versatile tools for Active Directory enumeration. Whether you’re just inside the domain or deep into post-exploitation, it helps uncover the relationships, permissions, and misconfigurations that matter most.
Master it, and you’ll move through AD environments like a ghost in the machine.
