PowerView / SharpView - AD Enumeration Cheat Sheet
Key Takeaways
- PowerView (PowerShell) and SharpView (a .NET/C# port of PowerView) are used for Active Directory enumeration; the function names and most switches are the same in both.
- PowerView returns PowerShell objects, so its output can be piped into Where-Object, Select-Object, ConvertFrom-UACValue and similar cmdlets. SharpView.exe writes text, so its output can only be captured and filtered as strings; there is no property-based piping.
- SharpView is often stealthier than PowerView in modern EDR/AV environments: a compiled assembly avoids PowerShell script block logging and the many signatures written for PowerView.ps1. It is not invisible, though: AMSI scans .NET assemblies on .NET 4.8 and later, and the SharpView binary itself is widely signatured, so test an obfuscated or recompiled build before relying on it.
Command Summary
General Enumeration
Get-DomainPolicy
.\SharpView.exe Get-Domain
.\SharpView.exe Get-DomainOU
Get-DomainUser harry.jones | ConvertFrom-UACValue -showall
.\SharpView.exe Get-DomainUser -KerberosPreauthNotRequired
Get-DomainComputer | select dnshostname, useraccountcontrol
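The object-versus-string difference from the key takeaways, applied to the user enumeration commands above, as an added example that is not part of the original cheat sheet. It assumes PowerView.ps1 and SharpView.exe are in the working directory, and that SharpView prints one "property : value" line per attribute (an assumption about its output layout); the CSV path is a placeholder. The UAC bit values are the standard userAccountControl constants.

```powershell
. .\PowerView.ps1   # dot-source PowerView into this session (assumed path)

# 1. PowerView returns objects: decode the useraccountcontrol bit field and filter on it.
#    DONT_EXPIRE_PASSWORD = 0x10000, DONT_REQ_PREAUTH = 0x400000 (AS-REP roastable).
$report = foreach ($u in Get-DomainUser -Properties samaccountname,useraccountcontrol) {
    $uac = [int]$u.useraccountcontrol
    [pscustomobject]@{
        User            = $u.samaccountname
        NoPreauth       = ($uac -band 0x400000) -ne 0
        PwdNeverExpires = ($uac -band 0x10000) -ne 0
        # ConvertFrom-UACValue returns an ordered dictionary keyed by the flags that are set
        Flags           = ($u | ConvertFrom-UACValue).Keys -join ','
    }
}
$report | Where-Object { $_.NoPreauth -or $_.PwdNeverExpires } | Format-Table -AutoSize

# Same objects to disk; Export-PowerViewCSV is PowerView's Export-Csv wrapper (placeholder path).
$report | Export-PowerViewCSV -Path .\users_uac.csv

# 2. SharpView writes text. PowerShell hands back a native command's stdout as an array of
#    strings, so there is no property to pipe on; filter lines with Select-String instead.
#    Assumption: SharpView prints "property : value" lines, as PowerShell's Format-List does.
$lines = & .\SharpView.exe Get-DomainUser -KerberosPreauthNotRequired
$lines |
    Select-String -Pattern '^\s*samaccountname\s*:' |
    ForEach-Object { ($_.Line -split ':', 2)[1].Trim() }
```

The bitmask test and ConvertFrom-UACValue give the same answer; the mask is what you filter on, the dictionary is what you show a reader. If the SharpView output layout differs from the assumed one, only the regex in step 2 needs to change.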
Misc Functions
Export-PowerViewCSV
Resolve-IPAddress -Hostname <host>
ConvertTo-SID -Name <username>
Convert-ADName -ObjectName <SID>
Invoke-UserImpersonation -Credential $cred
Invoke-RevertToSelf
Get-DomainSPNTicket
Invoke-Kerberoast
Get-PathAcl -Path <path>
Domain / LDAP Functions
Get-DomainDNSZone
Get-DomainDNSRecord
Get-Domain
Get-DomainController
Get-Forest
Get-ForestDomain
Get-ForestGlobalCatalog
Find-DomainObjectPropertyOutlier
Get-DomainUser
New-DomainUser
Set-DomainUserPassword
Get-DomainUserEvent
Get-DomainComputer
Get-DomainObject
Set-DomainObject
Get-DomainObjectAcl
Add-DomainObjectAcl
Find-InterestingDomainAcl
Get-DomainOU
Get-DomainSite
Get-DomainSubnet
Get-DomainSID
Get-DomainGroup
New-DomainGroup
Get-DomainManagedSecurityGroup
Get-DomainGroupMember
Add-DomainGroupMember
Get-DomainFileServer
Get-DomainDFSShare
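The ACL functions above (Find-InterestingDomainAcl, Get-DomainObjectAcl, Get-DomainGroup -MemberIdentity) put together to answer "which objects can I already take over", as an added example that is not part of the original cheat sheet. It assumes PowerView.ps1 is dot-sourced and that the current session runs as a domain user; the right names are the standard ActiveDirectoryRights and extended-right names.

```powershell
. .\PowerView.ps1   # assumed path

# Rights that hand the holder the object outright, or let them rewrite its DACL or owner.
$takeover = 'GenericAll|WriteDacl|WriteOwner|GenericWrite'

# 1. Domain-wide sweep. -ResolveGUIDs turns extended-right GUIDs into names such as
#    User-Force-Change-Password and DS-Replication-Get-Changes-All (the DCSync pair).
$interesting = Find-InterestingDomainAcl -ResolveGUIDs |
    Where-Object {
        $_.ActiveDirectoryRights -match $takeover -or
        $_.ObjectAceType -match 'User-Force-Change-Password|DS-Replication-Get-Changes'
    }

# 2. Keep only ACEs held by principals we already are: our account plus its effective groups.
#    Get-DomainGroup -MemberIdentity reads tokenGroups, so nested membership is included.
$mine = @(Get-DomainGroup -MemberIdentity $env:USERNAME |
          Select-Object -ExpandProperty samaccountname) + $env:USERNAME
$interesting |
    Where-Object { $_.IdentityReferenceName -in $mine } |
    Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, IdentityReferenceName

# 3. Targeted check: who can take over the Domain Admins group object? Get-DomainObjectAcl
#    returns raw ACEs, so the trustee SID is resolved to a name here with ConvertFrom-SID.
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs |
    Where-Object { $_.ActiveDirectoryRights -match $takeover } |
    ForEach-Object {
        [pscustomobject]@{
            Principal = ConvertFrom-SID -ObjectSid $_.SecurityIdentifier
            Rights    = $_.ActiveDirectoryRights
            Inherited = $_.IsInherited
        }
    }
```

Step 3 will always list the built-in administrative principals; the finding is any ordinary user or group that appears beside them. Inherited ACEs usually come from an OU higher up, so follow them with Get-DomainObjectAcl on the parent OU to find where the right was actually granted.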
GPO Enumeration
Get-DomainGPO
Get-DomainGPOLocalGroup
Get-DomainGPOUserLocalGroupMapping
Get-DomainGPOComputerLocalGroupMapping
Get-DomainPolicy
Get-DomainGPO -ComputerIdentity WS01 | select displayname
Computer Enumeration
Get-NetLocalGroup -ComputerName <target>
Get-NetLocalGroupMember -ComputerName <target>
Get-NetShare -ComputerName DC01
Get-NetLoggedon -ComputerName <target>
Get-NetSession -ComputerName <target>
Get-RegLoggedOn -ComputerName <target>
Get-NetRDPSession -ComputerName <target>
Test-AdminAccess -ComputerName SQL01
Get-NetComputerSiteName -ComputerName <target>
Get-WMIRegProxy
Get-WMIRegLastLoggedOn
Get-WMIRegCachedRDPConnection
Get-WMIRegMountedDrive
Get-WMIProcess
Find-InterestingFile -Path <searchpath>
Find-DomainUserLocation
Find-DomainProcess
Find-DomainUserEvent
Find-DomainShare
Find-InterestingDomainShareFile
Find-LocalAdminAccess
Find-DomainLocalGroupMember
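The session-hunting functions above combined into the usual "where are the Domain Admins, and where am I already admin" check, as an added example that is not part of the original cheat sheet. It assumes PowerView.ps1 is dot-sourced; the hostname SQL01 and the thread count are placeholders.

```powershell
. .\PowerView.ps1   # assumed path

# 1. Every host where the current user is already a local admin. This touches every computer
#    object in the domain (one admin-share check each), so it is noisy; -Threads bounds the
#    parallelism.
$adminOn = @(Find-LocalAdminAccess -Threads 10)

# 2. Hosts with a Domain Admin session or logon right now. -CheckAccess adds a LocalAdmin
#    property saying whether the current user has admin rights on that host.
$daSessions = Find-DomainUserLocation -UserGroupIdentity 'Domain Admins' -CheckAccess

# Intersection: a DA is present and we are admin there, i.e. their credentials are in reach.
$targets = $daSessions |
    Where-Object { $_.LocalAdmin -or ($adminOn -contains $_.ComputerName) } |
    Select-Object ComputerName, UserName, SessionFrom -Unique
$targets | Format-Table -AutoSize

# 3. Per-host detail for one candidate (SQL01 is a placeholder). Test-AdminAccess returns an
#    object with an IsAdmin property, not a boolean, so read the property.
$target = 'SQL01'
if ((Test-AdminAccess -ComputerName $target).IsAdmin) {
    Get-NetSession          -ComputerName $target | Select-Object CName, UserName, IdleTime
    Get-NetLoggedon         -ComputerName $target | Select-Object UserName, LogonDomain
    Get-NetLocalGroupMember -ComputerName $target -GroupName Administrators |
        Select-Object MemberName, IsGroup, IsDomain
}
```

On Windows 10 1709+ and Server 2019+ the NetSessionEnum call behind Get-NetSession is restricted to administrators by default, so an empty result from a non-admin context means "not allowed", not "nobody is connected"; Get-RegLoggedOn and Find-DomainUserLocation's logon checks need admin on the target for the same reason.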
Domain Trust Functions
Get-DomainTrust
Get-ForestTrust
Get-DomainForeignUser
Get-DomainForeignGroupMember
Get-DomainTrustMapping
net accounts
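The trust functions above chained into a cross-domain sweep, as an added example that is not part of the original cheat sheet. It assumes PowerView.ps1 is dot-sourced and that the trusted domains are reachable over LDAP from the current host.

```powershell
. .\PowerView.ps1   # assumed path

# 1. Walk the trust graph from the current domain. Get-DomainTrustMapping recurses through
#    every reachable trust and emits one object per trust relationship.
$trusts = Get-DomainTrustMapping
$trusts |
    Select-Object SourceName, TargetName, TrustDirection, TrustType, TrustAttributes |
    Format-Table -AutoSize

# 2. For every domain in the map, list group members that come from a different domain.
#    Foreign members of privileged groups are the usual cross-trust escalation path.
$domains = @($trusts.SourceName) + @($trusts.TargetName) | Sort-Object -Unique
$foreign = foreach ($d in $domains) {
    # a domain we cannot reach just drops out instead of aborting the loop
    Get-DomainForeignGroupMember -Domain $d -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'QueriedDomain'; e = { $d } }, GroupName, MemberDomain, MemberName
}
$foreign | Format-Table -AutoSize

# 3. The reverse view: users of the current domain that sit in groups of another domain.
Get-DomainForeignUser | Select-Object UserDomain, UserName, GroupDomain, GroupName
```

Read TrustAttributes before getting excited about a result: trusts inside one forest (WITHIN_FOREST) are not a security boundary, so a foreign member there is a direct path, while a forest trust with SID filtering in place blocks SID-history based hops and leaves only the explicit foreign memberships this sweep lists.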