PowerView & SharpView

PowerView

PowerView returns query results as PowerShell objects, which can be piped to other cmdlets, so multiple commands can be chained together. See the "Penetration Testing" and "Active Directory" pages for more. This page covers using PowerView from Cobalt Strike beacons and other C2s.

Import PowerView - CS Beacon

beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

SharpView

SharpView is a C# port of PowerView with the same functionality. However, because it runs as a .NET assembly rather than inside a PowerShell pipeline, it does not have the same piping capability.

Use SharpView - CS Beacon

We can run the same PowerView commands through execute-assembly. Below we run PowerView's Get-Domain via SharpView.

beacon> execute-assembly C:\Tools\SharpView.exe Get-Domain 


Get-Domain

beacon> powershell Get-Domain

Forest                  : rotta.dev
DomainControllers       : {dc2.dev.rotta.dev}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : rotta.dev
PdcRoleOwner            : dc2.dev.rotta.dev
RidRoleOwner            : dc2.dev.rotta.dev
InfrastructureRoleOwner : dc2.dev.rotta.dev
Name                    : dev.rotta.dev

Get-DomainController

Returns the domain controllers for the current domain.

beacon> powershell Get-DomainController | select Forest, Name, OSVersion | fl

Forest    : rotta.dev
Name      : dc2.dev.rotta.dev
OSVersion : Windows Server 2022 Datacenter

Get-ForestDomain

Returns all domains for the current forest or the forest specified by -Forest.

beacon> powershell Get-ForestDomain

Forest                  : rotta.dev
DomainControllers       : {dc.rotta.dev}
Children                : {dev.rotta.dev}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : 
PdcRoleOwner            : dc.rotta.dev
RidRoleOwner            : dc.rotta.dev
InfrastructureRoleOwner : dc.rotta.dev
Name                    : rotta.dev

Forest                  : rotta.dev
DomainControllers       : {dc2.dev.rotta.dev}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : rotta.dev
PdcRoleOwner            : dc2.dev.rotta.dev
RidRoleOwner            : dc2.dev.rotta.dev
InfrastructureRoleOwner : dc2.dev.rotta.dev
Name                    : dev.rotta.dev

Get-DomainPolicyData

Returns the default domain policy or the domain controller policy. Useful for finding the password policy.

beacon> powershell Get-DomainPolicyData | select -expand SystemAccess

MinimumPasswordAge           : 1
MaximumPasswordAge           : 42
MinimumPasswordLength        : 7
PasswordComplexity           : 1
PasswordHistorySize          : 24
LockoutBadCount              : 0
RequireLogonToChangePassword : 0
ForceLogoffWhenHourExpire    : 0
ClearTextPassword            : 0
LSAAnonymousNameLookup       : 0
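The SystemAccess values above are what a defender should review against a hardening baseline. The following is an added example, not PowerView code: it builds a hashtable from the output shown above (so it runs without a domain) and flags any setting outside assumed thresholds; the thresholds are example assumptions, not values from this page.

```powershell
# Added example (not part of PowerView): audit the SystemAccess section of the domain policy.
# $SystemAccess is constructed from the output shown above so the check runs offline; on a
# live domain replace it with:  $SystemAccess = (Get-DomainPolicyData).SystemAccess
$SystemAccess = @{
    MinimumPasswordAge    = '1'
    MaximumPasswordAge    = '42'
    MinimumPasswordLength = '7'
    PasswordComplexity    = '1'
    PasswordHistorySize   = '24'
    LockoutBadCount       = '0'
    ClearTextPassword     = '0'
}

# Baseline thresholds are assumptions for this example. $null means unbounded on that side.
$Baseline = @(
    @{ Setting = 'MinimumPasswordLength'; Min = 14; Max = $null; Risk = 'short passwords fall quickly to offline cracking' }
    @{ Setting = 'PasswordHistorySize';   Min = 24; Max = $null; Risk = 'users can cycle back to old passwords' }
    @{ Setting = 'PasswordComplexity';    Min = 1;  Max = 1;     Risk = 'complexity requirement disabled' }
    @{ Setting = 'LockoutBadCount';       Min = 1;  Max = $null; Risk = '0 disables account lockout, so online guessing is unthrottled' }
    @{ Setting = 'ClearTextPassword';     Min = 0;  Max = 0;     Risk = 'passwords stored with reversible encryption' }
)

function Test-PasswordPolicy {
    param([hashtable]$Policy, [object[]]$Rules)
    foreach ($rule in $Rules) {
        $value = [int]$Policy[$rule.Setting]   # INI values come back as strings
        $tooLow  = ($null -ne $rule.Min) -and ($value -lt $rule.Min)
        $tooHigh = ($null -ne $rule.Max) -and ($value -gt $rule.Max)
        if ($tooLow -or $tooHigh) {
            [pscustomobject]@{
                Setting  = $rule.Setting
                Value    = $value
                Expected = "$($rule.Min)..$(if ($null -eq $rule.Max) { '*' } else { $rule.Max })"
                Risk     = $rule.Risk
            }
        }
    }
}

Test-PasswordPolicy -Policy $SystemAccess -Rules $Baseline | Format-Table -AutoSize
# For the values above this reports MinimumPasswordLength (7) and LockoutBadCount (0).
```

The flagged values (7-character minimum, 42-day maximum age, no lockout threshold) are the Windows defaults for the Default Domain Policy, which means the policy was never hardened after domain creation.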

Get-DomainUser

beacon> powershell Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl

displayname : Samantha Coolio
memberof    : {CN=Internet Users,CN=Users,DC=dev,DC=rottadev,DC=io, CN=IT & PC Support,CN=Users,DC=dev,DC=rotta,DC=dev}

Note: most privileges in a domain are delegated to groups rather than to individual users. Samantha Coolio is a member of IT & PC Support, so we can assume the account has elevated privileges.

Get-DomainComputer

Return all computers.

beacon> powershell Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

dnshostname              
-----------              
dc2.dev.rotta.dev
sql.dev.rotta.dev
internal-web.dev.rotta.dev
pwnbox.dev.rotta.dev
win10.dev.rotta.dev

Get-DomainOU

Search for all organizational units (OUs).

beacon> powershell Get-DomainOU -Properties Name | sort -Property Name

name              
----              
Domain Controllers    
SQL Servers       
Internal Web Servers       
Workstations

Get-DomainGPO

Return all Group Policy Objects (GPOs) or a specific GPO object. Note: To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity.

beacon> powershell Get-DomainGPO -Properties DisplayName | sort -Property DisplayName

displayname                      
-----------                      
Computer Certificates
Default Domain Controllers Policy
Default Domain Policy
LAPS
Proxy Settings
Server Admins
Vulnerable GPO
Windows Defender
Windows Firewall
Workstation Admins

Get-DomainGroupMember

Return the members of the specified group.

beacon> powershell Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName

MemberDistinguishedName                             
-----------------------                             
CN=Robert Dumpster,CN=Users,DC=dev,DC=rotta,DC=dev
CN=Administrator,CN=Users,DC=dev,DC=rotta,DC=dev

Get-DomainGPOLocalGroup

Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences.

beacon> powershell Get-DomainGPOLocalGroup | select GPODisplayName, GroupName

GPODisplayName     GroupName            
--------------     ---------            
Workstation Admins DEV\IT & PC Support
Server Admins      DEV\IT & PC Support

Note: the "IT & PC Support" group is added to a local group on every machine these GPOs ("Workstation Admins" and "Server Admins") apply to. Another local group worth looking for in this output is "Remote Desktop Users".

Get-DomainGPOUserLocalGroupMapping

Enumerates the machines where a specific domain user or group is a member of a specific local group. Note: useful for finding where domain groups have local admin access.

beacon> powershell Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl

ObjectName     : IT & PC Support
GPODisplayName : Server Admins
ContainerName  : {OU=Servers,DC=dev,DC=rotta,DC=dev}
ComputerName   : {internal-website.dev.rotta.dev, sql.dev.rotta.dev}

ObjectName     : IT & PC Support
GPODisplayName : Workstation Admins
ContainerName  : {OU=Workstations,DC=dev,DC=rotta,DC=dev}
ComputerName   : {win10.dev.rotta.dev, win10.dev.rotta.dev}
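The Get-DomainGPOLocalGroup and Get-DomainGPOUserLocalGroupMapping output above shows one domain group receiving local Administrators on both server and workstation OUs, which is the kind of tier boundary violation a defender reviewing GPO-enforced group membership looks for. The following is an added example, not PowerView code: it reconstructs the mapping objects from the output above (so it runs offline) and reports any principal whose GPO-granted admin rights span more than one tier; the OU-to-tier assignment is an assumption for this example.

```powershell
# Added example (not part of PowerView): find principals granted local admin across tiers.
# $Mappings is constructed from the Get-DomainGPOUserLocalGroupMapping output above; on a
# live domain replace it with:  Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators
$Mappings = @(
    [pscustomobject]@{ ObjectName = 'IT & PC Support'; GPODisplayName = 'Server Admins'
                       ContainerName = @('OU=Servers,DC=dev,DC=rotta,DC=dev')
                       ComputerName  = @('internal-website.dev.rotta.dev', 'sql.dev.rotta.dev') }
    [pscustomobject]@{ ObjectName = 'IT & PC Support'; GPODisplayName = 'Workstation Admins'
                       ContainerName = @('OU=Workstations,DC=dev,DC=rotta,DC=dev')
                       ComputerName  = @('win10.dev.rotta.dev', 'win10.dev.rotta.dev') }
)

# OU-to-tier mapping is an assumption for this example; adjust to the environment's model.
function Get-Tier([string]$Container) {
    switch -Wildcard ($Container) {
        'OU=Domain Controllers,*' { 'Tier0' }
        'OU=Servers,*'            { 'Tier1' }
        'OU=Workstations,*'       { 'Tier2' }
        default                   { 'Unknown' }
    }
}

function Find-TierViolations([object[]]$Mappings) {
    # A principal whose GPO-granted admin rights span more than one tier is a bridge:
    # a credential captured on a Tier2 workstation is also an administrator in Tier1.
    $Mappings | Group-Object ObjectName | ForEach-Object {
        $group = $_.Group
        $tiers = $group | ForEach-Object { $_.ContainerName } | ForEach-Object { Get-Tier $_ } | Sort-Object -Unique
        if (@($tiers).Count -gt 1) {
            [pscustomobject]@{
                Principal = $_.Name
                Tiers     = $tiers -join ','
                GPOs      = ($group | ForEach-Object { $_.GPODisplayName } | Sort-Object -Unique) -join ','
                # Sort-Object -Unique also collapses the repeated win10 entry seen in the raw output
                Hosts     = ($group | ForEach-Object { $_.ComputerName } | Sort-Object -Unique) -join ','
            }
        }
    }
}

Find-TierViolations $Mappings | Format-List
# Reports IT & PC Support spanning Tier1,Tier2 via the Server Admins and Workstation Admins GPOs.
```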

Get-DomainTrust

Return all domain trusts for the current or specified domain.

beacon> powershell Get-DomainTrust

SourceName      : dev.rotta.dev
TargetName      : rotta.dev
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 8/15/2022 4:00:00 PM
WhenChanged     : 8/15/2022 4:00:00 PM
