invoke-userhunter is PywerView’s primary lateral movement reconnaissance command. It enumerates all computers in the domain via LDAP, then queries each host using get-netsession and get-netloggedon to discover where target users are currently logged in or have active sessions. By default it hunts for members of the Domain Admins group, but you can target any group, a specific username, or supply your own user list. Multi-threading significantly reduces enumeration time across large environments, and stealth mode limits queries to high-traffic servers (DFS, DCs, file servers) to reduce noise and detection risk.
User hunting generates substantial network traffic as it contacts every domain computer in sequence. Security tools such as EDR agents and SIEM correlation rules may detect the rapid succession of SMB and RPC connections and alert on or block the activity. Assess your authorisation and environment risk before running this command against production networks.
Use --stealth to restrict queries to DFS servers, domain controllers, and file servers — machines where privileged users are statistically more likely to have sessions — rather than contacting every computer in the domain. Combine with --stealth-source dfs dc to narrow it further.
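The warning above describes the pattern defenders can look for: a single source authenticating to many hosts in quick succession to call the session and logged-on-user RPC interfaces, with stealth mode collapsing that fan-out to a handful of high-value servers. The script below is an added example, not PywerView code, that runs two complementary rules over a constructed, simplified event format ("time source target interface"); the names SAMPLE_LINES, HIGH_VALUE_HOSTS, SESSION_QUERY_ALLOWLIST, fan_out_alerts and high_value_alerts are all assumptions of this example, and the host names and addresses are made up.

```python
"""Detection logic for session-enumeration sweeps (added example, not PywerView).

Rule 1 (fan-out): one source querying many distinct hosts inside a short window,
which is what a full-domain hunt looks like.  Rule 2 (high-value target): any
session query against a domain controller, DFS or file server from a host that
is not expected to do so, which is what a --stealth run leaves behind.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one session/logged-on-user RPC query per line:
# "<ISO time> <source IP> <target host> <RPC interface>".  This is a toy
# schema standing in for whatever your EDR or network sensor emits.
SAMPLE_LINES = [
    "2024-05-01T10:00:00 10.0.0.7 FS01 srvsvc",     # monitoring host, expected
    "2024-05-01T10:03:00 10.0.0.7 FS01 srvsvc",
    "2024-05-01T10:00:01 10.0.0.50 WS01 wkssvc",    # sweep: same host, second interface
    "2024-05-01T10:20:00 10.0.0.77 DC01 srvsvc",    # single query at a DC
] + [
    # sweep from one workstation across twelve hosts in twelve seconds
    f"2024-05-01T10:00:{i:02d} 10.0.0.50 WS{i:02d} srvsvc" for i in range(1, 13)
]

# Constructed: hosts where privileged sessions are likely, and sources allowed
# to enumerate sessions (e.g. a monitoring server).
HIGH_VALUE_HOSTS = {"DC01", "DC02", "FS01", "DFS01"}
SESSION_QUERY_ALLOWLIST = {"10.0.0.7"}


def parse_line(line):
    """Parse one constructed record into a dict with a datetime."""
    ts, src, dst, iface = line.split()
    return {"time": datetime.fromisoformat(ts), "src": src, "dst": dst, "iface": iface}


def fan_out_alerts(events, window=timedelta(minutes=5), min_hosts=10):
    """Return {source: max distinct hosts queried within any `window`} for
    sources that reach `min_hosts`.  Sliding window anchored at each event."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best = 0
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                hosts.add(e["dst"])
            best = max(best, len(hosts))
        if best >= min_hosts:
            alerts[src] = best
    return alerts


def high_value_alerts(events, high_value=HIGH_VALUE_HOSTS, allow=SESSION_QUERY_ALLOWLIST):
    """Return sorted (source, target) pairs for session queries against
    high-value hosts from sources not on the allowlist.  Count-independent, so
    it catches a stealth hunt that touches only a few servers."""
    return sorted({(e["src"], e["dst"])
                   for e in events if e["dst"] in high_value and e["src"] not in allow})


def run(lines=SAMPLE_LINES):
    events = [parse_line(l) for l in lines]
    return fan_out_alerts(events), high_value_alerts(events)


if __name__ == "__main__":
    fan_out, high_value = run()
    for src, n in fan_out.items():
        print(f"fan-out: {src} queried {n} distinct hosts within the window")
    for src, dst in high_value:
        print(f"high-value target: {src} enumerated sessions on {dst}")
```

Windows does not log the session-enumeration RPC call itself; what each queried host records by default is the network logon that precedes it (Security event 4624, logon type 3), so in practice the records above come from EDR or network telemetry keyed on that logon plus the SMB named pipe used. The allowlist matters for the second rule: monitoring and management servers legitimately enumerate sessions, and without it the rule is noise.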

Flags

Domain Controller Connection

-t, --dc-ip
string
required
IP address of the domain controller used to enumerate computers and users via LDAP.
-w, --workgroup
string
Name of the domain to authenticate with.
-u, --user
string
Username for authentication.
-p, --password
string
Password associated with the specified username.
--hashes
string
NTLM hashes for pass-the-hash authentication. Format: [LMHASH:]NTHASH.
-k
boolean
Use Kerberos authentication. Reads credentials from the KRB5CCNAME ccache file.
--tls
boolean
Force a TLS connection to the domain controller.

Target Computer Selection

--computername
string[]
One or more specific hostnames or IPs to hunt against (space-separated). Skips LDAP computer enumeration when provided.
--computerfile
string
Path to a file containing hostnames or IPs to hunt against, one per line.
--computer-filter
string
Custom LDAP filter applied when querying computers from the domain controller.
--computer-adspath
string
ADS path to use when searching for computers in LDAP (e.g., to restrict to a specific OU).
--unconstrained
boolean
Only hunt against computers that have unconstrained Kerberos delegation enabled.
-d, --domain
string
Domain to query for target machines. Defaults to the authenticating user’s domain.

Target User Selection

--groupname
string
Name of a domain group whose members to hunt for. Defaults to Domain Admins when no other user targeting flag is provided.
--targetserver
string
Hunt for users who are effective local administrators on this specific server (resolved via get-netlocalgroup).
--username
string
Hunt for a single specific username.
--user-filter
string
Custom LDAP filter applied when querying target users from the domain controller.
--user-adspath
string
ADS path used when searching for target users in LDAP.
--userfile
string
Path to a file containing usernames to hunt for, one per line.
--admin-count
boolean
Only target users where adminCount=1 in Active Directory.
--allow-delegation
boolean
Only target user accounts that are not marked "sensitive and not allowed for delegation" (the NOT_DELEGATED userAccountControl flag), i.e. accounts whose credentials can be delegated.
--foreign-users
boolean
Only return users whose domain does not match the searched domain (cross-domain sessions).

Hunt Behaviour

--threads
integer
Number of parallel worker threads to use when querying target hosts. Default: 1.
--check-access
boolean
After finding a target session, attempt to verify whether the running user has local administrator access on the host where the session was found.
--stealth
boolean
Only query commonly-used servers (DFS, domain controllers, and file servers) rather than all domain computers. Significantly reduces network noise.
--stealth-source
string[]
Which server sources to query in stealth mode. Accepts one or more of: dfs, dc, file. Default: all three.
--stop-on-success
boolean
Stop hunting as soon as the first matching session is found.
--show-all
boolean
Return all sessions found, regardless of whether they match a target user.
-l, --logging-level
string
Logging verbosity sent to stderr. Choices: CRITICAL (default), WARNING, DEBUG, ULTRA.
--json
boolean
Print results as JSON instead of the default human-readable format.

Examples

# Hunt for Domain Admins across all domain computers
pywerview invoke-userhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'Domain Admins'

# Hunt for a specific user
pywerview invoke-userhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob

# Stealth hunt — only query DFS, DC, and file servers
pywerview invoke-userhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --stealth --groupname 'Domain Admins'

# Stealth hunt limited to domain controllers and DFS only
pywerview invoke-userhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --stealth --stealth-source dfs dc --groupname 'Domain Admins'

# Multi-threaded hunt with 10 threads
pywerview invoke-userhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --threads 10 --groupname 'Domain Admins'

# Stop after the first matching session
pywerview invoke-userhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob --stop-on-success

# Check local admin access on hosts where the user is found
pywerview invoke-userhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --username bob --check-access

# Hunt only users with adminCount=1
pywerview invoke-userhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --admin-count

# JSON output
pywerview invoke-userhunter -t dc.contoso.com -u alice -p 'P@ssw0rd' -w contoso.com \
  --groupname 'Domain Admins' --json
