Veil-PowerView

Veil-PowerView is the Active Directory enumeration component of the Veil Framework: a PowerShell tool for mapping domain structure, trust relationships, privileged accounts, and group policy from an ordinary domain-joined host. For defensive teams, understanding how PowerView operates is essential for recognising AD reconnaissance activity, because its traffic looks like administration rather than attack.

Anyone who has worked in an enterprise environment knows that Active Directory is the backbone — and the primary target. PowerView's value to defenders lies in revealing what AD reconnaissance looks like from the wire and from the event log.

What PowerView Does

PowerView works by querying Active Directory through standard LDAP searches (via the .NET DirectoryServices classes) and the Win32 network APIs (NetSessionEnum, NetShareEnum and similar) that administrative tools such as net.exe also use. It does not exploit vulnerabilities, and any single query it sends is indistinguishable from legitimate administration. That is precisely what makes it hard to detect with signatures, and precisely why defenders need to understand it.

Core capabilities include:

  • Domain enumeration — Mapping domain controllers, forest structure, and trust relationships
  • User discovery — Identifying privileged accounts, service accounts, and recently active users
  • Share enumeration — Finding accessible network shares across the domain
  • GPO analysis — Reviewing group policy objects for misconfigurations
  • Session enumeration — Identifying where privileged users are logged in
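The point that PowerView is "just LDAP" is easiest to see by issuing the same searches yourself. The following is an added example, not code from the original page or from PowerView: it runs a handful of standard LDAP filters through the .NET DirectorySearcher and retrieves the same information that PowerView functions such as Get-NetDomainController, Get-NetDomainTrust, Get-NetUser and Get-NetGPO return. It assumes a domain-joined host and the current user's (standard) domain credentials; the function name Invoke-LabLdapQuery is made up for this example.

```powershell
# Added example (not PowerView's own code): PowerView-style enumeration reduced to
# plain LDAP queries issued through System.DirectoryServices.DirectorySearcher.
# Assumes the host is domain-joined; no domain name is hard-coded.

function Invoke-LabLdapQuery {
    param(
        [Parameter(Mandatory)][string]$Filter,          # RFC 4515 LDAP filter
        [string[]]$Properties = @('name'),              # attributes to return
        [string]$SearchBase                             # defaults to the domain naming context
    )
    if (-not $SearchBase) {
        # RootDSE advertises the domain's naming context, so nothing is hard-coded.
        $SearchBase = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500      # paged results, otherwise large domains truncate at 1000
    $searcher.PropertiesToLoad.AddRange($Properties)

    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($p in $Properties) {
            # ResultPropertyCollection keys are lower-case; multi-valued attributes are joined.
            $row[$p] = @($result.Properties[$p.ToLower()]) -join '; '
        }
        [pscustomobject]$row
    }
}

# The filters behind the capabilities listed above. Each is an ordinary LDAP query that
# any authenticated domain user may run; nothing here requires elevated rights.
$queries = [ordered]@{
    'Domain controllers (SERVER_TRUST_ACCOUNT bit)' = @{
        Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
        Props  = 'dNSHostName', 'operatingSystem' }
    'Domain trusts' = @{
        Filter = '(objectClass=trustedDomain)'
        Props  = 'name', 'trustDirection', 'trustType' }
    'Protected accounts (adminCount=1)' = @{
        Filter = '(&(objectCategory=person)(objectClass=user)(adminCount=1))'
        Props  = 'sAMAccountName', 'memberOf' }
    'Service accounts (have an SPN)' = @{
        Filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))'
        Props  = 'sAMAccountName', 'servicePrincipalName' }
    'Group Policy Objects' = @{
        Filter = '(objectClass=groupPolicyContainer)'
        Props  = 'displayName', 'gPCFileSysPath' }
}

foreach ($name in $queries.Keys) {
    $q = $queries[$name]
    Write-Host "== $name =="
    Invoke-LabLdapQuery -Filter $q.Filter -Properties $q.Props | Format-Table -AutoSize
}
```

Run it from a lab workstation while watching the domain controller's Security log: each block of results corresponds to a burst of directory reads from one logon session, which is exactly the pattern the monitoring section below keys on. Session and share enumeration are not covered here because they go over SMB to member hosts rather than LDAP to the DC.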

Defensive Monitoring

Because PowerView uses legitimate APIs, detection relies on behavioral patterns rather than signature matching:

  • LDAP query volume — A single workstation generating hundreds of LDAP queries in minutes is anomalous for most environments; baseline per host and per account, since jump hosts and monitoring agents legitimately sustain higher rates
  • Event ID 4662 — Directory Service Access auditing logs one "operation was performed on an object" event per access to an object whose SACL requests it, so objects without an audit entry produce nothing; the event records the subject account and logon ID but not the client address, so correlate it with the 4624 network logon (type 3) that carries the same logon ID to find the source host
  • Event ID 5136 — Directory Service Changes auditing records modifications to directory objects; PowerView's enumeration is read-only and does not trigger it, but it catches the follow-on changes (group membership, ACL edits) that reconnaissance usually precedes
  • Network traffic patterns — High-volume LDAP (389/636, and 3268/3269 for the global catalog) from non-administrative workstations to domain controllers; session and share enumeration additionally appears as SMB connections from one host to many domain members in quick succession, each leaving a 4624 logon type 3 on the target
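The "many reads from one logon in a short window" pattern can be expressed as a small check over Security-log events. What follows is an added example, not part of the original page: a function that groups 4662 events by the subject's logon ID, counts distinct objects read inside a sliding window, and joins the logon ID to the 4624 network logon that created it to recover the client address (4662 itself has none). The sample events are constructed for the example; the live reader at the end assumes it runs on a domain controller with the DS Access subcategory enabled. The function names Find-DirectoryReadBurst and Get-DsAccessEvents, and the threshold values, are choices made for this example.

```powershell
# Added example (not from the original page or PowerView): behavioural detection of
# bulk directory reads from Security-log events 4662 and 4624.

function Find-DirectoryReadBurst {
    param(
        [Parameter(Mandatory)][object[]]$Events,  # objects with Id, TimeCreated and the 4662/4624 fields used below
        [int]$Threshold     = 100,                # distinct objects read inside one window before alerting
        [int]$WindowMinutes = 5
    )
    # 4662 carries no client address. Recover it from the 4624 network logon (type 3)
    # whose TargetLogonId equals the 4662's SubjectLogonId.
    $source = @{}
    foreach ($e in @($Events | Where-Object { $_.Id -eq 4624 -and [int]$_.LogonType -eq 3 })) {
        $source[[string]$e.TargetLogonId] = $e.IpAddress
    }
    foreach ($group in @($Events | Where-Object { $_.Id -eq 4662 } | Group-Object SubjectLogonId)) {
        $reads = @($group.Group | Sort-Object TimeCreated)
        # Sliding window over the sorted reads; O(n^2) is acceptable for an hour of DC logs.
        $peak = 0
        for ($i = 0; $i -lt $reads.Count; $i++) {
            $start    = $reads[$i].TimeCreated
            $end      = $start.AddMinutes($WindowMinutes)
            $inWindow = $reads | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -lt $end }
            # ObjectName is a DN or an object GUID in live events; either way count distinct targets.
            $distinct = @($inWindow | ForEach-Object { $_.ObjectName } | Sort-Object -Unique).Count
            if ($distinct -gt $peak) { $peak = $distinct }
        }
        if ($peak -ge $Threshold) {
            $logonId = [string]$group.Name
            $addr = if ($source.ContainsKey($logonId)) { $source[$logonId] } else { '(no matching 4624)' }
            [pscustomobject]@{
                Subject         = "$($reads[0].SubjectDomainName)\$($reads[0].SubjectUserName)"
                LogonId         = $logonId
                SourceAddress   = $addr
                DistinctObjects = $peak
                FirstRead       = $reads[0].TimeCreated
            }
        }
    }
}

# Constructed sample data (not real log output).
$t0 = Get-Date '2024-01-15 09:00:00'
$sample = @(
    # the network logons that created the two sessions used below
    [pscustomobject]@{ Id=4624; TimeCreated=$t0.AddSeconds(-5);  LogonType=3; TargetLogonId='0x3E7A1C'; IpAddress='10.0.0.25' }
    [pscustomobject]@{ Id=4624; TimeCreated=$t0.AddMinutes(-30); LogonType=3; TargetLogonId='0x5B2210'; IpAddress='10.0.0.10' }
)
# 150 distinct user objects read by LAB\jdoe inside two minutes: PowerView-style enumeration
$sample += 1..150 | ForEach-Object {
    [pscustomobject]@{ Id=4662; TimeCreated=$t0.AddSeconds($_ * 0.8); SubjectUserName='jdoe'; SubjectDomainName='LAB'
                       SubjectLogonId='0x3E7A1C'; ObjectName="CN=user$_,CN=Users,DC=lab,DC=local" }
}
# six reads spread over 40 minutes by a helpdesk account: routine work, must not alert
$sample += 1..6 | ForEach-Object {
    [pscustomobject]@{ Id=4662; TimeCreated=$t0.AddMinutes($_ * 7); SubjectUserName='helpdesk1'; SubjectDomainName='LAB'
                       SubjectLogonId='0x5B2210'; ObjectName="CN=host$_,OU=Servers,DC=lab,DC=local" }
}
Find-DirectoryReadBurst -Events $sample | Format-List   # reports only LAB\jdoe from 10.0.0.25

# On a domain controller the same check runs over live events; the fields sit in EventData.
function Get-DsAccessEvents {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4662, 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $row = [ordered]@{ Id = $_.Id; TimeCreated = $_.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
        [pscustomobject]$row
    }
}
# Find-DirectoryReadBurst -Events (Get-DsAccessEvents -Hours 1) -Threshold 200
```

Tune the threshold against a baseline rather than using the sample value: backup agents, identity-sync connectors and some monitoring tools read the directory in bulk under their own service accounts, and those should be allow-listed by account and source address rather than by raising the threshold for everyone.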

Configuring these audit policies requires domain controller-level changes: the DS Access subcategories apply to domain controllers (normally set through the Default Domain Controllers Policy), and Event ID 4662 additionally needs audit entries in the SACL of the objects you want watched, because without them no event is written. Work with your AD team to enable the relevant audit categories before running PowerView in your lab, and expect a substantial event volume once they are on.

Lab Setup Considerations

PowerView testing requires a lab environment that includes at minimum:

  • A Windows Server domain controller
  • Two or more domain-joined workstations
  • Proper DNS configuration
  • Audit policies enabled for directory service access, with SACL audit entries on the objects to be watched

The testing host needs domain credentials. A standard user account is sufficient for most PowerView functions, because authenticated domain users can read most of the directory by default; that is part of what makes the tool concerning from a defensive perspective.
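The audit configuration the lab depends on can be set up with a short script on the domain controller. This is an added example and not part of the original page: it enables the two DS Access subcategories with auditpol, adds a success-audit SACL entry on the domain root so that reads generate 4662 events, and checks both. It assumes an elevated PowerShell session on the lab DC with the ActiveDirectory module available; the domain name is taken from Get-ADDomain rather than assumed.

```powershell
# Added example (not from the original page): lab audit configuration for 4662/5136.
# Run elevated on the lab domain controller.

# 1. Advanced audit policy subcategories. If a GPO already applies advanced audit policy
#    to the DCs, it overwrites these local settings at the next refresh; put the same
#    settings in that GPO (usually Default Domain Controllers Policy) instead.
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /category:"DS Access"

# 2. 4662 is only logged for objects whose SACL asks for it. Audit successful ReadProperty
#    by Everyone on the domain root, inherited by every child object. This is deliberately
#    broad for a lab; in production scope the entry to specific containers and attributes,
#    or the volume will drown everything else in the Security log.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$path     = "AD:\$domainDn"
$acl      = Get-Acl -Path $path -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule     = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Confirm the SACL entry exists, then generate a read from a workstation (any LDAP
#    search for (objectCategory=person) will do) and look for the resulting 4662 events.
(Get-Acl -Path $path -Audit).Audit | Where-Object { $_.ActiveDirectoryRights -match 'ReadProperty' }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 5 | Format-List TimeCreated, Message
```

Remove the domain-root audit entry when the lab exercise is over; a DC that audits every property read stays noisy long after the test and makes the real signal harder to find.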

Related Documentation