Hunting Users with Veil Framework
User enumeration — identifying accounts, privilege levels, and session locations across a domain — is one of the first things an attacker does after gaining initial access. It is also one of the activities most commonly missed by detection teams, because the queries involved use legitimate APIs that generate limited logging by default.
This page covers how user enumeration works, what telemetry it produces, and how to build detection capabilities that catch it.
Why User Enumeration Matters
Knowing which users exist, which are privileged, and where they are logged in is the foundation for lateral movement and privilege escalation. An attacker who identifies that a Domain Admin is logged into a workstation three hops away has a clear path to follow. Detecting this reconnaissance before the attacker acts on it is a critical defensive opportunity.
Enumeration Techniques
User enumeration in Active Directory environments typically involves:
- LDAP queries — Searching for user objects, group memberships, and attributes
- Net commands — net user, net group, net session and their equivalents
- PowerView functions — Programmatic enumeration through PowerShell
- RPC calls — SAM-R queries for user and group information
- SAMR enumeration — Remote SAM access for local account discovery
Each technique leaves different footprints in different log sources. A comprehensive detection strategy covers all of them.
Telemetry Sources
Domain Controller Logs
- Event ID 4662 — Directory service access (requires the "Audit Directory Service Access" subcategory enabled and a SACL on the objects of interest; without the SACL, LDAP reads produce no 4662 at all)
- Event ID 4624 — Logon events showing where accounts authenticate
- Event ID 4769 — Kerberos service ticket operations
Network Traffic
- LDAP query patterns — Volume and content of LDAP searches
- SMB/RPC traffic — SAM-R and LSARPC enumeration calls
- Kerberos traffic — Anomalous service ticket requests
Endpoint Telemetry
- Process creation — Execution of net.exe, dsquery.exe, or PowerShell with enumeration commands
- Script block logging — PowerShell Event ID 4104 capturing enumeration scripts
Building Detection
Effective user enumeration detection requires correlation across multiple data sources:
- LDAP query anomaly detection — A standard user querying for all Domain Admins is anomalous in most environments
- Session enumeration alerts — Repeated NetSessionEnum calls from a single source
- Privilege escalation path monitoring — Alert when enumeration targets privileged accounts specifically
- Time-based correlation — Enumeration followed by lateral movement attempts indicates progression through the kill chain
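As an added example (not code from the original page), the correlation rules above expressed as a small Python detector run over constructed, normalised event records: it flags enumeration of privileged groups, repeated enumeration by one host/user pair inside a time window, and a network logon that follows enumeration within that window. The record shape is an assumption rather than any product's schema, and the PowerView function names in the signature are a partial list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line and script-block signatures for the techniques listed above:
# net.exe / dsquery.exe and a partial list of PowerView function names.
ENUM_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user|group|localgroup|session)\b|\bdsquery(?:\.exe)?\s"
    r"|\b(?:Get-Net(?:User|Group|Session|LoggedOn)|Get-Domain(?:User|Group|GroupMember)"
    r"|Find-DomainUserLocation|Invoke-UserHunter)\b", re.I)
PRIV_RE = re.compile(r"Domain Admins|Enterprise Admins|adminCount=1", re.I)

# Constructed sample telemetry (not real logs) normalised to one assumed record shape:
# kind "process" = 4688 command line, "scriptblock" = 4104 text, "logon" = 4624 type 3.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "user": "jdoe", "kind": "process", "data": 'net.exe group "Domain Admins" /domain'},
    {"ts": "2024-01-10T09:00:40", "host": "WS01", "user": "jdoe", "kind": "process", "data": "net.exe session"},
    {"ts": "2024-01-10T09:01:10", "host": "WS01", "user": "jdoe", "kind": "scriptblock", "data": "Get-NetSession -ComputerName FS01; Find-DomainUserLocation"},
    {"ts": "2024-01-10T09:03:00", "host": "WS01", "user": "jdoe", "kind": "logon", "data": "LogonType=3 Target=FS01"},
    {"ts": "2024-01-10T11:15:00", "host": "WS02", "user": "asmith", "kind": "process", "data": r"net.exe use Z: \\FS01\share"},  # benign drive mapping
]

def is_enum(ev):
    """True when an endpoint event carries an enumeration command or function."""
    return ev["kind"] in ("process", "scriptblock") and bool(ENUM_RE.search(ev["data"]))

def detect(events, window=timedelta(minutes=10), min_enum=2):
    """Per (host, user): flag privileged-group enumeration, repeated enumeration
    inside `window`, and a network logon that follows enumeration inside `window`."""
    alerts, by_actor = [], defaultdict(list)
    for ev in events:
        by_actor[(ev["host"], ev["user"])].append(ev)
    for (host, user), evs in by_actor.items():
        enum_times = []
        for ev in sorted(evs, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
            t = datetime.fromisoformat(ev["ts"])
            recent = [x for x in enum_times if t - x <= window]  # sliding window of enum events
            base = {"host": host, "user": user, "ts": ev["ts"], "data": ev["data"]}
            if is_enum(ev):
                enum_times.append(t)
                if PRIV_RE.search(ev["data"]):
                    alerts.append({"rule": "privileged-group-enumeration", **base})
                if len(recent) + 1 == min_enum:  # fires once, as the threshold is crossed
                    alerts.append({"rule": "repeated-enumeration", **base})
            elif ev["kind"] == "logon" and recent:  # lateral step preceded by enumeration
                alerts.append({"rule": "enumeration-then-lateral-movement", **base})
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```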
Lab Testing Approach
To test your detection capabilities:
- Enable all relevant audit logging on your lab domain controller
- Configure PowerShell script block logging on all endpoints
- Run user enumeration techniques from a test account
- Verify detection at each telemetry layer
- Document blind spots and tune your detection rules
The results often reveal that organizations have decent network-level visibility but poor domain controller audit logging, or vice versa. The lab exercise identifies these asymmetries.