PowerView Usage Guide

This guide covers the practical usage of Veil-PowerView (now maintained as PowerView in PowerSploit's Recon module) for Active Directory enumeration in authorized lab environments. You will learn the core commands, understand what each query reveals about a domain, and, critically, what defensive teams should expect to see in event logs when these queries execute.

If you have ever tried to explain to a network administrator why their AD monitoring needs improvement, running PowerView in a lab and showing them the results (and the absence of alerts) is more persuasive than any slide deck.

Before You Start

PowerView requires:

  • A domain-joined Windows system, or a non-joined system with domain credentials (for example via runas /netonly)
  • Network access to a domain controller (LDAP on 389/636, global catalog on 3268/3269, and SMB on 445 for share and session enumeration)
  • An isolated lab environment (do not run this against production AD)
  • Audit logging enabled on your domain controllers: the Directory Service Access subcategory, which produces Event ID 4662, plus SACLs on the objects you want to see read. Event ID 5136 records modifications only and will not appear for read-only enumeration. On file servers, enable File Share auditing (Event ID 5140).

Without the audit logging, you are generating activity that nobody can see — which defeats the purpose of the exercise.
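The setup the list above calls for, as an added example (not part of PowerView or of this guide's original text). It is run as a Domain Admin on a lab DC; the domain DN lab.local and the choice of Everyone as the audited principal are assumptions for a lab.

```powershell
# Added example: turn on the audit settings this guide relies on.
# Run as a Domain Admin on a lab DC. Domain DN and audited principal are lab assumptions.

# 1. Enable the subcategories behind 4662 (DS Access) and 5136 (DS Changes).
#    5136 only records modifications; read-only enumeration never emits it.
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable
# On file servers, 5140 needs the File Share subcategory.
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /get /category:"DS Access"
auditpol /get /category:"Object Access"

# 2. 4662 only fires for objects that carry a SACL. Add a success audit for
#    property reads on the Domain Admins group so that membership reads by any
#    principal are logged. (Everyone + ReadProperty is deliberately broad for a
#    lab; on a real domain scope the SACL to the attributes you care about.)
Import-Module ActiveDirectory
$target   = "AD:\CN=Domain Admins,CN=Users,DC=lab,DC=local"     # assumption: lab domain
$everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$flags    = [System.Security.AccessControl.AuditFlags]::Success
$rule     = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule `
                       -ArgumentList $everyone, $rights, $flags

$acl = Get-Acl -Path $target -Audit      # -Audit is needed to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# 3. Verify the SACL landed before you start enumerating.
(Get-Acl -Path $target -Audit).Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags -AutoSize
```

The same SACL can be applied to AdminSDHolder or to the domain head if you want every protected object or every object covered; expect 4662 volume to rise sharply on a live domain, which is exactly the noise problem the Operational Considerations section describes.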

Core Enumeration Commands

Domain Information

The fundamental starting point is understanding the domain structure. PowerView's domain enumeration functions reveal:

  • The domain name, SID, and functional level
  • Domain controller hostnames and IP addresses
  • Forest trust relationships
  • Sites and subnets

This information is available to any authenticated domain user. That fact alone is worth communicating to your security team.

User Enumeration

User discovery is often the highest-value enumeration activity. PowerView can identify:

  • All domain user accounts
  • Members of privileged groups (Domain Admins, Enterprise Admins), including nested membership
  • Service accounts, recognisable by a servicePrincipalName and often over-privileged
  • Recently active user sessions on servers (this uses SMB session enumeration rather than LDAP, and current Windows builds restrict it to administrators by default)
  • Users and computers with specific attributes (e.g., unconstrained delegation, which is a bit in userAccountControl)

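A walk through the domain and user enumeration described in the two sections above, as an added example rather than text from the original guide. It uses the current PowerSploit PowerView function names and notes the older Veil-era names in comments where they differ; it assumes PowerView.ps1 is in the current directory and that the account is a standard domain user in a lab domain. The LDAP filters in the comments are what a defender doing LDAP inspection would see on the wire.

```powershell
# Added example: domain and user enumeration with PowerView (current names;
# older Veil-PowerView names in comments). Assumes .\PowerView.ps1 and a lab domain.
. .\PowerView.ps1

# --- Domain structure: name, functional level, SID, DCs, trusts, sites, subnets ---
$dom = Get-Domain                                   # older name: Get-NetDomain
"{0} (functional level {1})" -f $dom.Name, $dom.DomainMode
Get-DomainSID
Get-DomainController | Select-Object Name, IPAddress, OSVersion   # Get-NetDomainController
Get-DomainTrust                                     # older name: Get-NetDomainTrust
Get-ForestTrust                                     # older name: Get-NetForestTrust
Get-DomainSite   | Select-Object name               # older name: Get-NetSite
Get-DomainSubnet | Select-Object name, siteobject   # older name: Get-NetSubnet

# --- All users. On the wire: one LDAP search, filter (samAccountType=805306368) ---
Get-DomainUser -Properties samaccountname, lastlogon, pwdlastset, memberof |   # Get-NetUser
    Select-Object -First 20

# --- Privileged group members, resolved recursively through nested groups ---
'Domain Admins', 'Enterprise Admins' | ForEach-Object {
    Get-DomainGroupMember -Identity $_ -Recurse |   # older name: Get-NetGroupMember
        Select-Object GroupName, MemberName, MemberObjectClass
}
# Shortcut that defenders can fingerprint: accounts protected by AdminSDHolder
# carry adminCount=1, so this emits the filter (adminCount=1).
Get-DomainUser -AdminCount | Select-Object samaccountname

# --- Service accounts: anything with an SPN set (Kerberoasting candidates) ---
# Filter on the wire: (servicePrincipalName=*)
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname

# --- Unconstrained delegation: userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000) ---
# Both queries use the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803.
$uac = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
Get-DomainUser -LDAPFilter $uac | Select-Object samaccountname
Get-DomainComputer -Unconstrained | Select-Object dnshostname

# --- Sessions: SMB (NetSessionEnum over srvsvc) rather than LDAP, so no 4662 ---
# Current Windows builds restrict this to administrators; expect empty results
# or access-denied from a standard user, which is itself worth noting.
Get-DomainController | ForEach-Object {
    Get-NetSession -ComputerName $_.Name | Select-Object CName, UserName
}
```

Every block above except the session query is a single LDAP search a standard user is allowed to perform; the session query is the one place where a modern default actually pushes back.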
Share Discovery

Network shares frequently contain sensitive data, configuration files, scripts with embedded credentials, and backup files. PowerView's share enumeration identifies accessible shares across the domain.

Group Policy Analysis

Group Policy Objects control security configuration across the domain. PowerView can enumerate GPOs and identify settings relevant to security posture:

  • Password policies
  • Restricted groups
  • Software deployment configurations
  • Security template assignments

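Share discovery and Group Policy analysis from the two sections above, as an added example that is not part of the original guide or of PowerView's own documentation. Current PowerView names are used with older names in comments; PowerView.ps1 is assumed loaded, the domain is assumed to be a lab, and the share names and file patterns are illustrative. The Get-DomainPolicyData property names follow the PowerSploit dev-branch parser, which strips spaces from GptTmpl.inf section names.

```powershell
# Added example: share and GPO enumeration with PowerView (current names; older
# names in comments). Assumes .\PowerView.ps1 and a lab domain.
. .\PowerView.ps1

# --- Shares the current user can actually read, across every domain computer ---
# This is SMB traffic (NetShareEnum plus one tree connect per share), so it lands
# in file server 5140 events, not in DC 4662 events.
$shares = Find-DomainShare -CheckShareAccess        # older: Invoke-ShareFinder -CheckShareAccess
$shares | Where-Object { $_.Name -notin 'SYSVOL', 'NETLOGON', 'print$', 'IPC$' } |
    Select-Object ComputerName, Name, Remark

# --- Sweep readable shares for files whose names suggest credentials or backups ---
# Patterns are illustrative; the cmdlet has its own defaults (unattend*.xml, *creds*, ...).
Find-InterestingDomainShareFile -Include '*pass*', '*.config', '*.bak', '*.kdbx' |   # older: Invoke-FileFinder
    Select-Object Path, Owner, LastWriteTime

# --- Group Policy: every GPO, then the domain account policy parsed from SYSVOL ---
Get-DomainGPO | Select-Object displayname, gpcfilesyspath, whenchanged   # older: Get-NetGPO
$policy = Get-DomainPolicyData -Policy Domain                             # older: Get-DomainPolicy
$policy.SystemAccess |
    Select-Object MinimumPasswordLength, PasswordComplexity, PasswordHistorySize,
                  LockoutBadCount, LockoutDuration, MaximumPasswordAge

# --- Restricted Groups / GPP local group settings ---
# Which GPOs push domain principals into local groups, and where they apply.
Get-DomainGPOLocalGroup |                                                 # older: Get-NetGPOGroup
    Select-Object GPODisplayName, GroupName, GroupMembers, GPOPath
# Resolve that to "who is a local Administrator on which computers via GPO".
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators |
    Select-Object ObjectName, GPODisplayName, ContainerName, ComputerName
```

The GPO calls are LDAP reads of groupPolicyContainer objects followed by SMB reads of SYSVOL, so a defender will see both an LDAP search with filter (objectCategory=groupPolicyContainer) and file reads under \\domain\SYSVOL\...\Policies.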
Defensive Monitoring Checklist

When you run these commands in your lab, verify that your monitoring captures:

| Activity | Expected Event | Source | Notes |
|---|---|---|---|
| LDAP enumeration | High-volume traffic to 389/636 (and 3268/3269 for the global catalog) | Network monitoring | Kerberos-authenticated LDAP binds also log Event ID 4624 with logon type 3 on the DC |
| Directory service access | Event ID 4662 | DC security log | Requires the Directory Service Access audit subcategory and a SACL on the objects of interest; without a SACL nothing is logged |
| Admin group queries | LDAP filter (adminCount=1), or a read of the Domain Admins group object | Network/LDAP inspection; DC Directory Service log (Event ID 1644 when Field Engineering diagnostics are enabled) | 1644 only records searches that exceed the configured expensive/inefficient search thresholds |
| Share access attempts | Event ID 5140 | File server security logs | Requires the File Share audit subcategory; one event per share connect |

If any of these are missing from your logs, you have a detection gap that needs configuration changes.
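A check that turns the table above into a pass/fail run, as an added example that is not part of the original guide. It is run on a lab DC after the enumeration exercise; it assumes the ActiveDirectory module is present, that the Domain Admins SACL from the setup section is in place, and that the file server is named FS01 (an assumption, passed as a parameter).

```powershell
# Added example: verify on a lab DC that an enumeration run actually left
# 4662, 4624 and 5140 events behind. Not part of PowerView. FS01 is an assumption.
param(
    [datetime]$Since = (Get-Date).AddHours(-1),
    [string]$FileServer = 'FS01'
)
Import-Module ActiveDirectory

function Get-EventDataObject {
    # Flatten the <EventData><Data Name=...> elements of a Security event into an object.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

# --- 4662: who read which directory object. Drop machine accounts and SYSTEM,
#     which dominate this event on a live DC. ---
$reads = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventDataObject $_ } |
    Where-Object { $_.SubjectUserName -notlike '*$' -and $_.SubjectUserName -ne 'SYSTEM' }

"=== 4662 directory reads since $Since, by account ==="
$reads | Group-Object SubjectUserName | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 4662 reports the object either as a DN or as %{objectGUID}, so match both forms.
$daGuid  = (Get-ADGroup -Identity 'Domain Admins').ObjectGUID.ToString()
$daReads = $reads | Where-Object {
    $_.ObjectName -like '*CN=Domain Admins*' -or $_.ObjectName -like "*$daGuid*"
}
"Domain Admins object read by: " + (($daReads.SubjectUserName | Select-Object -Unique) -join ', ')

# --- 4624 type 3 on the DC: the LDAP binds themselves, keyed by source IP and user ---
$logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventDataObject $_ } |
    Where-Object { $_.LogonType -eq '3' -and $_.TargetUserName -notlike '*$' }
"=== network logons to this DC, by source ==="
$logons | Group-Object IpAddress, TargetUserName | Select-Object Name, Count | Format-Table -AutoSize

# --- 5140 on the file server: share enumeration with access checks produces a
#     burst of these from one source in a few seconds ---
$shareHits = Get-WinEvent -ComputerName $FileServer -FilterHashtable @{LogName='Security'; Id=5140; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventDataObject $_ }
"=== 5140 share connects on $FileServer, by source ==="
$shareHits | Group-Object IpAddress, SubjectUserName | Select-Object Name, Count | Format-Table -AutoSize

# --- Detection-gap verdicts ---
if (-not $daReads)   { Write-Warning 'No 4662 for Domain Admins: check the SACL and the DS Access audit subcategory.' }
if (-not $logons)    { Write-Warning 'No 4624 type 3 on this DC: enumeration may have hit another DC, or auditing of logons is off.' }
if (-not $shareHits) { Write-Warning "No 5140 on ${FileServer}: check the File Share audit subcategory and remote event log access." }
```

Run it once immediately after the burst enumeration and once after the spread-out run; a difference in what the two runs surface is the baseline gap the next section is about.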

Operational Considerations

Credential handling: PowerView only needs standard domain user credentials for most functions. If your environment allows standard users to enumerate privileged groups and sessions, that is a finding in itself.

Noise level: PowerView generates noticeable LDAP traffic. In a quiet lab, it is easy to spot. In a production environment with legitimate AD management tools running, it can blend in. This is why behavioral baselines matter.

Timing: Run the enumeration twice, once as a burst and once spread over hours or days. Burst activity is easy to catch with simple volume thresholds; the distributed run tests whether your baselines and correlation catch low-and-slow collection, which is how a patient attacker would do it.
