Mastering Veil-PowerView: Active Directory Reconnaissance Techniques 2026

Deep dive into Veil-PowerView's Active Directory reconnaissance capabilities for 2026, with detection strategies and hardening guidance for defenders securing AD environments.

Active Directory is the backbone of enterprise identity management, and it is also the richest reconnaissance target an attacker encounters after gaining initial access. Veil-PowerView provides a comprehensive toolkit for enumerating AD environments — users, groups, trusts, GPOs, ACLs, and delegation configurations — all through standard LDAP queries that blend with normal domain traffic.

Understanding what PowerView reveals about your AD environment is essential for defenders because every piece of information an attacker can enumerate through PowerView is information you should be protecting, monitoring, or restructuring. This article covers the current state of AD reconnaissance techniques, what changed in 2025–26, and practical detection and hardening strategies.

What Changed Recently

AD reconnaissance with PowerView has evolved alongside changes in the AD security landscape:

  • LDAP channel binding and signing enforcement — Microsoft has been tightening LDAP security. Windows Server 2025 enforces LDAP signing by default. PowerView adapts by using authenticated LDAP sessions that comply with signing requirements.
  • Tiered administration models — More organizations implement the Microsoft ESAE (Enhanced Security Administrative Environment) model or derivatives. PowerView enumeration helps red teams validate whether tiering is actually enforced.
  • AD CS (Certificate Services) enumeration — Following the ESC1-ESC8 research, AD CS enumeration has become a standard part of AD reconnaissance. PowerView extensions and complementary tools enumerate certificate templates, CAs, and enrollment permissions.
  • Azure AD / Entra ID hybrid enumeration — Modern environments are hybrid. PowerView handles on-premises AD; complementary tools cover the Azure/Entra ID side. Defenders need to monitor both planes.

Core Reconnaissance Functions

The PowerView usage guide covers the full command reference. Here we focus on the functions that matter most for detection and defense:

Domain and Trust Enumeration

  • Get-Domain — Returns domain object information including domain controllers, functional level, and trust relationships
  • Get-DomainTrust — Enumerates all trust relationships. Bi-directional trusts between forests are particularly interesting to attackers because they enable cross-forest access.
  • Get-Forest — Maps the forest structure including child domains and trust chains

Why it matters for defenders: Trust enumeration reveals lateral movement paths between domains. If a trust exists that you did not expect or that is no longer needed, it is an unnecessary attack surface.

User and Group Enumeration

  • Get-DomainUser — Enumerates all domain users with attributes including group memberships, last logon, password last set, and service principal names
  • Get-DomainGroup — Lists groups and their members, including nested group memberships
  • Get-DomainGroupMember -Identity "Domain Admins" -Recurse — Resolves the effective membership of high-privilege groups through nested memberships

Why it matters for defenders: Knowing which accounts are effectively Domain Admin — including through nested group membership — is fundamental. If your DA group has 47 effective members instead of the 5 you expected, you have an access control problem.

ACL and Delegation Enumeration

  • Find-InterestingDomainAcl — Identifies ACL entries that grant dangerous permissions (GenericAll, WriteDACL, WriteOwner, etc.) to non-admin users
  • Get-DomainObjectAcl — Returns the full DACL for a specific AD object
  • Find-DomainUserLocation — Identifies which machines domain users are currently logged into

Why it matters for defenders: Misconfigured ACLs are one of the most common AD attack paths. An account with WriteDACL on the Domain Admins group can add itself as a member. These permissions are often granted accidentally and never audited.
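An added defender-side check (not code from the article or from PowerView): it walks the DACL of the objects the section singles out and reports every ACE that grants a takeover right to a principal outside an expected set, which is the check Find-InterestingDomainAcl automates. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and read access to the objects; the expected-principal list is a constructed starting point.

```powershell
# Added example (not from the article or PowerView): report ACEs on high-value AD objects that grant
# takeover rights to principals outside an expected set. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Rights that let the holder take over the object: full control, write everything, rewrite the DACL, take ownership.
$TakeoverRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

function Find-TakeoverAce {
    param(
        [Parameter(Mandatory)] [string]   $DistinguishedName,
        [Parameter(Mandatory)] [string[]] $ExpectedPrincipals     # principals allowed to hold these rights
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }
        # GenericAll contains every other flag, so a GenericAll ACE reports all four rights.
        $held = foreach ($r in $TakeoverRights) {
            if ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::$r)) { $r }
        }
        if ($held) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = ($held -join ', ')
                Inherited = $ace.IsInherited      # inherited entries usually trace back to an OU or the domain root
            }
        }
    }
}

$domain   = Get-ADDomain
$nb       = $domain.NetBIOSName
# Constructed expected set; extend it with whatever your delegation model legitimately grants.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins"

# The objects the article names as high-value: the DA group, the domain root and AdminSDHolder.
$targets = @(
    (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
    $domain.DistinguishedName
    "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
)
$targets | ForEach-Object { Find-TakeoverAce -DistinguishedName $_ -ExpectedPrincipals $expected } |
    Format-Table Principal, Rights, Inherited, Object -AutoSize
```

Attribute-scoped WriteProperty ACEs (for example on the member attribute) are not covered by the four generic flags and need a separate pass over ObjectType.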

GPO and Policy Enumeration

  • Get-DomainGPO — Lists all Group Policy Objects and their links
  • Get-DomainGPOLocalGroup — Identifies GPOs that modify local group memberships on domain computers
  • Get-GPODelegation — Finds who can modify specific GPOs

Why it matters for defenders: GPO modification permissions allow an attacker to push arbitrary configuration changes — including scheduled tasks, startup scripts, and security policy modifications — to all computers linked to that GPO.

Where Defenders Can Observe AD Reconnaissance

LDAP Monitoring

  • Windows Event ID 1644 — LDAP search query logging. When enabled, it records the LDAP filter and attributes requested. PowerView queries are distinguishable by their specific filter patterns.
  • Volume anomalies — PowerView enumeration generates significantly more LDAP queries than normal user activity. A single workstation generating hundreds of LDAP searches in minutes is suspicious.
  • Attribute request patterns — Queries requesting servicePrincipalName, msDS-AllowedToDelegateTo, or userAccountControl are associated with specific attack reconnaissance (Kerberoasting, delegation abuse).

Endpoint Monitoring

  • PowerShell logging — Script Block Logging (Event ID 4104) captures PowerView function calls and parameters. The function names themselves (Get-DomainUser, Find-InterestingDomainAcl) are detection indicators.
  • Process monitoring — PowerShell processes making extensive LDAP connections, especially from non-administrative workstations.

Network Monitoring

  • LDAP traffic analysis — Monitor the volume and pattern of LDAP queries from each endpoint. Reconnaissance tools generate bursts of LDAP traffic that differ from normal authentication and group policy refresh patterns.
  • Kerberos request anomalies — PowerView's Kerberoasting functions trigger TGS requests for service accounts. A single user requesting TGS tickets for many different SPNs is a classic Kerberoasting indicator.

Common Detection Blind Spots

  1. LDAP logging not enabled — Event ID 1644 logging is not enabled by default. Without it, LDAP reconnaissance is invisible.
  2. No baseline for LDAP volume — Without a baseline of normal LDAP query patterns, anomalous reconnaissance activity cannot be distinguished from normal operation.
  3. Focus on tools over techniques — Detecting "PowerView" by name misses equivalent functionality in other tools (SharpView, ADModule, custom scripts). Detect the LDAP query patterns, not the tool name.
  4. Ignoring nested group memberships — Many organizations audit direct group memberships but do not track effective memberships through nesting. This is exactly the information PowerView's recursive enumeration reveals.
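An added example for the nested-membership point made here and in the User and Group Enumeration section (not code from the article or from PowerView): it resolves effective membership the way Get-DomainGroupMember -Recurse does, records the nesting path each member arrived through, and compares the result with an approved list. It assumes the RSAT ActiveDirectory module; the approved list is constructed.

```powershell
# Added example (not PowerView or the article's code): walk nested group membership, keep the nesting path,
# then report effective Domain Admins that are not on an approved list. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EffectiveMembers {
    param([Parameter(Mandatory)] [string] $GroupDN, [string] $Path = '', [hashtable] $Seen = @{})
    if ($Seen.ContainsKey($GroupDN)) { return }          # guard against circular nesting
    $Seen[$GroupDN] = $true
    $group = Get-ADGroup -Identity $GroupDN -Properties member
    $here  = if ($Path) { "$Path > $($group.Name)" } else { $group.Name }
    # Note: members held only via primaryGroupID are not in the member attribute; Get-ADGroupMember covers those.
    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') {
            Get-EffectiveMembers -GroupDN $dn -Path $here -Seen $Seen
        } else {
            # Foreign security principals (cross-forest members) have no sAMAccountName; fall back to the name.
            $name = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
            [pscustomobject]@{ Member = $name; Class = $obj.objectClass; Via = $here }
        }
    }
}

function Get-PrivilegedGroupDrift {
    param([string] $GroupName = 'Domain Admins', [string[]] $Approved = @('Administrator'))
    $dn        = (Get-ADGroup -Identity $GroupName).DistinguishedName
    $direct    = @((Get-ADGroup -Identity $GroupName -Properties member).member).Count
    $effective = @(Get-EffectiveMembers -GroupDN $dn)
    [pscustomobject]@{
        Group          = $GroupName
        DirectEntries  = $direct                     # what a direct-membership audit sees
        EffectiveUsers = $effective.Count            # what PowerView's recursive enumeration sees
        ViaNesting     = @($effective | Where-Object { $_.Via -ne $GroupName })
        Unapproved     = @($effective | Where-Object { $_.Member -notin $Approved })
    }
}

# Constructed allow-list; replace with the accounts your tiering model actually approves.
$drift = Get-PrivilegedGroupDrift -GroupName 'Domain Admins' -Approved @('Administrator', 'da-alice')
$drift | Format-List Group, DirectEntries, EffectiveUsers
$drift.Unapproved | Format-Table Member, Class, Via -AutoSize
```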

Practical Hardening and Monitoring Guidance

For AD Administrators

  • Enable LDAP search query logging — Configure Event ID 1644 logging on domain controllers. Set appropriate thresholds for expensive and long-running queries.
  • Audit and minimize ACL permissions — Regularly audit ACLs on high-value AD objects (Domain Admins group, domain root, AdminSDHolder). Remove unnecessary permissions. Tools like BloodHound and PingCastle automate this analysis.
  • Implement tiered administration — Separate administrative accounts into tiers: Tier 0 (domain controllers), Tier 1 (servers), Tier 2 (workstations). Restrict where each tier's credentials can be used.
  • Clean up stale trusts — Remove domain and forest trusts that are no longer needed. Every trust is an attack path.
  • Enforce LDAP signing and channel binding — Ensure all LDAP communication is signed and uses channel binding to prevent LDAP relay attacks.
  • Audit AD CS — Review certificate templates, enrollment permissions, and CA configurations. The ESC1-ESC8 attack paths should be assessed and mitigated.
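An added example for the first and fifth bullets above and for the LDAP Monitoring section (not code from the article): it enables Directory Service Event ID 1644 logging with explicit thresholds, requires LDAP signing and channel binding, and reads back the resulting state on a domain controller. It assumes an elevated session on the DC; the threshold defaults in the function are assumptions for illustration, not Microsoft's defaults.

```powershell
# Added example (not from the article): enable LDAP search logging (Event ID 1644) with thresholds and
# require LDAP signing plus channel binding. Run in an elevated session on a domain controller.
$Diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Set-LdapReconAudit {
    param(
        [int] $ExpensiveResults   = 100,    # assumed: log searches that visit at least this many entries
        [int] $InefficientResults = 100,    # assumed: log searches that visit this many entries but return few
        [int] $SearchTimeMs       = 1000    # assumed: log searches slower than this
    )
    # Level 5 on the "15 Field Engineering" category is what turns on 1644 records.
    Set-ItemProperty -Path $Diag -Name '15 Field Engineering' -Value 5 -Type DWord
    # Lower thresholds mean more 1644 events and more DC load; 1 would log every search.
    Set-ItemProperty -Path $Params -Name 'Expensive Search Results Threshold'   -Value $ExpensiveResults   -Type DWord
    Set-ItemProperty -Path $Params -Name 'Inefficient Search Results Threshold' -Value $InefficientResults -Type DWord
    Set-ItemProperty -Path $Params -Name 'Search Time Threshold (msecs)'        -Value $SearchTimeMs       -Type DWord
}

function Set-LdapIntegrity {
    # LDAPServerIntegrity 2 = require signing; LdapEnforceChannelBinding 2 = always enforce for LDAPS.
    # Check Directory Service events 2887/2889 for clients still binding unsigned before enforcing.
    Set-ItemProperty -Path $Params -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
    Set-ItemProperty -Path $Params -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord
}

function Get-LdapHardeningState {
    $names = 'Expensive Search Results Threshold', 'Inefficient Search Results Threshold',
             'Search Time Threshold (msecs)', 'LDAPServerIntegrity', 'LdapEnforceChannelBinding'
    $state = [ordered]@{ FieldEngineeringLevel = (Get-ItemProperty -Path $Diag).'15 Field Engineering' }
    foreach ($n in $names) { $state[$n] = (Get-ItemProperty -Path $Params -ErrorAction SilentlyContinue).$n }
    [pscustomobject]$state
}

Set-LdapReconAudit
Set-LdapIntegrity
Get-LdapHardeningState

# Each 1644 record carries the client address, the LDAP filter and the attributes requested,
# which is where PowerView-style filter patterns become visible.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644 } -MaxEvents 20 |
    Select-Object TimeCreated, Message
```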

For SOC Teams

  • Build Kerberoasting detections — Alert on accounts requesting TGS tickets for multiple different SPNs within a short time window. This is a high-fidelity indicator of Kerberoasting reconnaissance.
  • Monitor PowerView function patterns — Script Block Log entries containing PowerView function names or their .NET equivalents indicate active AD enumeration.
  • Track LDAP query anomalies — Baseline LDAP query volumes per endpoint and alert on significant deviations.
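An added example for the Kerberoasting detection bullet above and the Kerberos anomaly point in the Network Monitoring section (not code from the article or from PowerView): it flags accounts that request service tickets for many distinct SPNs inside a short window from Security Event ID 4769, and counts how many of those tickets used RC4. The sample events are constructed so the logic runs offline; the ConvertFrom-Event4769 helper turns real Get-WinEvent records into the same shape.

```powershell
# Added example (not from the article or PowerView): Kerberoasting burst detection over Event ID 4769.
function ConvertFrom-Event4769 {
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $d = ([xml]$Event.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Account     = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            ServiceName = ($d | Where-Object Name -eq 'ServiceName').'#text'
            EncType     = ($d | Where-Object Name -eq 'TicketEncryptionType').'#text'
        }
    }
}

function Find-KerberoastBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinDistinctSpns = 5,      # distinct service accounts in one window before alerting
        [int] $WindowMinutes   = 10
    )
    # Computer accounts (name ends in $) and krbtgt are normal ticket targets, not roastable service accounts.
    $Events | Where-Object { $_.ServiceName -notmatch '\$$' -and $_.ServiceName -ne 'krbtgt' } |
        Group-Object Account | ForEach-Object {
            $acct   = $_.Name
            $sorted = @($_.Group | Sort-Object TimeCreated)
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $start = $sorted[$i].TimeCreated
                $end   = $start.AddMinutes($WindowMinutes)
                $win   = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
                $spns  = @($win | ForEach-Object ServiceName | Sort-Object -Unique)
                if ($spns.Count -ge $MinDistinctSpns) {
                    [pscustomobject]@{
                        Account     = $acct
                        WindowStart = $start
                        DistinctSpn = $spns.Count
                        Rc4Tickets  = @($win | Where-Object EncType -eq '0x17').Count   # RC4 tickets are the ones cracked offline
                    }
                    break   # one alert per account per run
                }
            }
        }
}

# Constructed sample: alice pulls six different service tickets in 30 seconds, bob behaves normally.
$t0 = Get-Date '2026-01-15T09:00:00'
$sample = @(
    foreach ($n in 0..5) { [pscustomobject]@{ TimeCreated = $t0.AddSeconds(5 * $n); Account = 'alice'; ServiceName = "svc-app$n"; EncType = '0x17' } }
    [pscustomobject]@{ TimeCreated = $t0;               Account = 'bob'; ServiceName = 'svc-sql01'; EncType = '0x12' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(1); Account = 'bob'; ServiceName = 'WS01$';     EncType = '0x12' }
)
Find-KerberoastBursts -Events $sample | Format-Table -AutoSize
```

Against a live DC, feed the function with `$ev = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | ConvertFrom-Event4769` and tune the window and SPN count to the baseline of your own service-ticket traffic.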

Lab Testing

Use Veil-PowerView in a controlled lab environment to enumerate your AD configuration and identify the reconnaissance paths that your detection should cover. The PowerView usage guide provides the command reference, and the sandbox lab guide covers safe lab configuration.

For the broader evasion context, see PowerShell hardening best practices for securing the PowerShell environment that PowerView runs in, and the LOLBAS article for understanding how built-in tools are used alongside enumeration frameworks.

Every piece of information PowerView enumerates is information your AD environment is exposing. If you do not want attackers to know who your Domain Admins are, what permissions they have, and where they are logged in — start hardening the access controls and monitoring the queries that reveal it.