EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Uncommon Connection to Active Directory Web Services

Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.

MITRE ATT&CK

T1087
discovery

Detection Query

selection:
  Initiated: true
  DestinationPort: 9389
filter_main_dsac:
  Image: C:\Windows\system32\dsac.exe
filter_main_ms_monitoring_agent:
  Image: C:\Program Files\Microsoft Monitoring Agent\
filter_main_powershell:
  Image|startswith:
    - C:\Program Files\PowerShell\7\pwsh.exe
    - C:\Program Files\PowerShell\7-preview\pwsh.ex
    - C:\Windows\System32\WindowsPowerShell\
    - C:\Windows\SysWOW64\WindowsPowerShell\
condition: selection and not 1 of filter_main_*

Author

@kostastsale

Created

2024-01-26

Data Sources

windowsNetwork Connection Events

Platforms

windows

References

Tags

attack.discoveryattack.t1087
Raw Content
title: Uncommon Connection to Active Directory Web Services
id: b3ad3c0f-c949-47a1-a30e-b0491ccae876
status: test
description: |
    Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
references:
    - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
    - https://github.com/FalconForceTeam/FalconFriday/blob/a9219dfcfd89836f34660223f47d766982bdce46/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
author: '@kostastsale'
date: 2024-01-26
tags:
    - attack.discovery
    - attack.t1087
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: true
        DestinationPort: 9389
    filter_main_dsac:
        Image: 'C:\Windows\system32\dsac.exe'
    filter_main_ms_monitoring_agent:
        Image: 'C:\Program Files\Microsoft Monitoring Agent\'
    filter_main_powershell:
        Image|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.ex'
            - 'C:\Windows\System32\WindowsPowerShell\'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives.
level: medium