Potential Enumeration via Active Directory Web Service

Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2024/01/31"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP
port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Enumeration via Active Directory Web Service"
references = ["https://github.com/FalconForceTeam/SOAPHound"]
risk_score = 47
rule_id = "9c951837-7d13-4b0c-be7a-f346623c8795"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by process.entity_id with maxspan=3m
 [library where host.os.type == "windows" and
  dll.name : ("System.DirectoryServices*.dll", "System.IdentityModel*.dll") and
  not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
  not process.executable :
                ("?:\\windows\\system32\\dsac.exe",
                 "?:\\program files\\powershell\\?\\pwsh.exe",
                 "?:\\windows\\system32\\windowspowershell\\*.exe",
                 "?:\\windows\\syswow64\\windowspowershell\\*.exe",
                 "?:\\program files\\microsoft monitoring agent\\*.exe",
                 "?:\\windows\\adws\\microsoft.activedirectory.webservices.exe")]
 [network where host.os.type == "windows" and destination.port == 9389 and source.port >= 49152 and
  network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Enumeration via Active Directory Web Service

Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) over a network, providing a web-based interface for directory services. Adversaries may exploit ADWS to enumerate network resources and user accounts, gaining insights into the environment. The detection rule identifies suspicious activity by monitoring processes that load AD-related modules and establish network connections to the ADWS port, indicating potential unauthorized enumeration attempts.

### Possible investigation steps

- Review the process entity ID to identify the specific process that triggered the alert and gather details such as the process name, executable path, and user context.
- Examine the user ID associated with the process to determine if it belongs to a legitimate user or service account, and verify if the user has a history of accessing Active Directory resources.
- Investigate the network connection details, focusing on the destination IP address and port 9389, to identify the target server and assess if it is a legitimate Active Directory Web Service endpoint.
- Check for any recent changes or unusual activity on the host machine, such as new software installations or configuration changes, that could explain the loading of Active Directory-related modules.
- Correlate the alert with other security events or logs from the same timeframe to identify any patterns or additional suspicious activities that might indicate a broader attack or reconnaissance effort.

### False positive analysis

- Legitimate administrative tools or scripts may load Active Directory-related modules and connect to the ADWS port. To handle this, create exceptions for known administrative processes that regularly perform these actions.
- Scheduled tasks or automated scripts running under service accounts might trigger the rule. Identify these tasks and exclude their associated user IDs or process paths from the detection rule.
- Security or monitoring software that queries Active Directory for legitimate purposes can cause false positives. Review and whitelist these applications by adding their executable paths to the exclusion list.
- Development or testing environments where developers frequently interact with Active Directory services may generate alerts. Consider excluding specific user IDs or process paths associated with these environments to reduce noise.
- Ensure that any exceptions or exclusions are regularly reviewed and updated to reflect changes in the environment or administrative practices.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate any suspicious processes identified in the alert that are loading Active Directory-related modules and making network connections to the ADWS port.
- Conduct a thorough review of the affected system's user accounts and permissions to identify any unauthorized changes or access.
- Reset credentials for any accounts that were potentially compromised or used in the suspicious activity.
- Implement network segmentation to limit access to the ADWS port (9389) to only trusted systems and users.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Update and enhance monitoring rules to detect similar enumeration attempts in the future, focusing on unusual process behavior and network connections to critical services."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
```
...
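To make the two-stage sequence concrete, the following Python replays the rule's logic over a handful of constructed endpoint events: stage 1 (a non-service user loading an AD .NET assembly from a binary outside the rule's allow-list) followed within the 3-minute maxspan by stage 2 (egress TCP to 9389 from an ephemeral port, not to loopback). This is an added example, not Elastic's code; the event dictionaries, the `lib`/`net` helpers, the process entity IDs and the sample paths are assumptions built for illustration, while the SIDs, DLL patterns, allow-listed paths and CIDRs are taken from the query above.

```python
import fnmatch
import ipaddress
from datetime import datetime, timedelta

SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # from the rule: SYSTEM, LOCAL SERVICE, NETWORK SERVICE
DLL_PATTERNS = ("System.DirectoryServices*.dll", "System.IdentityModel*.dll")
EXE_ALLOWLIST = ("?:\\windows\\system32\\dsac.exe", "?:\\program files\\powershell\\?\\pwsh.exe",
                 "?:\\windows\\system32\\windowspowershell\\*.exe", "?:\\windows\\syswow64\\windowspowershell\\*.exe",
                 "?:\\program files\\microsoft monitoring agent\\*.exe", "?:\\windows\\adws\\microsoft.activedirectory.webservices.exe")
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))

def wildcard(value, patterns):  # EQL ':' operator: case-insensitive, '*' and '?' are wildcards
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def library_matches(ev):  # stage 1: non-service user loads an AD .NET assembly from a non-allow-listed binary
    return (ev["event.category"] == "library" and ev["host.os.type"] == "windows"
            and wildcard(ev["dll.name"], DLL_PATTERNS) and ev["user.id"] not in SERVICE_SIDS
            and not wildcard(ev["process.executable"], EXE_ALLOWLIST))

def network_matches(ev):  # stage 2: egress TCP to 9389 from an ephemeral port, not to loopback (cidrmatch)
    return (ev["event.category"] == "network" and ev["host.os.type"] == "windows"
            and ev["destination.port"] == 9389 and ev["source.port"] >= 49152
            and ev["network.direction"] == "egress" and ev["network.transport"] == "tcp"
            and not any(ipaddress.ip_address(ev["destination.ip"]) in n for n in LOOPBACK))

def find_sequences(events, maxspan=timedelta(minutes=3)):  # 'sequence by process.entity_id with maxspan=3m'
    pending, hits = {}, []  # entity_id -> time of the qualifying library load still waiting for stage 2
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        ts, eid = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00")), ev["process.entity_id"]
        if library_matches(ev):
            pending[eid] = ts
        elif network_matches(ev) and eid in pending and ts - pending[eid] <= maxspan:
            hits.append(eid)
            del pending[eid]  # one alert per completed sequence
    return hits

def lib(eid, ts, exe, user="S-1-5-21-1-2-3-1001", dll="System.DirectoryServices.Protocols.dll"):
    return {"@timestamp": ts, "event.category": "library", "host.os.type": "windows",
            "process.entity_id": eid, "user.id": user, "process.executable": exe, "dll.name": dll}

def net(eid, ts, dst="10.0.0.5"):
    return {"@timestamp": ts, "event.category": "network", "host.os.type": "windows",
            "process.entity_id": eid, "destination.port": 9389, "source.port": 51234,
            "network.direction": "egress", "network.transport": "tcp", "destination.ip": dst}

# Constructed sample telemetry (not real data); only p1 satisfies every clause of the rule.
SAMPLE = [lib("p1", "2025-01-15T10:00:00Z", "C:\\Users\\alice\\tool.exe"), net("p1", "2025-01-15T10:01:30Z"),
          lib("p2", "2025-01-15T10:00:00Z", "C:\\Program Files\\PowerShell\\7\\pwsh.exe"),  # allow-listed binary
          net("p2", "2025-01-15T10:00:10Z"),
          lib("p3", "2025-01-15T10:00:00Z", "C:\\Users\\eve\\tool.exe"), net("p3", "2025-01-15T10:04:00Z")]  # > 3m
```

Running `find_sequences(SAMPLE)` yields only `["p1"]`: p2 is dropped by the executable allow-list and p3 by the maxspan, which is exactly where tuning (adding paths or user IDs to the exclusions) changes what the rule fires on.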