Potential Enumeration via Active Directory Web Service
Identifies processes loading Active Directory-related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service, which allows Active Directory to be queried via this web service.
[metadata]
creation_date = "2024/01/31"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP
port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
"""
# Look-back window per rule execution; with timestamp_override = "event.ingested"
# below, the window is measured against ingest time rather than event time.
from = "now-9m"
# The sequence below joins two Elastic Defend event streams: DLL/library loads
# and network connections.
index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Enumeration via Active Directory Web Service"
# SOAPHound is an ADWS-based AD collector; it is cited as the motivating example.
references = ["https://github.com/FalconForceTeam/SOAPHound"]
risk_score = 47
rule_id = "9c951837-7d13-4b0c-be7a-f346623c8795"
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
 "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic: two events from the same process (process.entity_id) within 3 minutes.
#   1. library: the process loads a System.DirectoryServices* or System.IdentityModel*
#      assembly. Built-in service accounts are excluded by SID (S-1-5-18 SYSTEM,
#      S-1-5-19 LOCAL SERVICE, S-1-5-20 NETWORK SERVICE), as are known legitimate
#      ADWS clients: dsac.exe, PowerShell hosts, Microsoft Monitoring Agent and the
#      ADWS service binary itself.
#   2. network: the same process opens an egress TCP connection to port 9389 (the
#      ADWS port) from an ephemeral source port (>= 49152); loopback destinations
#      are excluded, presumably to ignore a host querying its own ADWS instance.
# Coverage note: because PowerShell executables are excluded in step 1, ADWS queries
# issued from a PowerShell host are not covered by this rule and need a separate
# detection if that is a concern. The dll.name patterns are wildcard matches, so
# versioned assembly file names are included.
query = '''
sequence by process.entity_id with maxspan=3m
 [library where host.os.type == "windows" and
 dll.name : ("System.DirectoryServices*.dll", "System.IdentityModel*.dll") and
 not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
 not process.executable :
 ("?:\\windows\\system32\\dsac.exe",
 "?:\\program files\\powershell\\?\\pwsh.exe",
 "?:\\windows\\system32\\windowspowershell\\*.exe",
 "?:\\windows\\syswow64\\windowspowershell\\*.exe",
 "?:\\program files\\microsoft monitoring agent\\*.exe",
 "?:\\windows\\adws\\microsoft.activedirectory.webservices.exe")]
 [network where host.os.type == "windows" and destination.port == 9389 and source.port >= 49152 and
 network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
'''


# MITRE ATT&CK mapping: ADWS enumeration is classified as Discovery / Remote System Discovery.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"