Potential Enumeration via Active Directory Web Service

Identifies processes loading Active Directory-related modules followed by a network connection to the dedicated ADWS TCP port. Adversaries may abuse the ADWS Windows service, which allows Active Directory to be queried via this web service.


 1[metadata]
 2creation_date = "2024/01/31"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/01/31"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. 
13Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Potential Enumeration via Active Directory Web Service"
20references = ["https://github.com/FalconForceTeam/SOAPHound"]
21risk_score = 47
22rule_id = "9c951837-7d13-4b0c-be7a-f346623c8795"
23severity = "medium"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29sequence by process.entity_id with maxspan=3m
30 [library where host.os.type == "windows" and 
31  dll.name : ("System.DirectoryServices*.dll", "System.IdentityModel*.dll") and 
32  not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and 
33  not process.executable : 
34                ("?:\\windows\\system32\\dsac.exe", 
35                 "?:\\program files\\powershell\\?\\pwsh.exe", 
36                 "?:\\windows\\system32\\windowspowershell\\*.exe", 
37                 "?:\\windows\\syswow64\\windowspowershell\\*.exe", 
38                 "?:\\program files\\microsoft monitoring agent\\*.exe", 
39                 "?:\\windows\\adws\\microsoft.activedirectory.webservices.exe")]
40 [network where host.os.type == "windows" and destination.port == 9389 and source.port >= 49152 and
41  network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
42'''
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46
47[[rule.threat.technique]]
48id = "T1018"
49name = "Remote System Discovery"
50reference = "https://attack.mitre.org/techniques/T1018/"
51
52[rule.threat.tactic]
53id = "TA0007"
54name = "Discovery"
55reference = "https://attack.mitre.org/tactics/TA0007/"
