Potential Enumeration via Active Directory Web Service

Identifies a process that loads Active Directory related .NET modules (System.DirectoryServices / System.IdentityModel) and, within a short window, opens an outbound TCP connection to the dedicated ADWS port (9389). Adversaries may abuse the ADWS Windows service, which allows Active Directory to be queried through this web service, to enumerate the domain — the referenced SOAPHound tool is one public implementation of this technique.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/01/31"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP
11port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Potential Enumeration via Active Directory Web Service"
18references = ["https://github.com/FalconForceTeam/SOAPHound"]
19risk_score = 47
20rule_id = "9c951837-7d13-4b0c-be7a-f346623c8795"
21severity = "medium"
22tags = [
23    "Domain: Endpoint",
24    "OS: Windows",
25    "Use Case: Threat Detection",
26    "Tactic: Discovery",
27    "Data Source: Elastic Defend",
28]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33sequence by process.entity_id with maxspan=3m
34 [library where host.os.type == "windows" and 
35  dll.name : ("System.DirectoryServices*.dll", "System.IdentityModel*.dll") and 
36  not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and 
37  not process.executable : 
38                ("?:\\windows\\system32\\dsac.exe", 
39                 "?:\\program files\\powershell\\?\\pwsh.exe", 
40                 "?:\\windows\\system32\\windowspowershell\\*.exe", 
41                 "?:\\windows\\syswow64\\windowspowershell\\*.exe", 
42                 "?:\\program files\\microsoft monitoring agent\\*.exe", 
43                 "?:\\windows\\adws\\microsoft.activedirectory.webservices.exe")]
44 [network where host.os.type == "windows" and destination.port == 9389 and source.port >= 49152 and
45  network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1018"
53name = "Remote System Discovery"
54reference = "https://attack.mitre.org/techniques/T1018/"
55
56
57[rule.threat.tactic]
58id = "TA0007"
59name = "Discovery"
60reference = "https://attack.mitre.org/tactics/TA0007/"
