Potential Enumeration via Active Directory Web Service
Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port. Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
[metadata]
creation_date = "2024/01/31"
# Events come from the Elastic Defend ("endpoint") integration; the `index` patterns under
# [rule] read its library and network streams.
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest stack version the rule is written for (presumably the reason recorded in
# `min_stack_comments` above).
min_stack_version = "8.3.0"
updated_date = "2024/04/08"

[rule]
author = ["Elastic"]
description = """
Identifies processes loading Active Directory related modules followed by a network connection to the ADWS dedicated TCP port.
Adversaries may abuse the ADWS Windows service that allows Active Directory to be queried via this web service.
"""
# Look-back window per run. Intentionally wider than the sequence `maxspan` (3m) below so
# both events of a pair can be found within a single execution.
from = "now-9m"
# The sequence needs both library-load and network events from Elastic Defend.
index = ["logs-endpoint.events.library-*", "logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Enumeration via Active Directory Web Service"
# Public ADWS-based collector cited as the reference for this behaviour.
references = ["https://github.com/FalconForceTeam/SOAPHound"]
risk_score = 47
rule_id = "9c951837-7d13-4b0c-be7a-f346623c8795"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
# Evaluate on ingest time rather than @timestamp, intended to keep late-arriving endpoint
# events inside the look-back window.
timestamp_override = "event.ingested"
type = "eql"

# Two events from the same process (`process.entity_id`) within 3 minutes:
#   1. a DLL load whose name matches System.DirectoryServices*.dll or System.IdentityModel*.dll,
#      where the process is not running as LOCAL SYSTEM / LOCAL SERVICE / NETWORK SERVICE
#      (S-1-5-18 / -19 / -20) and its executable is not one of the excluded paths (ADAC's
#      dsac.exe, pwsh.exe, the Windows PowerShell hosts, Microsoft Monitoring Agent, and the
#      ADWS service binary itself);
#   2. an outbound TCP connection to port 9389 (ADWS) whose destination is not loopback.
#
# Coverage caveats that follow directly from the filters:
#   - Nothing running under the three excluded service SIDs is ever alerted on, so a collector
#     executed as SYSTEM is out of scope for this rule.
#   - Because the PowerShell hosts are excluded, an ADWS client loaded inside a PowerShell
#     process is also out of scope; that path needs separate coverage.
#   - `source.port >= 49152` assumes the Windows default dynamic (ephemeral) port range
#     49152-65535. NOTE(review): hosts whose range was changed (netsh int ipv4 set dynamicport)
#     would fail the second event — confirm against the environment's configuration.
#   - Loopback destinations are dropped, so a client querying ADWS on the same host (e.g. a
#     tool run directly on a domain controller) is not covered.
query = '''
sequence by process.entity_id with maxspan=3m
 [library where host.os.type == "windows" and
 dll.name : ("System.DirectoryServices*.dll", "System.IdentityModel*.dll") and
 not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
 not process.executable :
 ("?:\\windows\\system32\\dsac.exe",
 "?:\\program files\\powershell\\?\\pwsh.exe",
 "?:\\windows\\system32\\windowspowershell\\*.exe",
 "?:\\windows\\syswow64\\windowspowershell\\*.exe",
 "?:\\program files\\microsoft monitoring agent\\*.exe",
 "?:\\windows\\adws\\microsoft.activedirectory.webservices.exe")]
 [network where host.os.type == "windows" and destination.port == 9389 and source.port >= 49152 and
 network.direction == "egress" and network.transport == "tcp" and not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

# Only Remote System Discovery is mapped. NOTE(review): the description says ADWS lets the
# directory as a whole be queried; if analysts pivot on technique tags, consider whether
# T1087 (Account Discovery) should also be listed.
[[rule.threat.technique]]
id = "T1018"
name = "Remote System Discovery"
reference = "https://attack.mitre.org/techniques/T1018/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
References
Related rules
- Account Discovery Command via SYSTEM Account
- AdFind Command Activity
- Enumerating Domain Trusts via DSQUERY.EXE
- Enumerating Domain Trusts via NLTEST.EXE
- Enumeration of Administrator Accounts