Uncommon Connection to Active Directory Web Services

Detects outbound network connections to Active Directory Web Services (ADWS, TCP port 9389) from processes not typically associated with ADWS management, such as the Active Directory Administrative Center or PowerShell with the ActiveDirectory module. ADWS exposes the same directory data as LDAP over a SOAP interface, so collectors such as SOAPHound can enumerate the domain without generating the LDAP traffic most monitoring focuses on.

Sigma rule

title: Uncommon Connection to Active Directory Web Services
id: b3ad3c0f-c949-47a1-a30e-b0491ccae876
status: experimental
description: |
    Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
references:
    - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
    - https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
author: '@kostastsale'
date: 2024-01-26
tags:
    - attack.discovery
    - attack.t1087
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # Outbound connection to the ADWS listener (TCP 9389) on a domain controller
        Initiated: true
        DestinationPort: 9389
    filter_main_dsac:
        # Active Directory Administrative Center, the primary legitimate ADWS client
        Image: 'C:\Windows\system32\dsac.exe'
    filter_main_ms_monitoring_agent:
        # A directory prefix needs the startswith modifier; a bare 'Image:' is an
        # exact match and would never fire for a value ending in '\'
        Image|startswith: 'C:\Program Files\Microsoft Monitoring Agent\'
    filter_main_powershell:
        Image|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Windows\System32\WindowsPowerShell\'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives.
level: medium
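The rule's condition `selection and not 1 of filter_main_*` is easy to misread when it comes to the allow-list filters: a bare `Image:` is an exact, case-insensitive match, while `Image|startswith` is a prefix match, and the trailing backslash on the directory prefixes is what stops a look-alike sibling directory from being excluded. The Python below re-implements that logic and runs it over constructed Sysmon Event ID 3 style records. It is an added example for this page, not SigmaHQ code and not the rule author's code; the events, the `SOAPHound.exe` and `ps.exe` paths and the `alerting_images` helper are all assumptions made for illustration.

```python
"""Run the detection logic of the Sigma rule above over constructed
Sysmon Event ID 3 (network connection) records.

Added example for this page; not SigmaHQ code and not the rule author's code.
The events below are constructed, not captured telemetry. Field names follow
the Sysmon schema that Sigma's windows/network_connection log source maps to:
Image, Initiated, DestinationPort.
"""

ADWS_PORT = 9389

# filter_main_dsac: a bare 'Image:' in Sigma is an exact, case-insensitive match.
EXACT_ALLOW = {"c:\\windows\\system32\\dsac.exe"}

# filter_main_ms_monitoring_agent and filter_main_powershell: 'Image|startswith'
# prefixes, also case-insensitive. Stored lower-cased for comparison.
PREFIX_ALLOW = (
    "c:\\program files\\microsoft monitoring agent\\",
    "c:\\program files\\powershell\\7\\pwsh.exe",
    "c:\\program files\\powershell\\7-preview\\pwsh.exe",
    "c:\\windows\\system32\\windowspowershell\\",
    "c:\\windows\\syswow64\\windowspowershell\\",
)


def is_allowlisted(image: str) -> bool:
    """True if the process image is covered by any filter_main_* block."""
    img = image.lower()
    return img in EXACT_ALLOW or img.startswith(PREFIX_ALLOW)


def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and not 1 of filter_main_*' for one event.

    Sysmon writes Initiated as the string 'true'/'false' and DestinationPort
    as a decimal string; a SIEM may already have typed them. Both shapes are
    accepted so the same logic runs on raw and normalised records.
    """
    initiated = str(event.get("Initiated", "")).lower() == "true"
    try:
        port = int(event.get("DestinationPort", -1))
    except (TypeError, ValueError):
        return False
    if not (initiated and port == ADWS_PORT):
        return False  # selection not met
    return not is_allowlisted(event.get("Image", ""))


def alerting_images(events) -> list:
    """Return the Image of every event the rule would alert on, in order."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Collector run from a user profile: the SOAPHound pattern the rule targets
    {"Image": "C:\\Users\\jdoe\\Downloads\\SOAPHound.exe",
     "Initiated": "true", "DestinationPort": "9389"},
    # Legitimate ADAC session, covered by the exact-match filter
    {"Image": "C:\\Windows\\system32\\dsac.exe",
     "Initiated": "true", "DestinationPort": "9389"},
    # Same binary with different casing: Sigma string matching is case-insensitive
    {"Image": "c:\\WINDOWS\\System32\\DSAC.EXE",
     "Initiated": True, "DestinationPort": 9389},
    # Windows PowerShell (ActiveDirectory module uses ADWS), prefix filter
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Initiated": "true", "DestinationPort": "9389"},
    # Binary under the Monitoring Agent directory; only a prefix filter covers it
    {"Image": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\HealthService.exe",
     "Initiated": "true", "DestinationPort": "9389"},
    # Inbound side of the connection on the domain controller: Initiated is false
    {"Image": "C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe",
     "Initiated": "false", "DestinationPort": "9389"},
    # LDAP, not ADWS: out of scope for this rule
    {"Image": "C:\\Users\\jdoe\\Downloads\\ldapsearch.exe",
     "Initiated": "true", "DestinationPort": "389"},
    # Sibling directory: the trailing '\' in the prefix keeps this from being excluded
    {"Image": "C:\\Windows\\System32\\WindowsPowerShellFake\\ps.exe",
     "Initiated": "true", "DestinationPort": "9389"},
]


if __name__ == "__main__":
    for image in alerting_images(SAMPLE_EVENTS):
        print("ALERT:", image)
```

Only the first and last sample events produce alerts; the other six are dropped either by the selection (inbound connection, non-ADWS port) or by one of the filters. When tuning the rule for a real environment, add legitimate ADWS clients as further `filter_main_*` blocks and keep directory exclusions as `|startswith` prefixes ending in a backslash rather than bare `Image:` values.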
