Uncommon Connection to Active Directory Web Services
Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
Sigma rule
```yaml
title: Uncommon Connection to Active Directory Web Services
id: b3ad3c0f-c949-47a1-a30e-b0491ccae876
status: experimental
description: |
    Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
references:
    - https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
    - https://github.com/FalconForceTeam/FalconFriday/blob/master/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
author: '@kostastsale'
date: 2024-01-26
tags:
    - attack.discovery
    - attack.t1087
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        # Outbound connection to the ADWS TCP port
        Initiated: true
        DestinationPort: 9389
    filter_main_dsac:
        # Active Directory Administrative Center, the expected ADWS client
        Image: 'C:\Windows\system32\dsac.exe'
    filter_main_ms_monitoring_agent:
        # Directory prefix, so a prefix match is required rather than an exact match
        Image|startswith: 'C:\Program Files\Microsoft Monitoring Agent\'
    filter_main_powershell:
        Image|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
            - 'C:\Windows\System32\WindowsPowerShell\'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-list to avoid false positives.
level: medium
```
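As an added example (not part of the rule or the SigmaHQ project), the following Python mirrors the rule's condition over a handful of constructed network_connection events, applying Sigma's case-insensitive exact and startswith matching for the filter_main_* allow-list. The Sysmon-style field names and the sample process paths are assumptions.

```python
"""Evaluate the ADWS rule's detection logic over constructed network_connection events."""

ADWS_PORT = 9389  # DestinationPort from the rule's selection

# Allow-list taken from the rule's filter_main_* blocks. Sigma string matching is
# case-insensitive, so all comparisons are done on lower-cased paths.
EXACT_IMAGE_FILTERS = ["C:\\Windows\\system32\\dsac.exe"]
PREFIX_IMAGE_FILTERS = [
    "C:\\Program Files\\Microsoft Monitoring Agent\\",
    "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    "C:\\Program Files\\PowerShell\\7-preview\\pwsh.exe",
    "C:\\Windows\\System32\\WindowsPowerShell\\",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\",
]

def is_allow_listed(image: str) -> bool:
    """True if the process image matches one of the filter_main_* selections."""
    img = image.lower()
    if any(img == f.lower() for f in EXACT_IMAGE_FILTERS):
        return True
    return any(img.startswith(f.lower()) for f in PREFIX_IMAGE_FILTERS)

def matches_rule(event: dict) -> bool:
    """Condition 'selection and not 1 of filter_main_*' for one event."""
    initiated = str(event.get("Initiated", "")).lower() == "true"
    if not (initiated and int(event.get("DestinationPort", 0)) == ADWS_PORT):
        return False  # not an outbound connection to ADWS at all
    return not is_allow_listed(event.get("Image", ""))

# Constructed sample events with Sysmon Event ID 3 style field names, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\system32\\dsac.exe", "Initiated": "true", "DestinationPort": 9389},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Initiated": "true", "DestinationPort": 9389},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\adquery.exe", "Initiated": "true", "DestinationPort": 9389},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\adquery.exe", "Initiated": "false", "DestinationPort": 9389},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\adquery.exe", "Initiated": "true", "DestinationPort": 389},
]

def alerts(events) -> list:
    """Return the Image of every event the rule fires on."""
    return [e["Image"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("Uncommon ADWS connection from:", image)
```

Only the unknown binary making an outbound connection to port 9389 is reported; the inbound event and the LDAP-port event fall outside the selection, and the dsac.exe and PowerShell events are removed by the filters.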
Related rules
- HackTool - SOAPHound Execution
- Hacktool Ruler
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock