IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Potential Enumeration via Active Directory Web Service
Identifies processes that load Active Directory-related modules and then open a network connection to the dedicated ADWS TCP port (9389). Adversaries may abuse the ADWS Windows service, which allows Active Directory to be queried through this web service, to enumerate the directory.
Rule type: eql
Rule indices:
- logs-endpoint.events.library-*
- logs-endpoint.events.network-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Discovery
- Data Source: Elastic Defend
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
sequence by process.entity_id with maxspan=3m
  [library where host.os.type == "windows" and
     dll.name : ("System.DirectoryServices*.dll", "System.IdentityModel*.dll") and
     not user.id in ("S-1-5-18", "S-1-5-19", "S-1-5-20") and
     not process.executable : ("?:\\windows\\system32\\dsac.exe",
                               "?:\\program files\\powershell\\?\\pwsh.exe",
                               "?:\\windows\\system32\\windowspowershell\\*.exe",
                               "?:\\windows\\syswow64\\windowspowershell\\*.exe",
                               "?:\\program files\\microsoft monitoring agent\\*.exe",
                               "?:\\windows\\adws\\microsoft.activedirectory.webservices.exe")]
  [network where host.os.type == "windows" and
     destination.port == 9389 and source.port >= 49152 and
     network.direction == "egress" and network.transport == "tcp" and
     not cidrmatch(destination.ip, "127.0.0.0/8", "::1/128")]
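As an added example (not Elastic's code), the following is a simplified Python re-implementation of the rule's logic, useful for checking offline how the executable and SID exclusions and the 3-minute "sequence by" join behave. Event dicts use the rule's ECS field names; the sample events, SIDs and paths are constructed.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
import ipaddress

# Constants taken from the rule query
MAXSPAN = timedelta(minutes=3)
SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
DLL_PATTERNS = ("System.DirectoryServices*.dll", "System.IdentityModel*.dll")
EXCLUDED_EXES = ("?:\\windows\\system32\\dsac.exe", "?:\\program files\\powershell\\?\\pwsh.exe",
                 "?:\\windows\\system32\\windowspowershell\\*.exe", "?:\\windows\\syswow64\\windowspowershell\\*.exe",
                 "?:\\program files\\microsoft monitoring agent\\*.exe",
                 "?:\\windows\\adws\\microsoft.activedirectory.webservices.exe")
LOOPBACK = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))

def glob(value, patterns):
    # EQL ':' is a case-insensitive wildcard match; '?' and '*' behave as in fnmatch
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def is_ad_library_load(ev):  # first event of the sequence
    return (ev["host.os.type"] == "windows" and glob(ev["dll.name"], DLL_PATTERNS)
            and ev["user.id"] not in SYSTEM_SIDS and not glob(ev["process.executable"], EXCLUDED_EXES))

def is_adws_connection(ev):  # second event of the sequence
    dst = ipaddress.ip_address(ev["destination.ip"])
    return (ev["host.os.type"] == "windows" and ev["destination.port"] == 9389
            and ev["source.port"] >= 49152 and ev["network.direction"] == "egress"
            and ev["network.transport"] == "tcp" and not any(dst in n for n in LOOPBACK))

def correlate(events):
    """process.entity_id values whose AD module load is followed within MAXSPAN by an ADWS connection."""
    pending, hits = {}, []  # entity_id -> timestamp of its last qualifying library load
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        pid = ev["process.entity_id"]
        if ev["event.category"] == "library" and is_ad_library_load(ev):
            pending[pid] = ev["@timestamp"]
        elif ev["event.category"] == "network" and is_adws_connection(ev):
            start = pending.pop(pid, None)
            if start is not None and ev["@timestamp"] - start <= MAXSPAN:
                hits.append(pid)
    return hits

# Constructed sample events (not real telemetry): p1 should alert, p2 is an allow-listed pwsh.exe
T0 = datetime(2024, 1, 1, 12, 0)
def lib(pid, exe, t):
    return {"@timestamp": t, "event.category": "library", "process.entity_id": pid, "host.os.type": "windows",
            "dll.name": "System.DirectoryServices.dll", "user.id": "S-1-5-21-1-2-3-1001", "process.executable": exe}
def net(pid, t, ip="10.0.0.5"):
    return {"@timestamp": t, "event.category": "network", "process.entity_id": pid, "host.os.type": "windows",
            "destination.ip": ip, "destination.port": 9389, "source.port": 51234,
            "network.direction": "egress", "network.transport": "tcp"}
SAMPLE_EVENTS = [lib("p1", "C:\\Users\\bob\\adtool.exe", T0), net("p1", T0 + timedelta(seconds=40)),
                 lib("p2", "C:\\Program Files\\PowerShell\\7\\pwsh.exe", T0), net("p2", T0 + timedelta(seconds=5))]
```

Running `correlate(SAMPLE_EVENTS)` returns only `["p1"]`; a load followed by a connection more than three minutes later, or a connection to a loopback address, does not alert.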
Framework: MITRE ATT&CK™
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: Remote System Discovery
- ID: T1018
- Reference URL: https://attack.mitre.org/techniques/T1018/