Uncommon Connection to Active Directory Web Services

Severity: medium
Author: @kostastsale
Source: upstream

Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1087` Account Discovery

Event coverage

Provider	Event ID	Title
Sysmon	3	Network connection

Stages and Predicates

Stage 1: `selection`

DestinationPort: 9389
Initiated: true

Stage 2: `not 1 of filter_main_*`

or:
Image: 'C:\Program Files\Microsoft Monitoring Agent\'
Image: 'C:\Windows\system32\dsac.exe'
Image|startswith: 'C:\Program Files\PowerShell\7-preview\pwsh.ex'
Image|startswith: 'C:\Program Files\PowerShell\7\pwsh.exe'
Image|startswith: 'C:\Windows\SysWOW64\WindowsPowerShell\'
Image|startswith: 'C:\Windows\System32\WindowsPowerShell\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`DestinationPort`	eq	`9389` corpus 2 (sigma 1, splunk 1)
`Image`	eq	`C:\Program Files\Microsoft Monitoring Agent\` `C:\Windows\system32\dsac.exe`
`Image`	starts_with	`C:\Program Files\PowerShell\7-preview\pwsh.ex` `C:\Program Files\PowerShell\7\pwsh.exe` `C:\Windows\SysWOW64\WindowsPowerShell\` `C:\Windows\System32\WindowsPowerShell\`
`Initiated`	eq	`true` corpus 40 (sigma 40)