
Uncommon Connection to Active Directory Web Services

Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.

Author: kostastsale
Log Source
Product: Windows (raw: windows)
Category: Network Connection (raw: network_connection)

Events for outbound and inbound network connections including DNS resolution.

Detection Logic (4 selectors)
detection:
    selection:
        Initiated: true
        DestinationPort: 9389
    filter_main_dsac:
        Image: 'C:\Windows\system32\dsac.exe'
    filter_main_ms_monitoring_agent:
        Image|startswith: 'C:\Program Files\Microsoft Monitoring Agent\'
    filter_main_powershell:
        Image|startswith:
            - 'C:\Program Files\PowerShell\7\pwsh.exe'
            - 'C:\Program Files\PowerShell\7-preview\pwsh.ex'
            - 'C:\Windows\System32\WindowsPowerShell\'
            - 'C:\Windows\SysWOW64\WindowsPowerShell\'
    condition: selection and not 1 of filter_main_*
False Positives

ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-list (the filter_main_* selectors) to avoid false positives.
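The rule's condition (`selection and not 1 of filter_main_*`) and the allow-list tuning the false-positive note recommends, as an added Python example that is not code from the Sigma rule or the SigmaHQ project. The Sysmon Event ID 3 records, the `extra_prefixes` hook and the Contoso path are constructed assumptions; the filter values are the rule's own.

```python
"""Plain-Python evaluation of the ADWS rule's selection and filter logic.

Added example, not code from the Sigma rule or the SigmaHQ project. The events
below are constructed Sysmon Event ID 3 (network connection) records; the
extra_prefixes hook and the Contoso path are hypothetical.
"""
from typing import Iterable

ADWS_PORT = 9389  # TCP port served by Active Directory Web Services

# filter_main_dsac: an exact match on the Image path
DSAC_IMAGE = "C:\\Windows\\system32\\dsac.exe"

# filter_main_ms_monitoring_agent and filter_main_powershell: Image|startswith
BUILTIN_PREFIXES = (
    "C:\\Program Files\\Microsoft Monitoring Agent\\",
    "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    "C:\\Program Files\\PowerShell\\7-preview\\pwsh.ex",
    "C:\\Windows\\System32\\WindowsPowerShell\\",
    "C:\\Windows\\SysWOW64\\WindowsPowerShell\\",
)


def is_selected(event: dict) -> bool:
    """The rule's `selection`: a locally initiated connection to port 9389.

    Sysmon writes Initiated as the string "true"/"false", so both the string
    and a Python bool are accepted."""
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return initiated and int(event.get("DestinationPort", 0)) == ADWS_PORT


def is_filtered(event: dict, extra_prefixes: Iterable[str] = ()) -> bool:
    """`1 of filter_main_*`: True when any allow-list entry matches Image.

    Sigma string comparison is case-insensitive, so both sides are lower-cased;
    the rule's "system32" spelling therefore also covers "System32"."""
    image = str(event.get("Image", "")).lower()
    if image == DSAC_IMAGE.lower():
        return True
    prefixes = BUILTIN_PREFIXES + tuple(extra_prefixes)
    return any(image.startswith(prefix.lower()) for prefix in prefixes)


def matches_rule(event: dict, extra_prefixes: Iterable[str] = ()) -> bool:
    """`condition: selection and not 1 of filter_main_*`."""
    return is_selected(event) and not is_filtered(event, extra_prefixes)


def evaluate(events: Iterable[dict], extra_prefixes: Iterable[str] = ()) -> list:
    """Return the Image of every event that fires the rule, in input order."""
    extra = tuple(extra_prefixes)  # materialise once so generators are safe
    return [e["Image"] for e in events if matches_rule(e, extra)]


# Constructed Sysmon Event ID 3 records (not real telemetry).
SAMPLE_EVENTS = [
    # Unusual binary from a user profile reaching ADWS: fires.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "Initiated": "true", "DestinationPort": "9389"},
    # AD Administrative Center host: filter_main_dsac (note the differing
    # capitalisation; the match is case-insensitive).
    {"Image": "C:\\Windows\\System32\\dsac.exe",
     "Initiated": "true", "DestinationPort": "9389"},
    # PowerShell 7 using the ActiveDirectory module: filter_main_powershell.
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "Initiated": "true", "DestinationPort": "9389"},
    # Monitoring agent component: filter_main_ms_monitoring_agent.
    {"Image": "C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\HealthService.exe",
     "Initiated": "true", "DestinationPort": "9389"},
    # The ADWS service accepting the connection on the DC: not Initiated,
    # so outside `selection` even though the port matches.
    {"Image": "C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe",
     "Initiated": "false", "DestinationPort": "9389"},
    # Plain LDAP from the same unusual binary: wrong port, outside `selection`.
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "Initiated": "true", "DestinationPort": "389"},
    # Hypothetical line-of-business AD tool: fires until it is allow-listed.
    {"Image": "C:\\Program Files\\Contoso\\ADSync.exe",
     "Initiated": "true", "DestinationPort": "9389"},
]


if __name__ == "__main__":
    for image in evaluate(SAMPLE_EVENTS):
        print("ALERT:", image)
    # After tuning as the false-positive note suggests, only the first remains.
    for image in evaluate(SAMPLE_EVENTS, ["C:\\Program Files\\Contoso\\"]):
        print("ALERT (tuned):", image)
```

Passing an environment-specific prefix through `extra_prefixes` mirrors adding another `filter_main_*` selector to the rule: the vetted application stops alerting while the unexpected binary still does. Keeping the comparison case-insensitive matters because Sysmon records the on-disk casing of the image path, which need not match the rule's literal.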

Rule Metadata
Rule ID
b3ad3c0f-c949-47a1-a30e-b0491ccae876
Status
test
Level
medium
Type
Detection
Created
Fri Jan 26
Path
rules/windows/network_connection/net_connection_win_adws_unusual_connection.yml
Raw Tags
attack.discovery, attack.t1087