Evading EDR: How ADWS-Based Enumeration Flies Under CrowdStrike’s Radar + Video

Introduction

During a recent penetration test, CrowdStrike Falcon raised an alert when the popular enumeration tool `ldapdomaindump` generated a high volume of LDAP queries—a behavior often flagged as suspicious. However, tools leveraging Active Directory Web Services (ADWS) for similar tasks remained undetected, highlighting a critical gap in EDR coverage. This revelation led to the creation of adwsdomaindump, a fork of `ldapdomaindump` that replaces LDAP with ADWS to perform stealthy Active Directory reconnaissance. In this article, we explore how attackers can exploit this blind spot, provide a step-by-step guide to using adwsdomaindump, and discuss what defenders can do to close the gap.

Learning Objectives

  • Understand why LDAP-based enumeration triggers EDR alerts while ADWS-based activity often goes unnoticed.
  • Learn how ADWS works and how it can be abused for stealthy Active Directory enumeration.
  • Gain practical experience installing and using `adwsdomaindump` for penetration testing and red team operations.

1. Understanding LDAP Enumeration and EDR Detection

Active Directory (AD) enumeration is a fundamental step in post-exploitation and penetration testing. Tools like `ldapdomaindump` rapidly query the domain controller using the Lightweight Directory Access Protocol (LDAP) to extract users, groups, computers, and policies. However, these tools generate a high volume of LDAP queries in a short time, a behavior that modern EDR solutions like CrowdStrike Falcon are tuned to detect as anomalous.

Why LDAP triggers alerts:

  • LDAP queries are typically bursty and follow specific patterns.
  • Automated tools often send numerous requests per second, resembling brute-force or reconnaissance activity.
  • EDR rules look for unusual query rates, specific LDAP filters, or access to sensitive attributes.

To see this in action, a typical `ldapdomaindump` command might look like:

ldapdomaindump -u "DOMAIN\user" -p "password" 10.10.10.10

This tool performs multiple LDAP searches, which can be easily logged and correlated by an EDR.

2. Introducing ADWS: An Alternative Protocol for AD Queries

Active Directory Web Services (ADWS) is a Windows service that provides a SOAP-based web service interface for managing Active Directory. It is used by Microsoft management tools, including the Active Directory Administrative Center and PowerShell modules. By default, ADWS listens on TCP port 9389 and accepts requests from authenticated users.

Why ADWS is less monitored:

  • ADWS traffic is often considered legitimate administrative activity.
  • Many EDR solutions lack deep inspection of ADWS traffic or rely on default rules that do not flag typical ADWS usage.
  • The `Microsoft.ActiveDirectory.Management.dll` (used by PowerShell) leverages ADWS, making ADWS-based queries appear as normal administrative behavior.

Attackers can abuse this by crafting queries that mimic legitimate ADWS traffic, thereby evading detection.

3. Setting Up adwsdomaindump: A Step-by-Step Guide

The `adwsdomaindump` tool, created by Mathijs Verschuuren, is a fork of `ldapdomaindump` that replaces LDAP with ADWS. It performs the same enumeration but through a different protocol, drastically reducing the chance of triggering EDR alerts.

Installation:

1. Clone the repository from GitHub:

git clone https://github.com/mathijsve/adwsdomaindump.git

(Note: The exact URL may vary; check the link provided in the original post.)

2. Install dependencies:

cd adwsdomaindump
pip install -r requirements.txt

3. Ensure you have Python 3.6+ and the necessary libraries (requests, requests_ntlm, etc.).

Basic usage:

python adwsdomaindump.py -u "DOMAIN\user" -p "password" --dc-ip 10.10.10.10

The tool will connect to the ADWS endpoint (typically port 9389) and enumerate domain objects, outputting files similar to `ldapdomaindump` (e.g., domain_users.html, domain_groups.html, etc.).

4. Using adwsdomaindump for Stealthy Enumeration

Once installed, `adwsdomaindump` can be used just like its predecessor, but with a lower detection footprint.

Command options:

– `-u` : Username (DOMAIN\user)
– `-p` : Password
– `--dc-ip` : IP address of the domain controller
– `--secure` : Use HTTPS for ADWS (if supported)
– `--output` : Output directory for results

Example:

python adwsdomaindump.py -u "CORP\jdoe" -p "P@ssw0rd" --dc-ip 192.168.1.10 --output ./enum_results

The tool will generate HTML and JSON files containing detailed information about the domain. Because it uses ADWS, the traffic appears as standard Windows management activity, blending in with normal operations.

Verification:

You can monitor network traffic with Wireshark to see the SOAP requests to port 9389, confirming that no raw LDAP queries are sent.

5. Comparing Detection Footprints: LDAP vs ADWS

To understand why ADWS-based enumeration is stealthier, let’s compare the two approaches:

| Aspect | LDAP (ldapdomaindump) | ADWS (adwsdomaindump) |
|---|---|---|
| Protocol | LDAP (TCP 389, 636) | SOAP/HTTP (TCP 9389, 9388 for HTTPS) |
| Traffic pattern | High-rate, raw binary queries | XML-based, similar to PowerShell remoting |
| Typical detection | EDR rules flagging high query rates, specific OIDs | Often allowed as legitimate admin traffic |
| Logging | Detailed in Windows event logs (Event ID 4662) | Logged in ADWS logs (less commonly monitored) |
| Tool example | ldapdomaindump, BloodHound collectors | adwsdomaindump, custom PowerShell scripts |

Key takeaway: ADWS traffic is less scrutinized because it is used by native Microsoft tools. However, this does not mean it is invisible—defenders can still detect anomalies if they monitor ADWS logs or correlate unusual access patterns.

6. Advanced Evasion Techniques and Considerations

Beyond simply using ADWS, attackers can further reduce their footprint:

  • Throttling queries: Add delays between requests to mimic human interaction.
  • Using legitimate credentials: The tool requires valid domain credentials; using compromised but low-privilege accounts may trigger fewer alerts.
  • Encrypting traffic: Use HTTPS for ADWS (if the DC supports it) to avoid plaintext inspection.
  • Combining with other protocols: Alternate between LDAP, ADWS, and PowerShell to spread reconnaissance across multiple channels.

Example of throttling with a custom script:

import random
import time

# Inside adwsdomaindump, add a sleep between queries
time.sleep(random.uniform(1, 3))

This simple addition can make the enumeration appear more human-like and evade rate-based detection.

7. Mitigations for Defenders

To detect ADWS-based enumeration, defenders must broaden their monitoring scope:

  • Enable ADWS logging: Configure logging for ADWS events (Event ID 513 in the ADWS log).
  • Monitor for unusual ADWS queries: Look for patterns like high-frequency requests, enumeration of sensitive attributes (e.g., userPassword, unicodePwd), or queries from unexpected IPs.
  • Baseline normal ADWS traffic: Use machine learning to establish what typical ADWS traffic looks like in your environment.
  • Harden ADWS access: Restrict ADWS access to only necessary hosts and enforce strong authentication.
  • Combine with other telemetry: Correlate ADWS logs with authentication events, process creation, and network flows.

Example PowerShell command to query ADWS logs:

Get-WinEvent -LogName "Microsoft-Windows-ActiveDirectoryWebServices/Debug" | Where-Object { $_.Message -like "*enumerate*" }

This can help identify potential reconnaissance activities.
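As an added example (not code from the original post or from adwsdomaindump), the following Python script applies the rate, source-host and sensitive-attribute checks from the list above to constructed log records; the CSV-like record format, the allow-list address and the thresholds are assumptions. It also shows why a burst-only threshold misses the throttled enumeration described in section 6, while a longer-window volume count still catches it.

```python
# Added example: a small ADWS enumeration detector run over constructed records.
# Record format 'ts,src_ip,dst_port,attrs' is an assumption standing in for parsed ADWS log or flow data.
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_ATTRS = {"unicodepwd", "userpassword"}   # named as sensitive in the article
ADMIN_HOSTS = {"10.0.0.5"}                          # assumed allow-list of management hosts
BURST_LIMIT, BURST_WINDOW = 50, timedelta(seconds=60)
SUSTAINED_LIMIT, SUSTAINED_WINDOW = 200, timedelta(minutes=10)

def parse(line):
    """Parse one constructed record into a dict; attrs are ';'-separated."""
    ts, src, port, attrs = line.split(",", 3)
    return {"ts": datetime.fromisoformat(ts), "src": src, "port": int(port),
            "attrs": {a.strip().lower() for a in attrs.split(";") if a.strip()}}

def detect(lines):
    """Return a set of (src_ip, reason) alerts for ADWS (TCP 9389) activity."""
    by_src = defaultdict(list)
    alerts = set()
    for rec in map(parse, lines):
        if rec["port"] != 9389:          # only ADWS traffic is in scope here
            continue
        if rec["src"] not in ADMIN_HOSTS:
            alerts.add((rec["src"], "adws_from_unexpected_host"))
        if rec["attrs"] & SENSITIVE_ATTRS:
            alerts.add((rec["src"], "sensitive_attribute_request"))
        by_src[rec["src"]].append(rec["ts"])
    for src, stamps in by_src.items():
        stamps.sort()
        for limit, window, reason in ((BURST_LIMIT, BURST_WINDOW, "burst_rate"),
                                      (SUSTAINED_LIMIT, SUSTAINED_WINDOW, "sustained_volume")):
            lo = 0                       # sliding window over sorted timestamps
            for hi, t in enumerate(stamps):
                while t - stamps[lo] > window:
                    lo += 1
                if hi - lo + 1 > limit:
                    alerts.add((src, reason))
                    break
    return alerts

def sample_logs():
    """Constructed sample: one fast burst, one throttled run (2s apart), one admin host."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    fast = [f"{(base + timedelta(seconds=i * 0.5)).isoformat()},10.10.10.50,9389,sAMAccountName" for i in range(60)]
    slow = [f"{(base + timedelta(seconds=i * 2)).isoformat()},10.10.10.60,9389,memberOf" for i in range(250)]
    admin = [f"{(base + timedelta(seconds=i * 30)).isoformat()},10.0.0.5,9389,displayName" for i in range(5)]
    return fast + slow + admin
```

Running `detect(sample_logs())` flags the 0.5-second burst on the 60-second rule only, and the 2-second throttled run on the 10-minute volume rule only; the allow-listed host produces nothing.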

What Undercode Say:

The emergence of `adwsdomaindump` underscores a fundamental truth in cybersecurity: detection rules often lag behind attacker innovation. By simply switching protocols, attackers can bypass EDR solutions that focus heavily on LDAP traffic. This highlights the need for defenders to adopt a multi-layered monitoring approach that includes all administrative channels, not just the most obvious ones. Moreover, it emphasizes the importance of understanding native Windows protocols and how they can be abused. Organizations should treat ADWS as a high-value monitoring target and implement baselining to detect anomalies. Finally, the cat-and-mouse game continues—expect EDR vendors to soon update their rules to cover ADWS-based enumeration, leading to another round of evasion tactics.

Prediction:

In the coming months, we will see a surge in detection rules targeting ADWS activity, as well as the development of new evasion techniques that blend ADWS queries with legitimate administrative traffic. Additionally, Microsoft may introduce enhanced logging or telemetry for ADWS to aid defenders. Red teams will increasingly adopt hybrid enumeration strategies, rotating between protocols to stay under the radar. Ultimately, this arms race will drive innovation on both sides, making Active Directory security more dynamic and challenging.

Reported By: Mathijs Verschuuren – Hackers Feeds