Listen to this Post
Adversary tools used to enumerate Active Directory over ADWS (Active Directory Web Services) instead of using LDAP are becoming more popular, as they often evade detection by most monitoring tools. Detecting ADWS requests from unexpected binaries on the source device is possible, but if an unknown device connects to ADWS, these detections may fail. Instead of flagging all ADWS traffic, you can flag ADWS requests to your domain controllers coming from devices that are not Microsoft Defender for Endpoint (MDE) onboarded.
You Should Know:
Here are some practical commands and queries to help you detect and respond to ADWS requests from unknown devices:
1. KQL Query for ADWS Requests:
DeviceEvents | where ActionType == "NetworkConnectionInspected" | where RemoteUrl has "adws" | where DeviceId !in ((DeviceInfo | where OnboardingStatus == "Onboarded" | project DeviceId)) | project Timestamp, DeviceName, RemoteUrl, InitiatingProcessFileName
2. PowerShell Command to Check MDE Onboarding Status:
Get-MpComputerStatus | Select-Object -Property AMRunning, AntivirusEnabled, AntivirusSignatureLastUpdated
3. Linux Command to Monitor Network Connections:
sudo netstat -tuln | grep 9389
(Port 9389 is commonly used for ADWS.)
- Windows Command to List Active Directory Web Services:
sc query adws
5. Audit Active Directory Logs for Suspicious Activity:
Get-WinEvent -LogName "Security" | Where-Object { $<em>.Id -eq 4662 -and $</em>.Properties[8].Value -like "<em>adws</em>" }
6. Check for Unknown Devices in ADWS Logs:
Get-WinEvent -LogName "Directory Service" | Where-Object { $<em>.Id -eq 1644 -and $</em>.Message -like "<em>adws</em>" }
7. Block Unknown Devices via Firewall:
New-NetFirewallRule -DisplayName "Block ADWS from Unknown Devices" -Direction Inbound -Action Block -Protocol TCP -LocalPort 9389 -RemoteAddress 0.0.0.0/0
What Undercode Say:
Monitoring and securing ADWS traffic is critical in modern Active Directory environments. By leveraging KQL queries, PowerShell commands, and network monitoring tools, you can detect and block unauthorized ADWS requests. Regularly audit your domain controllers and ensure all devices are onboarded to MDE for comprehensive protection. For further reference, check the GitHub repository for advanced detection rules and queries. Stay vigilant and proactive in securing your Active Directory infrastructure.
References:
Reported By: Robbe Van – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅



