ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-list to avoid false positives.

Techniques

Sample rules

Uncommon Connection to Active Directory Web Services

Description

Detects outbound network connections to TCP port 9389, the Active Directory Web Services (ADWS) port, from processes not typically associated with ADWS management. Expected clients such as the Active Directory Administrative Center (dsac.exe) and the Active Directory PowerShell module are allow-listed; note that the PowerShell allow-list covers any script running under those hosts, so ADWS enumeration done from PowerShell is not surfaced by this rule.

Detection logic

selection:
  DestinationPort: 9389
  Initiated: true
filter_main_dsac:
  Image: C:\Windows\system32\dsac.exe
filter_main_ms_monitoring_agent:
  Image|startswith: C:\Program Files\Microsoft Monitoring Agent\
filter_main_powershell:
  Image|startswith:
  - C:\Program Files\PowerShell\7\pwsh.exe
  - C:\Program Files\PowerShell\7-preview\pwsh.ex
  - C:\Windows\System32\WindowsPowerShell\
  - C:\Windows\SysWOW64\WindowsPowerShell\
condition: selection and not 1 of filter_main_*