Techniques
Sample rules
Network Traffic to Active Directory Web Services Protocol
- source: splunk
- techniques:
  - T1087.002
  - T1069.001
  - T1482
  - T1087.001
  - T1087
  - T1069.002
  - T1069
Description
The following analytic identifies network traffic to the Active Directory Web Services (ADWS) protocol, which listens on TCP port 9389 and is used to manage Active Directory. The search is intended to be tuned and filtered for the specific environment; once tuned, it helps defenders identify suspicious processes accessing port 9389.
Detection logic
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `network_traffic_to_active_directory_web_services_protocol_filter`
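To make the stages of the search concrete, the following is an added Python re-implementation of the same logic run over a handful of constructed flow records; it is not Splunk's code and is not part of the rule above. It mirrors the tstats stage (restrict to dest_port 9389, group by src_ip/dest_ip/app/user/dest_port, compute count, firstTime and lastTime) and stands in for the `network_traffic_to_active_directory_web_services_protocol_filter` macro with an allowlist of approved source IPs and accounts, which is the tuning the description calls for. All IP addresses, user names and timestamps are constructed sample values.

```python
"""Added example (not Splunk's own code): a Python equivalent of the ADWS
detection search, run over constructed Network_Traffic-style records."""

from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow records carrying only the data-model fields the search uses.
# Times are ISO-8601 UTC strings, as a flow exporter might emit them.
SAMPLE_FLOWS = [
    {"_time": "2024-05-01T08:00:00Z", "src_ip": "10.0.5.20", "dest_ip": "10.0.0.10", "dest_port": 9389, "app": "adws", "user": "jdoe"},
    {"_time": "2024-05-01T08:00:07Z", "src_ip": "10.0.5.20", "dest_ip": "10.0.0.10", "dest_port": 9389, "app": "adws", "user": "jdoe"},
    {"_time": "2024-05-01T08:05:00Z", "src_ip": "10.0.9.77", "dest_ip": "10.0.0.10", "dest_port": 9389, "app": "adws", "user": "svc_backup"},
    {"_time": "2024-05-01T08:06:00Z", "src_ip": "10.0.5.20", "dest_ip": "10.0.0.10", "dest_port": 443,  "app": "ssl",  "user": "jdoe"},
    {"_time": "2024-05-01T09:10:00Z", "src_ip": "10.0.1.5",  "dest_ip": "10.0.0.11", "dest_port": 9389, "app": "adws", "user": "admin_ops"},
]

ADWS_PORT = 9389
# The tstats "by" clause, minus the All_Traffic. prefix that drop_dm_object_name removes.
GROUP_BY = ("src_ip", "dest_ip", "app", "user", "dest_port")


def parse_time(ts):
    """Parse the constructed ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def aggregate_adws_traffic(flows, port=ADWS_PORT):
    """Equivalent of the tstats stage: filter dest_port == port, then per group
    compute count, min(_time) as firstTime and max(_time) as lastTime."""
    groups = defaultdict(list)
    for flow in flows:
        if flow["dest_port"] != port:
            continue
        key = tuple(flow[field] for field in GROUP_BY)
        groups[key].append(parse_time(flow["_time"]))

    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = len(times)
        # security_content_ctime renders these epoch values human-readably in Splunk;
        # here the aware datetimes are simply formatted as ISO-8601.
        row["firstTime"] = min(times).isoformat()
        row["lastTime"] = max(times).isoformat()
        rows.append(row)
    return sorted(rows, key=lambda r: (r["src_ip"], r["dest_ip"], r["user"]))


def apply_filter(rows, allowed_src_ips=frozenset(), allowed_users=frozenset()):
    """Stand-in for the *_filter macro: drop rows from approved admin hosts or
    service accounts so that only unexpected ADWS clients remain."""
    return [r for r in rows
            if r["src_ip"] not in allowed_src_ips and r["user"] not in allowed_users]


def detect(flows, allowed_src_ips=frozenset(), allowed_users=frozenset()):
    """Full pipeline: aggregate, then apply the environment-specific filter."""
    return apply_filter(aggregate_adws_traffic(flows), allowed_src_ips, allowed_users)


if __name__ == "__main__":
    # Treat 10.0.1.5 as a known administrative jump host (constructed value).
    for row in detect(SAMPLE_FLOWS, allowed_src_ips={"10.0.1.5"}):
        print(row)
```

With the approved jump host filtered out, two groups remain: the workstation 10.0.5.20 with two connections as `jdoe`, and 10.0.9.77 connecting as `svc_backup`; the port-443 flow never enters the aggregation. The allowlist is the place to encode the environment's expected ADWS clients, which is the same role the filter macro plays in the Splunk search.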