false positives should be limited as the destination port is specific to active directory web services protocol, however we recommend utilizing this analytic to hunt for non-standard processes querying the adws port. filter by app or dest_ip to ad servers and remove known proceses querying adws.

t1069
t1069.001
t1069.002
t1087
t1087.001
t1087.002
t1482
network
splunk

Techniques

T1069
T1069.001
T1069.002
T1087
T1087.001
T1087.002
T1482

Sample rules

Network Traffic to Active Directory Web Services Protocol

source: splunk
technicques:
- T1087.002
- T1069.001
- T1482
- T1087.001
- T1087
- T1069.002
- T1069

Description

The following analytic identifies network traffic to Active Directory Web Services Protocol. This protocol is used to manage Active Directory. The analytic is meant to be tuned and filtered to the specific environment. It will assist defenders in identifying suspicious processes accessing port 9389.

Detection logic


| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=9389 by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.user, All_Traffic.dest_port 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name("All_Traffic")` 
| `network_traffic_to_active_directory_web_services_protocol_filter`