{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/active-directory-web-service/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory Web Service"],"_cs_severities":["medium"],"_cs_tags":["active-directory","enumeration","adws","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) over a network, providing a web-based interface for directory services. Adversaries may exploit ADWS to enumerate network resources and user accounts, gaining insights into the environment. This attack involves loading Active Directory-related modules and establishing network connections to the ADWS dedicated TCP port 9389. The goal is to gather information about the domain, user accounts, and permissions, which can be used for lateral movement, privilege escalation, and data exfiltration. 
Detection focuses on identifying suspicious processes loading \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e or \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e and then connecting to the ADWS port.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a reconnaissance tool or script (e.g., PowerShell) on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe reconnaissance tool loads Active Directory-related modules such as \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e and \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe reconnaissance tool attempts to establish a network connection to the ADWS service on TCP port 9389, the dedicated port for ADWS.\u003c/li\u003e\n\u003cli\u003eThe tool queries ADWS to retrieve information about domain users (T1087.002), groups (T1069.002), systems (T1018), and permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify privileged accounts and potential targets for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered information to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain detailed knowledge of the Active Directory environment. This information can be used to identify high-value targets, compromise privileged accounts, move laterally within the network, and ultimately achieve their objectives, which could include data theft, ransomware deployment, or disruption of services. 
The impact can range from data breaches to complete compromise of the Active Directory domain, depending on the attacker\u0026rsquo;s goals and the level of access they achieve.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADWS Enumeration via Suspicious Library Loading\u0026rdquo; to detect processes loading AD-related DLLs (e.g., \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e, \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADWS Enumeration via Network Connection\u0026rdquo; to monitor for network connections to destination port 9389 from unusual processes.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate administrative tools or scripts that load Active Directory-related modules and connect to the ADWS port as described in the \u0026ldquo;False positive analysis\u0026rdquo; section of the original rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit access to the ADWS port (9389) to only trusted systems and users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T00:00:00Z","date_published":"2024-01-31T00:00:00Z","id":"/briefs/2024-01-adws-enumeration/","summary":"Adversaries may abuse the Active Directory Web Service (ADWS) to enumerate network resources and user accounts, by loading AD-related modules followed by a network connection to the ADWS dedicated TCP port.","title":"Potential Enumeration via Active Directory Web Service","url":"https://feed.craftedsignal.io/briefs/2024-01-adws-enumeration/"}],"language":"en","title":"CraftedSignal Threat Feed — Active Directory Web Service","version":"https://jsonfeed.org/version/1.1"}