SOC Prime Bias: Medium

04 Jul 2026 07:02 UTC

ADWS and the Hidden Path to Active Directory Enumeration

Author Photo
SOC Prime Team linkedin icon Follow
ADWS and the Hidden Path to Active Directory Enumeration
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

The article describes a stealthy method for Active Directory enumeration through the Active Directory Web Services (ADWS) protocol over TCP port 9389. By relying on ADWS instead of standard LDAP on ports 389 or 636, attackers can avoid many common network detections and EDR alerts. This approach abuses legitimate administrative protocols and tooling to disguise reconnaissance activity.

Investigation

The investigation examines the technical layers behind ADWS, including .NET Message Framing, NegotiateStream, and NBFSE binary SOAP encoding. It explains how these components improve operational security by obscuring network traffic and making the source of queries harder to identify. The author also introduces a proof-of-concept tool named ADWSHound to demonstrate and validate the technique.

Mitigation

Recommended mitigations include monitoring traffic over TCP port 9389, enabling Directory Service diagnostic logging with Event 1644, and applying access auditing through SACLs on sensitive directory objects. Organizations should also consider deploying canary objects to detect unauthorized enumeration. Correlating Directory Service events by Operation ID can further help reconstruct suspicious enumeration activity.

Response

If this behavior is detected, responders should investigate the origin of the connection to port 9389 and identify any process that lacks a legitimate reason to communicate over ADWS. The account used for the directory queries should then be correlated with active sessions across the environment to locate the compromised system. Event 4662 should also be reviewed for signs of unauthorized access to protected objects.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: An adversary has gained initial access to a workstation and is attempting to enumerate domain users to facilitate lateral movement. To avoid detection by basic signature-based tools, the attacker decides to use the official Microsoft PowerShell Active Directory module. They execute Get-ADUser to pull a list of all users in the domain. This action forces the Active Directory Web Services (ADWS) to process the LDAP query, which, due to diagnostic logging being enabled, generates a Windows Event 1644 containing the string “Get-ADUser”, thereby triggering our detection rule.

  • Regression Test Script:

      # Ensure the Active Directory module is available
      if (!(Get-Module -ListAvailable ActiveDirectory)) {
          Write-Error "This script requires the RSAT Active Directory module."
          return
      }
    
      Write-Host "[+] Starting Simulation: LDAP Enumeration via Get-ADUser" -ForegroundColor Cyan
    
      # Trigger the detection by querying a single user using the Get-AD* pattern
      # This is expected to generate Event ID 1644 in the Directory Service log
      try {
          Get-ADUser -Filter * -ResultSetSize 1 | Out-Null
          Write-Host "[+] Simulation command executed successfully." -ForegroundColor Green
          Write-Host "[+] Check Directory Service logs for Event ID 1644 containing 'Get-AD*'" -ForegroundColor Yellow
      }
      catch {
          Write-Host "[-] Error executing command: $($_.Exception.Message)" -ForegroundColor Red
      }
  • Cleanup Commands:

      # No permanent changes were made to the AD database.
      # If registry diagnostic levels were increased manually, revert them:
      # Set-ItemProperty -Path "HKLM:SystemCurrentControlSetServicesNTDSDiagnostics" -Name "16 LDAP Interface Contained" -Value 0
      Write-Host "[+] Cleanup complete. No state changes to revert." -ForegroundColor Cyan