ADWS and the Hidden Path to Active Directory Enumeration
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The article describes a stealthy method for Active Directory enumeration through the Active Directory Web Services (ADWS) protocol over TCP port 9389. By relying on ADWS instead of standard LDAP on ports 389 or 636, attackers can avoid many common network detections and EDR alerts. This approach abuses legitimate administrative protocols and tooling to disguise reconnaissance activity.
Investigation
The investigation examines the technical layers behind ADWS, including .NET Message Framing, NegotiateStream, and NBFSE binary SOAP encoding. It explains how these components improve operational security by obscuring network traffic and making the source of queries harder to identify. The author also introduces a proof-of-concept tool named ADWSHound to demonstrate and validate the technique.
Mitigation
Recommended mitigations include monitoring traffic over TCP port 9389, enabling Directory Service diagnostic logging with Event 1644, and applying access auditing through SACLs on sensitive directory objects. Organizations should also consider deploying canary objects to detect unauthorized enumeration. Correlating Directory Service events by Operation ID can further help reconstruct suspicious enumeration activity.
Response
If this behavior is detected, responders should investigate the origin of the connection to port 9389 and identify any process that lacks a legitimate reason to communicate over ADWS. The account used for the directory queries should then be correlated with active sessions across the environment to locate the compromised system. Event 4662 should also be reviewed for signs of unauthorized access to protected objects.
Attack Flow
Detections
Possible Active Directory Web Services (ADWS) Abuse for Account / Group / System Discovery (via network_connection)
View
Detect LDAP Queries via ADWS with PowerShell AD Module [Microsoft Windows Security Event Log]
View
ADWS Enumeration Detection via Network Indicators [Windows Sysmon]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: An adversary has gained initial access to a workstation and is attempting to enumerate domain users to facilitate lateral movement. To avoid detection by basic signature-based tools, the attacker decides to use the official Microsoft PowerShell Active Directory module. They execute
Get-ADUserto pull a list of all users in the domain. This action forces the Active Directory Web Services (ADWS) to process the LDAP query, which, due to diagnostic logging being enabled, generates a Windows Event 1644 containing the string “Get-ADUser”, thereby triggering our detection rule. -
Regression Test Script:
# Ensure the Active Directory module is available if (!(Get-Module -ListAvailable ActiveDirectory)) { Write-Error "This script requires the RSAT Active Directory module." return } Write-Host "[+] Starting Simulation: LDAP Enumeration via Get-ADUser" -ForegroundColor Cyan # Trigger the detection by querying a single user using the Get-AD* pattern # This is expected to generate Event ID 1644 in the Directory Service log try { Get-ADUser -Filter * -ResultSetSize 1 | Out-Null Write-Host "[+] Simulation command executed successfully." -ForegroundColor Green Write-Host "[+] Check Directory Service logs for Event ID 1644 containing 'Get-AD*'" -ForegroundColor Yellow } catch { Write-Host "[-] Error executing command: $($_.Exception.Message)" -ForegroundColor Red } -
Cleanup Commands:
# No permanent changes were made to the AD database. # If registry diagnostic levels were increased manually, revert them: # Set-ItemProperty -Path "HKLM:SystemCurrentControlSetServicesNTDSDiagnostics" -Name "16 LDAP Interface Contained" -Value 0 Write-Host "[+] Cleanup complete. No state changes to revert." -ForegroundColor Cyan