spl | Apache-2.0 | from splunk/security_content

Network Traffic to Active Directory Web Services Protocol

The following analytic identifies network traffic directed to the Active Directory Web Services Protocol (ADWS) on port 9389. It leverages network traffic logs, focusing on source and destination IP addresses, application names, and destination ports. This activity is significant as ADWS is used to manage Active Directory, and unauthorized access could indicate malicious intent. If confirmed malicious, an attacker could manipulate Active Directory, potentially leading to privilege escalation, unauthorized access, or persistent control over the environment.

Quality: 67
Rule source: detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic
  WHERE All_Traffic.dest_port=9389
  BY All_Traffic.action All_Traffic.app All_Traffic.dest
     All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.direction
     All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
     All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
     All_Traffic.transport All_Traffic.user All_Traffic.vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `network_traffic_to_active_directory_web_services_protocol_filter`