Hunt for ADWS requests from unknown devices
Hunt ADWS Requests From Unknown Device
Query
let device_info = (
// Get device network info from last 7 days
DeviceNetworkInfo
| where Timestamp > ago(7d)
// Expand the IP Addresses of the devices
| mv-expand todynamic(IPAddresses)
| extend IPAddress = tostring(IPAddresses.IPAddress)
// Distinct IP address for each device
| distinct DeviceName, DeviceId, IPAddress
// Search for each device if it is onboarded or not
| join kind=inner (
DeviceInfo
| where Timestamp > ago(7d)
| distinct DeviceName, DeviceId, OnboardingStatus
// Get the first timestamp the device was seen
| join kind=inner (
DeviceInfo
| where Timestamp > ago(30d)
| summarize FirstSeen = arg_min(Timestamp, DeviceId) by DeviceId
) on DeviceId
| project-away DeviceId1, DeviceId2
) on DeviceId, DeviceName
| project-away DeviceName1, DeviceId1
);
// Get incomming traffic on ADWS port and save unique remote IP addresses
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where ActionType != "ListeningConnectionCreated"
| where InitiatingProcessFolderPath == @"c:\windows\adws\microsoft.activedirectory.webservices.exe"
| where LocalPort == "9389"
| summarize ConnectionTimes=make_list(Timestamp) by RemoteIP, DeviceName
// Get device information of remote IP addresses, results for IP we do not find information for are allowed
| join kind=leftouter device_info on $left.RemoteIP == $right.IPAddress
| project-away IPAddress
// Check if the remote IPs are onboarded devices or not
| where OnboardingStatus != "Onboarded"
// Make output better
| project DeviceName, ConnectionTimes, RemoteIP, RemoteDeviceName = DeviceName1, RemoteDeviceId = DeviceId, RemoteOnboardingStatus = OnboardingStatus, RemoteDeviceFirstSeen = FirstSeenAbout this query
Explanation
This query is designed to identify suspicious activity by detecting Active Directory Web Services (ADWS) requests coming from devices that are not recognized or managed within the network. Here's a simplified breakdown of what the query does:
-
Collect Device Information:
- It gathers network information from devices over the past 7 days, focusing on their IP addresses and onboarding status (whether they are managed by Microsoft Defender for Endpoint).
-
Identify ADWS Connections:
- It looks for incoming network traffic to domain controllers on the ADWS port (port 9389) over the past 30 days. This traffic is specifically from the ADWS process (
microsoft.activedirectory.webservices.exe).
- It looks for incoming network traffic to domain controllers on the ADWS port (port 9389) over the past 30 days. This traffic is specifically from the ADWS process (
-
Match IPs with Device Info:
- The query attempts to match the IP addresses from the ADWS connections with the collected device information to see if these IPs belong to known, managed devices.
-
Filter Unmanaged Devices:
- It filters out connections from devices that are not onboarded (i.e., not managed or recognized by the network's security tools).
-
Output Suspicious Connections:
- The final output lists the domain controllers receiving these connections, the times of the connections, and details about the remote devices (if available), highlighting those that are potentially suspicious because they are unmanaged.
In essence, this query helps security teams identify potential threats by flagging ADWS requests from unknown or unmanaged devices, which could indicate unauthorized attempts to access or enumerate Active Directory resources.
Details

Robbe Van den Daele
Released: March 6, 2025
Tables
DeviceNetworkInfoDeviceInfoDeviceNetworkEvents
Keywords
DeviceNetworkInfoEventsIPAddressesNameIdOnboardingStatusRemoteFirstSeenTimeGeneratedConnectionTimesActionTypeInitiatingProcessFolderPathLocalPort
Operators
let|where>agomv-expandtodynamicextendtostringdistinctjoinkind=innersummarizearg_minbyonproject-awaykind=leftouter==!=make_list=