TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

The ADWS Architecture That Hides PowerShell AD Enumeration

2026-04-08

ATT&CK techniques detected

25 predictions
T1087.002 Domain Account
98%
"…LDAP layer — focus on what the DC actually logs, not what the PowerShell syntax looked like. The rest of this blog post is how I built detections that actually work. ADWS architecture: how PowerShell really talks to AD. The ADWS stack: Active Directory Web Services isn't some simple …"
T1087.002 Domain Account
98%
"…-based reconnaissance. Each part built on the last. Each detection technique filled a gap. And now we have comprehensive coverage of Active Directory reconnaissance — from Python tools hitting LDAP over the network, to native PowerShell commands using ADWS internally. There's …"
T1087.002 Domain Account
98%
"The ADWS Architecture That Hides PowerShell AD Enumeration. Introduction: the detection that wasn't there. I thought I had Active Directory reconnaissance covered. After four parts of this series, I had built detections for: - Part 1: OID transformation - how Impacket's LDAP…"
T1059.001 PowerShell
97%
"…names. Everything. The command was sitting right there in the PowerShell logs: Get-ADComputer -Filter {Enabled -eq $true} -Properties *. None of my detections fired. The attacker pulled 500+ computer objects with full properties and security descriptors, and walked away …"
T1087.002 Domain Account
96%
"…1644 in isolation. The [all_with_list] indicator: the attribute selection field showed: [all_with_list] name, objectClass, objectGUID, sAMAccountName, dNSHostName,... That [all_with_list] prefix is unique to PowerShell's -Properties * parameter. You should no…"
T1482 Domain Trust Discovery
93%
"…PowerShell client side (wakanda-wrkstn): Get-ADComputer -Filter {Enabled -eq $true} -Properties * # case obfuscation doesn't matter - PowerShell is case-insensitive. Domain controller - ADWS service (earth-dc): - receives encrypted SOAP/XML request on port 9389…"
T1482 Domain Trust Discovery
90%
"From the client workstation, I ran: PS C:\> Get-ADComputer -Filter * -Properties *. What the network saw: 1,113 packets of TLS-encrypted SOAP/XML on port 9389. No LDAP filter visible. No attributes visible. Network detection: blind. What Event 1644 saw: Log Name: Dire…"
T1069.002 Domain Groups
84%
"Case obfuscation: get-adcomputer instead of Get-ADComputer - goal: evade PowerShell command-line logging detections - target: EDR solutions looking for exact string matches - result: successfully evaded endpoint detection. Filter logic: {Enabled -eq $true} - goal: …"
T1087.002 Domain Account
73%
"…1138, 1139, 1166, 1167, and 1644 - understanding ADWS architecture - how PowerShell really talks to AD. This blog post is the result of that investigation. It's not theoretical; it's lessons learned from real detection failure, real log analysis, and real testing in my ma…"
T1654 Log Enumeration
69%
"…with remote ADWS connections (events 1138/1139) is the tell. Legitimate applications don't generate this pattern. Attackers enumerating with PowerShell do. The five-event correlation pattern: each event contributes a piece of the puzzle. The correlation key: all events s…"
T1087.002 Domain Account
67%
"Case obfuscation: get-adcomputer instead of Get-ADComputer - goal: evade PowerShell command-line logging detections - target: EDR solutions looking for exact string matches - result: successfully evaded endpoint detection. Filter logic: {Enabled -eq $true} - goal: …"
T1482 Domain Trust Discovery
61%
"…-based LDAP detection misses PowerShell enumeration entirely. The LDAP queries happen inside the domain controller - they never touch the network. The localhost problem: here's the critical architectural detail that makes ADWS detection possible: when ADWS queries Active Direc…"
T1482 Domain Trust Discovery
61%
"…1138, 1139, 1166, 1167, and 1644 - understanding ADWS architecture - how PowerShell really talks to AD. This blog post is the result of that investigation. It's not theoretical; it's lessons learned from real detection failure, real log analysis, and real testing in my ma…"
T1059.001 PowerShell
60%
"…: - bit 1 (0x1): OWNER_SECURITY_INFORMATION - bit 2 (0x2): GROUP_SECURITY_INFORMATION - bit 3 (0x4): DACL_SECURITY_INFORMATION. The attacker requested full security descriptors - who owns each computer object and who has permissions on them. This is classic pr…"
T1087.002 Domain Account
59%
"…PowerShell client side (wakanda-wrkstn): Get-ADComputer -Filter {Enabled -eq $true} -Properties * # case obfuscation doesn't matter - PowerShell is case-insensitive. Domain controller - ADWS service (earth-dc): - receives encrypted SOAP/XML request on port 9389…"
T1087.002 Domain Account
57%
"…-based LDAP detection misses PowerShell enumeration entirely. The LDAP queries happen inside the domain controller - they never touch the network. The localhost problem: here's the critical architectural detail that makes ADWS detection possible: when ADWS queries Active Direc…"
T1087.002 Domain Account
55%
"…PowerShell command-line logging, script block logging patterns, and string-matching security tools. But it was irrelevant. PowerShell is case-insensitive, and by the time the query reaches the domain controller, it's translated to standard LDAP: PowerShell: Get-ADComputer…"
T1059.001 PowerShell
51%
"…PowerShell command-line logging, script block logging patterns, and string-matching security tools. But it was irrelevant. PowerShell is case-insensitive, and by the time the query reaches the domain controller, it's translated to standard LDAP: PowerShell: Get-ADComputer…"
T1087.002 Domain Account
51%
"…1139 by operation ID = high-fidelity detection. - The [all_with_list] prefix only appears with -Properties *. It's a clear indicator of bulk enumeration, not a targeted admin query. - Network detection misses PowerShell completely: the Wireshark capture shows encrypte…"
T1557.001 Name Resolution Poisoning and SMB Relay
42%
"…built? Why detection failed: the ADWS blind spot. To fix my detection gap, I needed to understand exactly how PowerShell talks to Active Directory and why it's invisible to traditional LDAP detection. Here's what I learned the hard way: PowerShell doesn't use LDAP over the…"
T1087.002 Domain Account
40%
"From the client workstation, I ran: PS C:\> Get-ADComputer -Filter * -Properties *. What the network saw: 1,113 packets of TLS-encrypted SOAP/XML on port 9389. No LDAP filter visible. No attributes visible. Network detection: blind. What Event 1644 saw: Log Name: Dire…"
T1087.002 Domain Account
40%
"…127.0.0.1) on the domain controller. The original client IP is logged in ADWS-specific events (1138/1139), but the actual LDAP query (event 1644) shows localhost. This creates three detection problems: - network LDAP sensors are blind - the query never touches port 3…"
T1087.003 Email Account
39%
"…127.0.0.1) on the domain controller. The original client IP is logged in ADWS-specific events (1138/1139), but the actual LDAP query (event 1644) shows localhost. This creates three detection problems: - network LDAP sensors are blind - the query never touches port 3…"
T1087.002 Domain Account
38%
"…-ADComputer): 1138 start: marvel\loki, [::1]:57132, ldap_search. 1644 details: filter, attributes, 3 entries, 16ms. 1166 stats: per-object timing. 1167 indexes: idx_objectcategory:3:n. 1139 complete: status 0. All five events linked by operation ID. That's …"
T1087.002 Domain Account
33%
"…: - bit 1 (0x1): OWNER_SECURITY_INFORMATION - bit 2 (0x2): GROUP_SECURITY_INFORMATION - bit 3 (0x4): DACL_SECURITY_INFORMATION. The attacker requested full security descriptors - who owns each computer object and who has permissions on them. This is classic pr…"

Summary

A threat actor enumerated our entire AD with Get-ADComputer, and none of our detections fired. The problem wasn't their evasion - it was an architectural blind spot in how PowerShell talks to Active Directory.