PowerShell AD Enumeration via ADWS Bypasses LDAP-Based Detection Controls
PowerShell ActiveDirectory module cmdlets (e.g., Get-ADComputer, Get-ADUser) communicate with Domain Controllers over TCP port 9389 via Active Directory Web Services (ADWS) rather than raw LDAP (ports 389/636), creating a blind spot in detection systems that monitor only LDAP traffic. Threat actors can perform comprehensive AD enumeration without triggering standard LDAP-based alerts. Closing this gap requires enabling PowerShell Script Block Logging, adding SIEM/EDR detections for port 9389 activity, and restricting ADWS access to authorised management hosts.
Indicators
- Full AD enumeration completed with no LDAP-based alerts firing
- PowerShell AD module cmdlets (Get-ADComputer, Get-ADUser, Get-ADGroup) executed on a host
- Network connections observed to TCP port 9389 (ADWS) on a Domain Controller
- No corresponding LDAP traffic (port 389 or 636) detected during known enumeration activity
- Unexpected or anomalous PowerShell activity originating from non-admin workstations
- Event ID 4104 (Script Block Logging) entries referencing ActiveDirectory module cmdlets with no correlated LDAP security events
- PowerShell module load events for the ActiveDirectory module appearing outside approved admin systems
Likely causes
- PowerShell ActiveDirectory module communicates exclusively via ADWS (TCP port 9389) rather than raw LDAP, bypassing LDAP-focused detection
- Detection tooling exclusively monitors LDAP ports (389/636) with no coverage of ADWS traffic on port 9389
- ADWS wraps LDAP queries internally on the Domain Controller, making client-side traffic appear non-LDAP to monitoring tools
- PowerShell Script Block Logging and Module Logging not enabled, leaving no audit trail of cmdlet execution
- Absence of network-level monitoring or firewall rules for TCP port 9389 on Domain Controllers
- No SIEM correlation rules linking PowerShell AD cmdlet usage to host identity and user context
Diagnostic steps
- Review PowerShell Script Block Logs for ActiveDirectory cmdlet usage: open Event Viewer > Applications and Services Logs > Microsoft > Windows > PowerShell > Operational and filter for Event ID 4104. Search message text for 'Get-ADComputer', 'Get-ADUser', 'Get-ADGroup', or 'Import-Module ActiveDirectory'.
- Inspect network connections to Domain Controllers on TCP port 9389 (ADWS). Run `netstat -ano | findstr :9389` on the DC or use EDR/network flow telemetry to identify source hosts making ADWS connections.
- Correlate Windows Security Event ID 4624 (successful logon) timestamps on Domain Controllers with PowerShell activity timestamps to identify the account performing enumeration.
- Verify whether PowerShell Module Logging (Event ID 4103) and Script Block Logging (Event ID 4104) are enabled via Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell. Enable both if absent.
- Audit Domain Controller firewall logs or network flow data for unusual connection volumes to port 9389, particularly from non-admin workstations, non-server hosts, or hosts outside approved management subnets.
- Confirm the ADWS service is running on Domain Controllers: `Get-Service -Name adws`. Cross-reference expected legitimate management hosts that should use this service against observed source IPs.
- Search EDR or SIEM for process creation events where powershell.exe or pwsh.exe loads the ActiveDirectory module. Correlate source host, user account, and timing to identify anomalous enumeration patterns.
- Run a controlled detection validation test: execute `Get-ADComputer -Filter *` from a test host and confirm whether SIEM/EDR alerts fire for ADWS traffic and PowerShell cmdlet execution. Document any gaps in coverage.
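The diagnostic steps above combined into one script, as an added example that is not part of the original page: run on a Domain Controller, it lists established ADWS sessions from hosts outside an approved list, then reads Event ID 4104 from each unapproved client (4104 is written on the host running PowerShell, not on the DC). `$ApprovedAdwsClients` and the AD cmdlet regex are assumptions; remote event-log read access to the clients is required.

```powershell
# Added example (not from the original page): correlate TCP 9389 sessions on
# a Domain Controller with Script Block Logging (4104) on the source hosts.
# $ApprovedAdwsClients is a constructed placeholder for PAW / jump-host IPs.
$ApprovedAdwsClients = @('10.0.10.5', '10.0.10.6', '127.0.0.1', '::1')
$LookbackHours       = 24
$AdCmdletPattern     = 'Get-AD(Computer|User|Group|Object|Principal)|Import-Module\s+ActiveDirectory'

function Get-Snippet([string]$Text, [int]$Max = 120) {
    # Collapse whitespace so a multi-line script block fits on one report line.
    $flat = $Text -replace '\s+', ' '
    if ($flat.Length -gt $Max) { $flat.Substring(0, $Max) + '...' } else { $flat }
}

# 1. Network evidence: which remote hosts currently hold ADWS sessions on this DC?
$adwsSources = Get-NetTCPConnection -LocalPort 9389 -State Established -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty RemoteAddress -Unique
$unapproved = @($adwsSources | Where-Object { $_ -notin $ApprovedAdwsClients })

foreach ($ip in $unapproved) {
    # Reverse-resolve so the event-log query can target the client by name.
    $clientName = try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { $ip }
    Write-Warning "Unapproved ADWS client: $ip ($clientName)"

    # 2. Host evidence: 4104 script blocks on that client that reference AD cmdlets.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    try {
        Get-WinEvent -ComputerName $clientName -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -match $AdCmdletPattern } |
            Select-Object TimeCreated,
                @{ n = 'Host';   e = { $clientName } },
                @{ n = 'User';   e = { $_.UserId } },
                @{ n = 'Script'; e = { Get-Snippet $_.Message } } |
            Format-Table -AutoSize
    } catch {
        # "No events were found" here usually means Script Block Logging is off on that host,
        # which is itself a finding (see Likely causes).
        Write-Warning "Could not read 4104 events from $clientName : $($_.Exception.Message)"
    }
}
if ($unapproved.Count -eq 0) { 'No unapproved ADWS sessions currently established.' }
```

A host that appears in step 1 but yields nothing in step 2 is the blind spot this page describes: enumeration happened over ADWS and no PowerShell audit trail exists for it.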
Resolution path
- Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103) via Group Policy across all endpoints: Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell
- Add SIEM detection rules alerting on connections to TCP port 9389 on Domain Controllers originating from hosts outside the approved management host list
- Create EDR/SIEM alerts for PowerShell ActiveDirectory module cmdlet execution (Get-ADComputer, Get-ADUser, Get-ADGroup) on non-admin or non-jump-host systems
- Correlate ADWS network connections with user identity, source host, and timing context in SIEM to surface anomalous enumeration patterns
- Restrict access to TCP port 9389 on Domain Controllers via Windows Firewall or network ACLs to authorised management hosts and jump servers only
- Integrate ADWS-aware detections alongside existing LDAP monitoring to eliminate the blind spot — neither control alone is sufficient
- Validate detection coverage by running controlled AD enumeration tests using PowerShell AD cmdlets from an approved test host and confirming alerts fire correctly across both LDAP and ADWS channels
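The logging and firewall items of the resolution path applied to a single Domain Controller, as an added example that is not part of the original page. Enterprise rollout belongs in Group Policy; the registry paths below are the ones the corresponding GPO settings write, and `$ApprovedAdwsClients` is a placeholder for your PAW and jump-host addresses.

```powershell
# Added example (not from the original page): local hardening of one DC for the
# two gaps above. $ApprovedAdwsClients is a constructed placeholder.
$ApprovedAdwsClients = @('10.0.10.5', '10.0.10.6')

function Enable-PowerShellAuditLogging {
    # Script Block Logging -> Event ID 4104; Module Logging -> Event ID 4103.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    # '*' records pipeline events for every module, ActiveDirectory included.
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String
}

function Set-AdwsInboundScope([string[]]$AllowedRemoteAddress) {
    # Disable any enabled inbound rule that opens TCP 9389 to all sources (the
    # default ADWS rule on a DC), then allow only the listed management hosts.
    # Effective only while the Domain profile's inbound default action is Block.
    $openRules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq 9389 } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    foreach ($rule in $openRules) {
        Write-Verbose "Disabling $($rule.DisplayName)"
        Disable-NetFirewallRule -Name $rule.Name
    }
    New-NetFirewallRule -DisplayName 'ADWS (TCP-In) - approved management hosts only' `
        -Direction Inbound -Protocol TCP -LocalPort 9389 -Profile Domain `
        -RemoteAddress $AllowedRemoteAddress -Action Allow | Out-Null
}

Enable-PowerShellAuditLogging
Set-AdwsInboundScope -AllowedRemoteAddress $ApprovedAdwsClients

# Verify: ADWS still running, and the new rule scoped to the approved addresses.
Get-Service -Name adws | Select-Object Status, Name
Get-NetFirewallRule -DisplayName 'ADWS (TCP-In) - approved management hosts only' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Follow this with the controlled validation test from the diagnostic steps: `Get-ADComputer -Filter *` from an approved host should succeed and alert, while the same command from an unapproved host should fail to connect and still appear in its 4104 log.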
Prevention
- Enforce PowerShell Script Block Logging and Module Logging enterprise-wide via Group Policy; confirm deployment with a compliance report
- Implement network segmentation and firewall rules restricting TCP port 9389 (ADWS) to authorised Privileged Access Workstations (PAWs) and jump hosts only
- Deploy Just Enough Administration (JEA) to limit which accounts and hosts can execute AD PowerShell cmdlets
- Monitor for and alert on ActiveDirectory PowerShell module loads (Import-Module ActiveDirectory) originating from non-standard or non-privileged hosts
- Include TCP port 9389 in Domain Controller network baseline monitoring and anomaly detection alongside LDAP port coverage
- Regularly audit and test detection coverage against both LDAP-based and ADWS-based enumeration techniques as part of purple team or detection validation exercises
- Apply Privileged Access Workstation (PAW) controls to restrict AD management tooling to designated, hardened systems with full logging enabled
Tools
- PowerShell Script Block Logging (Event ID 4104) — Microsoft-Windows-PowerShell/Operational
- PowerShell Module Logging (Event ID 4103)
- Windows Event Log — Security channel (Event ID 4624)
- Network packet capture (Wireshark, tcpdump) targeting TCP port 9389
- EDR telemetry — process creation and network connection events
- SIEM correlation rules for ADWS traffic and PowerShell AD cmdlet execution
- Netstat / network flow analysis tools
- Group Policy Management Console (GPMC) — PowerShell logging policy configuration
- Get-Service (PowerShell) — ADWS service validation on Domain Controllers