
Enumeration of service accounts using SoaPy | Image: IBM
IBM X-Force Research has introduced SoaPy, a new Python-based tool designed for stealthy Active Directory (AD) enumeration using Active Directory Web Services (ADWS). The tool enhances security professionals’ ability to interact with AD from Linux hosts, overcoming previous Windows-only limitations. However, its capabilities also highlight potential attack vectors that defenders need to address.
Active Directory (AD) has been a prime target for attackers seeking to gather intelligence on corporate environments. Traditionally, Lightweight Directory Access Protocol (LDAP) has been the primary method for AD enumeration, but its activity is increasingly flagged by modern security solutions.
According to IBM X-Force researchers, “FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments” by leveraging ADWS instead of LDAP. This insight led IBM’s researchers to develop SoaPy, further expanding Active Directory interaction through ADWS from Linux environments.
ADWS is enabled by default on Active Directory Domain Controllers (DCs) via port 9389 and facilitates communication through Simple Object Access Protocol (SOAP) messages. This allows users to query and modify LDAP objects without direct LDAP access.
IBM X-Force explains: “As connections are passed from the local ADWS service to LDAP, any interactions done using this mechanism are displayed as the local domain controller connecting to itself within Windows Event Logs.” This means traditional monitoring techniques may fail to detect external reconnaissance activity.
Before SoaPy’s development, ADWS was primarily accessed via Microsoft-built tools, limiting interaction to Windows-based environments. IBM’s security team sought to bridge this gap by creating a portable Python library that would allow security professionals to interact with ADWS from Linux hosts.
“The relative lack of documentation on these protocols further complicated matters and resulted in us reverse engineering them both through source code analysis and examination of packet captures,” IBM’s researchers revealed.
To make SoaPy functional, IBM’s team implemented multiple obscure Microsoft protocols, including:
- NNS (.NET NegotiateStream Protocol)
- NMF (.NET Message Framing Protocol)
- NBFSE (.NET Binary Format: SOAP Extension)
The development process took several months, culminating in a tool that enables stealthy AD reconnaissance and privilege escalation tactics.
SoaPy offers a range of Active Directory reconnaissance capabilities, including:
- Enumerating service accounts (with the `--spns` flag)
- Identifying accounts configured for constrained/unconstrained delegation
- Exploiting Resource-Based Constrained Delegation (RBCD)
IBM X-Force warns that although the client is not directly interacting with the LDAP service, malicious indicators are still passed to the LDAP service from ADWS. This means that while ADWS enumeration appears less conspicuous, it still leaves traces that defenders can detect if they know what to look for.
Defenders can counter SoaPy and similar ADWS enumeration tools using the following techniques:
- Enable LDAP logging to track suspicious queries.
- Monitor Windows Event Logs for unexpected activity originating from domain controllers.
- Implement System Access Control List (SACL) canaries to detect unauthorized object access.
- Correlate user account activity with network traffic to pinpoint suspicious enumeration sources.
Despite SoaPy’s stealth advantages, IBM researchers emphasize that traditional LDAP reconnaissance detections remain effective. Security teams should adjust their monitoring techniques to account for the nuances of ADWS-based enumeration.
For a detailed breakdown of SoaPy’s capabilities and defensive strategies, visit IBM X-Force Research’s official GitHub repository: SoaPy on GitHub.