The ADWS Architecture That Hides PowerShell AD Enumeration
ID: a7f75919-4ad2-574e-92f8-a63abce37590
STIX ID: report--a7f75919-4ad2-574e-92f8-a63abce37590
Feed Name: Huntress Blog
This post documents a real detection gap where PowerShell-based Active Directory enumeration via ADWS (port 9389) bypassed existing LDAP/network detections by causing LDAP queries to run as localhost on the domain controller. It demonstrates that correlating ADWS connection/authentication events (1138/1139) with LDAP query details (1644) and per-object/index events (1166/1167) using a shared Operation/InstanceId — and watching for indicators like the [all_with_list] properties prefix and SDflags:0x7 — provides high-fidelity detection of PowerShell AD reconnaissance.
