TTPwire Vol. 1 · MITRE ATT&CK-tagged


Huntress

The 60ms Window: How Event 5156 Solves the ADWS Attribution Problem

2026-04-09

ATT&CK techniques detected

4 predictions
T1087.002 Domain Account
69%
“…log. But his conclusion that the originating host “cannot be determined” doesn’t hold for SIEM-based detection. The data has been there all along in most enterprise environments. Timestamp correlation works even when port-based correlation doesn’t. And pattern detection…”
T1087.002 Domain Account
50%
“lol but the name of the game when performing stealthy collection of any type is all about using constrained and unique queries. Specifically, doing collection through ADWS has a large number of OPSEC benefits which, depending on how detections are written, can completely bypass some…”
T1482 Domain Trust Discovery
31%
“lol but the name of the game when performing stealthy collection of any type is all about using constrained and unique queries. Specifically, doing collection through ADWS has a large number of OPSEC benefits which, depending on how detections are written, can completely bypass some…”
T1087.002 Domain Account
31%
“…LDAP queries back to their source IP, catching marvel\loki mid-BloodHound enumeration. Source IP 10.1.1.13 correctly attributed to all three queries. The real-time monitor mode catches it as it happens: Figure 5: three events. One attacker. Event 5156 tells you who con…”

Summary

Event 1644 records the LDAP query source as localhost when the query arrives through ADWS, hiding the attacker's real IP. By correlating each such 1644 with the Event 5156 (Windows Filtering Platform permitted-connection) record that lands within a ~60-80ms timing window, you can attribute ADWS queries to their actual source, and the data was already in your SIEM.
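The correlation the summary describes, written out as an added example (not the Huntress tooling and not code from the original article). It assumes the domain controller logs both events, that ADWS listens on its default TCP port 9389, that the 5156 record precedes the 1644 record, and it uses constructed sample records, including the 10.1.1.13 address quoted above, rather than real log data. It also handles the two edge cases a SIEM rule has to cope with: no 5156 inside the window (leave the query unattributed rather than guess) and more than one candidate (attribute to the nearest, but flag the ambiguity).

```python
"""Attribute ADWS-relayed LDAP queries (Event 1644 with client = localhost) to their
real source by joining them with nearby Event 5156 (WFP permitted connection) records.

Added example for the TTPwire summary; assumptions: both events are on the DC,
ADWS is on TCP 9389, and the 5156 record lands up to `window_ms` before the 1644.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ADWS_PORT = 9389                                  # assumption: ADWS default port
LOCAL_SOURCES = {"localhost", "127.0.0.1", "::1"}  # what 1644 shows for relayed queries


@dataclass(frozen=True)
class Event1644:
    ts: datetime
    client: str        # source NTDS recorded; localhost when the query came via ADWS
    ldap_filter: str


@dataclass(frozen=True)
class Event5156:
    ts: datetime
    source_ip: str
    dest_port: int


@dataclass(frozen=True)
class Attribution:
    query: Event1644
    source_ip: Optional[str]   # None when no 5156 fell inside the window
    delta_ms: Optional[float]  # gap between the chosen 5156 and the 1644
    candidates: int            # 5156 records inside the window; >1 means ambiguous
    method: str                # "direct", "5156-correlation" or "unattributed"


def attribute(queries: List[Event1644], connections: List[Event5156],
              window_ms: int = 80) -> List[Attribution]:
    """Return one Attribution per 1644 record, in input order."""
    window = timedelta(milliseconds=window_ms)
    # Only inbound connections to the ADWS port can explain a localhost 1644
    adws_conns = sorted((c for c in connections if c.dest_port == ADWS_PORT),
                        key=lambda c: c.ts)
    results = []
    for q in queries:
        if q.client not in LOCAL_SOURCES:
            # Plain LDAP: NTDS already logged the real client, nothing to correlate
            results.append(Attribution(q, q.client, None, 0, "direct"))
            continue
        in_window = [c for c in adws_conns if q.ts - window <= c.ts <= q.ts]
        if not in_window:
            results.append(Attribution(q, None, None, 0, "unattributed"))
            continue
        nearest = min(in_window, key=lambda c: q.ts - c.ts)
        delta_ms = (q.ts - nearest.ts) / timedelta(milliseconds=1)
        results.append(Attribution(q, nearest.source_ip, delta_ms,
                                   len(in_window), "5156-correlation"))
    return results


def _t(offset_ms: int) -> datetime:
    """Constructed timestamps: millisecond offsets from a fixed base time."""
    return datetime(2026, 4, 9, 12, 0, 0) + timedelta(milliseconds=offset_ms)


# Constructed sample records (not real log data)
SAMPLE_5156 = [
    Event5156(_t(0), "10.1.1.13", ADWS_PORT),      # ADWS client connecting
    Event5156(_t(30), "10.1.1.99", 445),           # SMB traffic, must be ignored
    Event5156(_t(5000), "10.1.1.13", ADWS_PORT),
    Event5156(_t(5010), "10.1.1.77", ADWS_PORT),   # second client in the same window
]
SAMPLE_1644 = [
    Event1644(_t(65), "localhost", "(objectClass=user)"),             # via ADWS
    Event1644(_t(200), "10.1.1.50", "(objectClass=group)"),           # direct LDAP
    Event1644(_t(5040), "localhost", "(objectClass=trustedDomain)"),  # ambiguous
    Event1644(_t(9000), "localhost", "(sAMAccountName=*)"),           # nothing nearby
]

if __name__ == "__main__":
    for r in attribute(SAMPLE_1644, SAMPLE_5156):
        flag = " AMBIGUOUS" if r.candidates > 1 else ""
        print(f"{r.query.ts.time()} {r.query.ldap_filter:28} -> "
              f"{r.source_ip or '?':10} [{r.method}{flag}]")
```

The window is a parameter because the ~60-80ms figure is an observed value for the author's environment, not a protocol constant; when tuning it in your own SIEM, widen it only until ambiguous attributions start appearing, since every extra candidate in the window weakens the join.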