Uncommon Connection to Active Directory Web Services

Sigma Rules

Summary
This detection rule identifies suspicious and uncommon network connections to Active Directory Web Services (ADWS), focusing on connections initiated by processes that are not normally associated with legitimate ADWS management. The rule specifies the protocol and port ADWS uses (TCP port 9389) and selects any process that initiates such a connection. To reduce false positives, it applies filters that exclude commonly trusted applications such as 'dsac.exe', the 'Microsoft Monitoring Agent', and legitimate PowerShell instances. A connection initiated by any process that does not match these filters triggers an alert. Such connections may indicate exploitation attempts or lateral movement within the network, and therefore a breach or an unauthorized attempt to access Active Directory services.
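The following is an added worked example, not the Sigma rule's own text or code: it renders the selection-and-filter logic the summary describes in plain Python and runs it over a handful of constructed Sysmon Event ID 3 style network-connection records. The field names (`image`, `dest_port`, `protocol`, `initiated`), the exact filter expressions (the `\dsac.exe` suffix, the `\Microsoft Monitoring Agent\` path fragment, and the OS-shipped PowerShell install paths used to represent "legitimate PowerShell") and all sample events are assumptions chosen to illustrate the described behaviour; the real rule's filter definitions should be read from its source.

```python
"""Plain-Python rendering of the ADWS detection logic described above.

Constructed example (assumptions noted inline); not the Sigma rule itself.
"""
from dataclasses import dataclass
from typing import Iterable, List

ADWS_PORT = 9389  # TCP port used by Active Directory Web Services (stated in the summary)


@dataclass(frozen=True)
class NetConnEvent:
    """Minimal Sysmon Event ID 3 style record (field names are an assumption)."""
    image: str        # full path of the process that opened the connection
    dest_ip: str
    dest_port: int
    protocol: str     # "tcp" or "udp"
    initiated: bool   # True when this host opened the connection (outbound)


# --- Assumed filter set, modelled on the three exclusions the summary names ---
TRUSTED_IMAGE_SUFFIXES = ("\\dsac.exe",)  # Active Directory Administrative Center
TRUSTED_PATH_FRAGMENTS = ("\\microsoft monitoring agent\\",)  # MMA install directory (assumed)
# "Legitimate PowerShell" is read here as the OS-shipped binaries at their install
# paths; a powershell.exe copied elsewhere is deliberately NOT excluded (assumption).
LEGIT_POWERSHELL_IMAGES = {
    "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
    "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe",
    "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell_ise.exe",
}


def selection(ev: NetConnEvent) -> bool:
    """Selection: any process initiating an outbound TCP connection to port 9389."""
    return ev.initiated and ev.protocol.lower() == "tcp" and ev.dest_port == ADWS_PORT


def is_filtered(ev: NetConnEvent) -> bool:
    """Filters: return True when the initiating image is one of the trusted ones."""
    img = ev.image.lower()
    if img.endswith(TRUSTED_IMAGE_SUFFIXES):
        return True
    if any(fragment in img for fragment in TRUSTED_PATH_FRAGMENTS):
        return True
    return img in LEGIT_POWERSHELL_IMAGES


def matches(ev: NetConnEvent) -> bool:
    """Sigma condition: selection and not any of the filters."""
    return selection(ev) and not is_filtered(ev)


def alert(events: Iterable[NetConnEvent]) -> List[NetConnEvent]:
    """Return the events that would raise an alert under the rule."""
    return [ev for ev in events if matches(ev)]


# Constructed sample telemetry: three trusted ADWS clients, one unrelated HTTPS
# connection, one UDP event on the ADWS port, and two uncommon initiators.
SAMPLE_EVENTS = [
    NetConnEvent("C:\\Windows\\System32\\dsac.exe", "10.0.0.5", 9389, "tcp", True),
    NetConnEvent("C:\\Program Files\\Microsoft Monitoring Agent\\Agent\\MonitoringHost.exe",
                 "10.0.0.5", 9389, "tcp", True),
    NetConnEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "10.0.0.5", 9389, "tcp", True),
    NetConnEvent("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "93.184.216.34", 443, "tcp", True),
    NetConnEvent("C:\\Windows\\System32\\svchost.exe", "10.0.0.5", 9389, "udp", True),
    NetConnEvent("C:\\Users\\Public\\powershell.exe", "10.0.0.5", 9389, "tcp", True),
    NetConnEvent("C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "10.0.0.5", 9389, "tcp", True),
]


def alerting_images(events: Iterable[NetConnEvent] = SAMPLE_EVENTS) -> List[str]:
    """Convenience view of which images the rule flags in the sample set."""
    return [ev.image for ev in alert(events)]


if __name__ == "__main__":
    for ev in alert(SAMPLE_EVENTS):
        print(f"ALERT: {ev.image} -> {ev.dest_ip}:{ev.dest_port}/{ev.protocol}")
```

Note how the sample set exercises each part of the rule: the trusted clients are selected but filtered out, the HTTPS and UDP events never pass selection, and the two alerts are a PowerShell binary running from an unexpected path and an unknown executable, which is exactly the kind of uncommon initiator the rule is meant to surface. Tuning the PowerShell exclusion to full paths rather than a bare file name is what keeps the relocated copy visible.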
Categories
  • Network
  • Endpoint
  • Windows
  • Identity Management
Data Sources
  • Network Traffic
Created: 2024-01-26