Windows AD Replication Service Traffic

Original Source: [splunk source]
Name: Windows AD Replication Service Traffic
id: c6e24183-a5f4-4b2a-ad01-2eb456d09b67
version: 3
date: 2024-10-17
author: Steven Dick
status: experimental
type: TTP
Description: The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise.
Data_source:
search: | tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN ("ms-dc-replication","*drsr*","ad drs") by All_Traffic.src All_Traffic.dest All_Traffic.app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `windows_ad_replication_service_traffic_filter`


how_to_implement: To successfully implement this search, you need to be ingesting application-aware firewall or proxy logs into the Network Traffic datamodel. Categorize all known domain controller assets (servers) with an appropriate asset category so they can be excluded by the filter macro.
known_false_positives: New domain controllers or certain scripts run by administrators.
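To make the search logic concrete, here is an added offline approximation of the detection in Python (example code, not part of the Splunk content or the original page). It mirrors the four stages a reader needs to understand: the case-insensitive wildcard match on `All_Traffic.app` that `IN ("ms-dc-replication","*drsr*","ad drs")` performs, the `tstats` aggregation by src/dest/app with `count`, `values()` and `min/max(_time)`, the `security_content_ctime` formatting, and a stand-in body for the site-specific `windows_ad_replication_service_traffic_filter` macro, which here assumes domain controllers were tagged with a `src_category` of `domain_controller` as the implementation notes suggest. The sample events, IP addresses, user names and the `domain_controller` category value are constructed for the example.

```python
"""Offline approximation of the 'Windows AD Replication Service Traffic' search.

Stages mirrored: app wildcard match, tstats aggregation by src/dest/app,
ctime formatting, and a stand-in for the site-specific filter macro that
drops replication traffic whose source is a categorized domain controller.
"""
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Same patterns as the search's IN() clause; Splunk matches these case-insensitively.
REPLICATION_APP_PATTERNS = ("ms-dc-replication", "*drsr*", "ad drs")

# Assumed asset category used to tag domain controllers (hypothetical; pick your own).
DC_CATEGORY = "domain_controller"

# Constructed sample events shaped like Network_Traffic datamodel fields (not real data).
SAMPLE_TRAFFIC = [
    # Normal DC-to-DC replication: should be removed by the filter macro.
    {"_time": 1729123200, "src": "10.0.0.10", "dest": "10.0.0.11", "app": "ms-dc-replication",
     "transport": "tcp", "user": "DC01$", "src_category": DC_CATEGORY, "dest_category": DC_CATEGORY},
    # A workstation speaking DRSR to a DC, twice: the DCSync-style pattern the analytic targets.
    {"_time": 1729123260, "src": "10.0.5.23", "dest": "10.0.0.11", "app": "drsr",
     "transport": "tcp", "user": "jdoe", "src_category": "workstation", "dest_category": DC_CATEGORY},
    {"_time": 1729123320, "src": "10.0.5.23", "dest": "10.0.0.11", "app": "drsr",
     "transport": "tcp", "user": "jdoe", "src_category": "workstation", "dest_category": DC_CATEGORY},
    # Same workstation, different app label: a separate group in the aggregation.
    {"_time": 1729123380, "src": "10.0.5.23", "dest": "10.0.0.11", "app": "ad drs",
     "transport": "tcp", "user": "jdoe", "src_category": "workstation", "dest_category": DC_CATEGORY},
    # Unrelated RPC traffic: never matched.
    {"_time": 1729123440, "src": "10.0.7.5", "dest": "10.0.0.11", "app": "ms-rpc",
     "transport": "tcp", "user": "svc_web", "src_category": "server", "dest_category": DC_CATEGORY},
    # Uppercase app label from another log source with no asset category: still matches *drsr*.
    {"_time": 1729123500, "src": "10.0.6.9", "dest": "10.0.0.11", "app": "MS-DRSR",
     "transport": "tcp", "user": "", "src_category": "", "dest_category": DC_CATEGORY},
]


def is_replication_app(app):
    """Case-insensitive wildcard match, like IN("ms-dc-replication","*drsr*","ad drs")."""
    name = (app or "").lower()
    return any(fnmatch.fnmatchcase(name, pattern) for pattern in REPLICATION_APP_PATTERNS)


def format_ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds to a readable UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def summarize_replication_traffic(events):
    """The tstats stage: count, values(), min/max(_time) grouped by src, dest and app."""
    groups = defaultdict(lambda: {"count": 0, "transport": set(), "user": set(),
                                  "src_category": set(), "dest_category": set(),
                                  "firstTime": None, "lastTime": None})
    for ev in events:
        if not is_replication_app(ev.get("app")):
            continue
        row = groups[(ev["src"], ev["dest"], ev["app"])]
        row["count"] += 1
        for field in ("transport", "user", "src_category", "dest_category"):
            if ev.get(field):  # values() skips null/empty values
                row[field].add(ev[field])
        t = ev["_time"]
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
    results = []
    for (src, dest, app), row in groups.items():
        results.append({"src": src, "dest": dest, "app": app, "count": row["count"],
                        "transport": sorted(row["transport"]), "user": sorted(row["user"]),
                        "src_category": sorted(row["src_category"]),
                        "dest_category": sorted(row["dest_category"]),
                        "firstTime": format_ctime(row["firstTime"]),
                        "lastTime": format_ctime(row["lastTime"])})
    return results


def replication_traffic_filter(rows, dc_category=DC_CATEGORY):
    """Hypothetical body for `windows_ad_replication_service_traffic_filter`:
    drop rows whose source is a categorized domain controller (expected replication).
    Rows with no category at all are kept, since an unknown source is exactly the concern."""
    return [r for r in rows if dc_category not in r["src_category"]]


def detect(events):
    """Run the whole pipeline and render the analytic's message for each surviving row."""
    rows = replication_traffic_filter(summarize_replication_traffic(events))
    return [(r["src"], r["dest"], r["app"], r["count"],
             f"Active Directory Replication Traffic from Unknown Source - {r['src']}")
            for r in rows]


if __name__ == "__main__":
    for hit in detect(SAMPLE_TRAFFIC):
        print(hit)
```

Running the block prints three hits: two groups from the workstation 10.0.5.23 (one per app label, the `drsr` group with a count of 2) and one from the uncategorized 10.0.6.9, while the DC-to-DC row is removed by the filter stand-in. The last case is the practical lesson of the implementation note: an asset with no category is not excluded, so a gap in your DC inventory shows up as an alert rather than as a silent miss.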
References:
  - https://adsecurity.org/?p=1729
  - https://attack.mitre.org/techniques/T1003/006/
  - https://attack.mitre.org/techniques/T1207/
drilldown_searches:
tags:
  analytic_story:
    - 'Sneaky Active Directory Persistence Tricks'
  asset_type: Endpoint
  confidence: 100
  impact: 100
  message: Active Directory Replication Traffic from Unknown Source - $src$
  mitre_attack_id:
    - 'T1003'
    - 'T1003.006'
    - 'T1207'
  observable:
    - name: 'dest'
      type: 'IP Address'
      role:
        - 'Victim'
    - name: 'src'
      type: 'IP Address'
      role:
        - 'Attacker'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - 'All_Traffic.src'
    - 'All_Traffic.dest'
    - 'All_Traffic.app'
  risk_score: 100
  security_domain: network

tests:
manual_test: None