Detection: Windows AD Replication Service Traffic

EXPERIMENTAL DETECTION

This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Description

The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise.

1
2| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app IN ("ms-dc-replication","*drsr*","ad drs") by All_Traffic.src All_Traffic.dest All_Traffic.app 
3| `security_content_ctime(firstTime)` 
4| `security_content_ctime(lastTime)` 
5| `drop_dm_object_name("All_Traffic")` 
6| `windows_ad_replication_service_traffic_filter`

Data Source

No data sources specified for this detection.

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_ad_replication_service_traffic_filter search *
windows_ad_replication_service_traffic_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1003 OS Credential Dumping Credential Access
T1003.006 DCSync Credential Access
T1207 Rogue Domain Controller Defense Evasion
KillChainPhase.EXPLOITAITON
NistCategory.DE_CM
Cis18Value.CIS_13
APT28
APT32
APT39
Axiom
Ember Bear
Leviathan
Poseidon Group
Sowbug
Suckfly
Tonto Team
Earth Lusca
LAPSUS$

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering.

Known False Positives

New domain controllers or certian scripts run by administrators.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
Active Directory Replication Traffic from Unknown Source - $src$ 100 100 100
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Not Applicable N/A N/A N/A
Unit ❌ Failing N/A N/A N/A
Integration ❌ Failing N/A N/A N/A

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 3