← Back to Explore
splunk_escuTTP
Windows AD Replication Service Traffic
The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise.
Detection Query
| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic
WHERE All_Traffic.app IN ("ms-dc-replication","*drsr*","ad drs")
BY All_Traffic.src All_Traffic.dest All_Traffic.app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `windows_ad_replication_service_traffic_filter`Author
Steven Dick
Created
2026-03-10
References
Tags
Sneaky Active Directory Persistence Tricks
Raw Content
name: Windows AD Replication Service Traffic
id: c6e24183-a5f4-4b2a-ad01-2eb456d09b67
version: 8
date: '2026-03-10'
author: Steven Dick
type: TTP
status: experimental
data_source: []
description: The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise.
search: |-
| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic
WHERE All_Traffic.app IN ("ms-dc-replication","*drsr*","ad drs")
BY All_Traffic.src All_Traffic.dest All_Traffic.app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `windows_ad_replication_service_traffic_filter`
how_to_implement: To successfully implement this search, you need to be ingesting application aware firewall or proxy logs into the Network Datamodel. Categorize all known domain controller Assets servers with an appropriate category for filtering.
known_false_positives: New domain controllers or certian scripts run by administrators.
references:
- https://adsecurity.org/?p=1729
- https://attack.mitre.org/techniques/T1003/006/
- https://attack.mitre.org/techniques/T1207/
rba:
message: Active Directory Replication Traffic from Unknown Source - $src$
risk_objects:
- field: dest
type: system
score: 50
threat_objects:
- field: src
type: ip_address
tags:
analytic_story:
- Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
mitre_attack_id:
- T1003.006
- T1207
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network