ATA ALERT - Malicious replication requests

  • Question

  • Hi Team,

    I have got an alert in my ATA console for Malicious replication requests.

    It states the "Malicious replication requests were successfully performed from IP against one of my DC".

    On further investigation with my network team, they informed me this IP is assigned to a router.

    Can a router replicate between DCs? I'm sure not. If YES, let me know if anyone else has also encountered this issue.

    Or is there any other way to further investigate if it's assigned to a router now?

    Regards,

    RAHUL

    Wednesday, April 11, 2018 2:27 PM

Answers

  • The detection is happening by analyzing the protocol used.

    I am not aware of routers doing such things, but there is malware that will,

    thus the smart thing is to find and locate the real device that induced these calls and make sure they are legit.

    • Marked as answer by Rahul Benjamin Thursday, April 19, 2018 12:15 PM
    Wednesday, April 11, 2018 9:12 PM
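The answer above says ATA flags the replication protocol itself and that the job is to find the real requester. As an added example (not from the original thread and not ATA's own code), the following Python corroborates such an alert from the domain controller's own Security log: Event 4662 records the account that requested the replication extended rights, and that account is not masked by a NAT device in the path the way the source IP is. The three extended-right GUIDs are the documented AD control-access rights; the key=value log rendering, the account names and the allow-list are constructed for this example.

```python
import re

# Extended-right GUIDs that appear in the "Properties" field of Windows
# Security Event 4662 when a caller requests directory replication. These
# three GUIDs are the documented AD control-access rights; the log format
# and account names below are constructed for this example.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical allow-list: domain controller machine accounts plus the
# Azure AD Connect synchronisation account. Replace with your own inventory.
KNOWN_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3d4e5f6"}

# Constructed, simplified key=value rendering of Security events. Real 4662
# events are multi-line; the fields used here (Account Name, Object Type,
# Properties) exist in the real event.
SAMPLE_LOG = [
    'EventID=4662 AccountName=DC02$ ObjectType=domainDNS '
    'Properties="Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 AccountName=MSOL_a1b2c3d4e5f6 ObjectType=domainDNS '
    'Properties="Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 AccountName=jsmith ObjectType=domainDNS '
    'Properties="Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} '
    '{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 AccountName=jsmith ObjectType=user '
    'Properties="Read Property {bf967aba-0de6-11d0-a285-00aa003049e2}"',
    'EventID=4624 AccountName=jsmith LogonType=3',
]

# key=value pairs; a value is either a double-quoted string or a bare token.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def replication_rights(properties):
    """Return the names of replication rights referenced in a Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def triage(lines, known=KNOWN_REPLICATORS):
    """Return (account, [rights]) for each 4662 event in which an account
    outside the allow-list requested replication rights.

    The account comes from the DC's own log, so a NAT/PAT device between the
    client and the DC cannot hide who made the request, unlike the IP address
    reported in the network-based alert.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        account = ev.get("AccountName", "")
        if not rights or account in known:
            continue
        findings.append((account, rights))
    return findings


if __name__ == "__main__":
    for account, rights in triage(SAMPLE_LOG):
        print(f"{account} requested {', '.join(rights)} -> not a known replicator")
```

Run against the constructed log, the two allow-listed replicators (a DC machine account and the Azure AD Connect account) are dropped, the unrelated 4624 and the non-replication 4662 are ignored, and only the ordinary user account that asked for DS-Replication-Get-Changes-All is reported. In the thread's situation, seeing only DC machine accounts in this output is the evidence that the NAT'd IP belonged to a legitimate DC.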

All replies

  • Any chance this router is also acting as a NAT device and masking whoever really initiated the replication requests?
    Wednesday, April 11, 2018 8:26 PM
  • I'll check with my network team about this router. In the meanwhile, I just need to be sure that these Malicious Replication alerts can only be generated from Domain Controllers and the Azure AD Connect server? Other than these, can there be any other source for a replication alert? This cannot happen via any router, correct me if I'm wrong here? Lastly, let me know how ATA detects or understands replication alerts.
    Wednesday, April 11, 2018 9:02 PM
  • The router had NAT/PAT configured. On further investigation we found out that it was one of the DCs which was replicating from that IP.

    Thursday, April 19, 2018 12:17 PM