Azure ATP read-only user hammering RDP and TCP35 ports

Question

Hi!Our Security scans showed that the user account used in Azure ATP as read-only account (Only domain user) is used to try RDP and TCP35 ports from domain controllers a lot.As the source is domain controllers, it is probably nothing because sensors are on DC:s but did not find any information about RDP and TCP 35 ports related to Azure ATP so could you specify what that port hammering could be?

tali ash · Answer

Hi Mtee-&nbsp;,
&nbsp;
Following Eli respond, you can read more about it:
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-nnr-policy
&nbsp;
Thanks,
Tali

eliofek · Answer

Mtee-&nbsp; This is normal, it's part of the name resolution process we do, we contact the endpoint via few methods to resolve the IP to&nbsp; its name.
This should be cached, so it should not hammer the same endpoint over and over within a short period of time...
&nbsp;
Just to be sure, the ports you have seen are RDP and 135 (NtlmRpc), not 35 right?
&nbsp;

Forum Discussion

Azure ATP read-only user hammering RDP and TCP35 ports

2 Replies