Forum Discussion
NTLM over RDP
jbchris, it's not actually doing a full NTLM RDP session.
It only sends the first payload, as a matter of name resolution.
This is one of the methods we use to resolve an IP to a machine name...
When we send the first payload, the target machine sends back interesting info on its identity, then we break the connection.
A few other customers also mistakenly thought AATP actually opens an RDP session or authenticates via NTLM over RDP, but it does not...
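As an added illustration of the kind of identity data an NTLM exchange hands back before any credential is sent (this is example code, not the thread's or the AATP sensor's own code, and the thread does not say which fields the sensor actually reads): the server's reply to an NTLM NEGOTIATE is a CHALLENGE_MESSAGE whose TargetInfo block carries the responder's NetBIOS and DNS computer and domain names (MS-NLMP 2.2.1.2 and 2.2.2.1). The builder below constructs such a message with made-up host names so the parser can be run offline; the flag value, build number and timestamp are likewise constructed.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_MESSAGE = 2
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

# AvId values (MS-NLMP 2.2.2.1) that identify the responding host and its domain
AV_PAIR_NAMES = {
    0x0001: "NbComputerName",
    0x0002: "NbDomainName",
    0x0003: "DnsComputerName",
    0x0004: "DnsDomainName",
    0x0005: "DnsTreeName",
    0x0009: "TargetName",
}
MSV_AV_EOL = 0x0000
MSV_AV_TIMESTAMP = 0x0007


def _utf16(s):
    return s.encode("utf-16-le")


def build_challenge(nb_computer, nb_domain, dns_computer, dns_domain,
                    server_challenge=bytes(range(8))):
    """Constructed sample: a CHALLENGE_MESSAGE laid out as in MS-NLMP 2.2.1.2,
    with the TargetInfo AV_PAIRs a domain-joined Windows host normally returns."""
    target_name = _utf16(nb_domain)
    av_pairs = b""
    for av_id, value in ((0x0001, nb_computer), (0x0002, nb_domain),
                         (0x0003, dns_computer), (0x0004, dns_domain),
                         (0x0005, dns_domain)):
        enc = _utf16(value)
        av_pairs += struct.pack("<HH", av_id, len(enc)) + enc
    # arbitrary FILETIME; a real host sends its current clock here
    av_pairs += struct.pack("<HHQ", MSV_AV_TIMESTAMP, 8, 0x01D57A0000000000)
    av_pairs += struct.pack("<HH", MSV_AV_EOL, 0)

    # UNICODE | REQUEST_TARGET | NTLM | ALWAYS_SIGN | TARGET_TYPE_DOMAIN |
    # EXTENDED_SESSIONSECURITY | TARGET_INFO | VERSION | 128 | 56 (constructed)
    flags = 0xA2898205
    # Version: major 10, minor 0, build 17763 (constructed), reserved, NTLMSSP revision 15
    version = struct.pack("<BBH", 10, 0, 17763) + b"\x00\x00\x00\x0f"

    header_len = 56                      # fixed fields including Version
    tn_off = header_len
    ti_off = tn_off + len(target_name)
    msg = NTLMSSP_SIGNATURE
    msg += struct.pack("<I", CHALLENGE_MESSAGE)
    msg += struct.pack("<HHI", len(target_name), len(target_name), tn_off)
    msg += struct.pack("<I", flags)
    msg += server_challenge               # 8 bytes
    msg += b"\x00" * 8                    # Reserved
    msg += struct.pack("<HHI", len(av_pairs), len(av_pairs), ti_off)
    msg += version
    assert len(msg) == header_len
    return msg + target_name + av_pairs


def parse_challenge(msg):
    """Extract the identity data a CHALLENGE_MESSAGE carries. No credential is
    needed to get this far: the exchange can be dropped right after this message."""
    if len(msg) < 48 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != CHALLENGE_MESSAGE:
        raise ValueError("expected CHALLENGE_MESSAGE (type 2), got type %d" % msg_type)
    tn_len, _, tn_off = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    if tn_off + tn_len > len(msg) or ti_off + ti_len > len(msg):
        raise ValueError("payload offsets point outside the message")

    info = {
        "flags": flags,
        "server_challenge": msg[24:32].hex(),
        "target_name": msg[tn_off:tn_off + tn_len].decode("utf-16-le"),
    }
    if not flags & NTLMSSP_NEGOTIATE_TARGET_INFO:
        return info                       # older hosts may omit TargetInfo

    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id in AV_PAIR_NAMES:
            info[AV_PAIR_NAMES[av_id]] = value.decode("utf-16-le")
    return info


if __name__ == "__main__":
    sample = build_challenge("WS-042", "CONTOSO", "ws-042.contoso.local", "contoso.local")
    for key, val in parse_challenge(sample).items():
        print(key, val)
```

The point for anyone watching this traffic on the wire: everything the parser returns is sent by the target before the client has to present any credential, which is why a name-resolution probe can collect it and then close the connection without ever authenticating.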
- jbchris, Oct 02, 2019, Copper Contributor
Thanks, Eli,
What are the implications if the customer does not want to open that port on the firewall? Are there other ways to connect to the ATP endpoint besides using the internet? Maybe VPN?
- EliOfek, Oct 02, 2019, Microsoft
jbchris, not sure I follow.
This connection is initiated from the sensor (usually installed on the DC) to the endpoint in the network that contacted the DC. In most cases the Internet is not involved...
In rare cases where the DC is opened to the internet (usually a bad idea), then if a machine from the internet tried to contact the DC, we will try to "ping" it back via several methods to collect info about it.
Now, in case the customer blocked RDP ports on all the endpoints in the network, the sensor will still work, but might take a hit to some degree in resolution success, which may impact detection and false positives. How much? It depends on how well the other methods we use work in your network...
We use several, as we are aware that networks can be different, and also endpoints, so when we have several ways, we increase the chances of getting a successful resolution.
- jbchris, Oct 02, 2019, Copper Contributor
Let me see if I can ask the question a better way: (Forgive me if I am missing something)
The customer domain is behind a firewall. ATP is in the cloud. The ATP agents, either on DCs or standalone, need to communicate with ATP in the cloud.
How do the events and logs get to the ATP cloud service for analysis? Azure AD Connect? Is there documentation that explains this for me?
Thanks