cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ATP: workstation has a Domain Controller IP

Blue_Trooper18
Copper Contributor

‎May 24 2019 02:15 AM

‎May 24 2019 02:15 AM

ATP: workstation has a Domain Controller IP

Hello everyone!

Today I have received a High severity alert for Suspected DCSync attack. The origin of this attack was a workstation that ATP tell us that has it's right private IP and a secondary IP, the one of our DC that already has the sensor installed. How it can be possible? I've investigated on DNS, on AV client logs, and other auditing tools and everything looks ok. No evidences for any risk on this computer or secondary IP address assigned to this workstation. How it can be possible?

Thank you.

893 Views
0 Likes
1 Reply
Reply
1 Reply
Joe Stern

‎May 24 2019 05:22 AM

‎May 24 2019 05:22 AM

Re: ATP: workstation has a Domain Controller IP

We also had a false report of a suspected DCSync attack last week. At the bottom of the alert in the portal, it said "computername> resolved from 192.168.3.7 with low certainty."

That IP address was actually one of our Domain Controllers.
0 Likes
Reply