ATP: workstation has a Domain Controller IP


Hello everyone!

Today I received a High severity alert for a Suspected DCSync attack. The origin of this attack was a workstation that ATP tells us has its correct private IP and a secondary IP, the one of our DC that already has the sensor installed. How can this be possible? I've investigated DNS, the AV client logs and other auditing tools, and everything looks OK. There is no evidence of any risk on this computer or of a secondary IP address assigned to this workstation. How can this be possible?

Thank you.

1 Reply
We also had a false report of a suspected DCSync attack last week. At the bottom of the alert in the portal, it said "<computername> resolved from 192.168.3.7 with low certainty."

That IP address was actually one of our Domain Controllers.
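The "resolved from ... with low certainty" line in the alert comes from ATP's network name resolution, which maps the source IP of the traffic to a computer name. When that mapping is wrong (for example a stale PTR record, or a workstation name that was once bound to an address now used by a DC), replication traffic from a real domain controller can be attributed to a workstation and surface as a DCSync alert. The PowerShell below is an added example for checking that, not code from either poster or from Microsoft: given the IP and hostname printed in the alert, it compares forward and reverse DNS, asks the workstation which addresses it actually holds, and checks whether the IP belongs to a domain controller. The IP and hostname in the defaults are placeholders taken from the thread and assumed for illustration; the `ActiveDirectory` module and WinRM access to the workstation are assumed to be available.

```powershell
# Added example (not from the original thread). Run from a domain-joined admin host.
# Substitute the IP and hostname printed at the bottom of the ATP alert.
param(
    [string]$AlertIp       = '192.168.3.7',    # IP the alert says the name was resolved from
    [string]$AlertHostName = 'WORKSTATION01',  # placeholder: the name ATP attributed to that IP
    [string]$DnsServer     = $null             # optional: query a specific DC/DNS server
)

function Resolve-Ptr {
    param([string]$Ip, [string]$Server)
    $query = @{ Name = $Ip; Type = 'PTR'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }
    (Resolve-DnsName @query | Where-Object Type -eq 'PTR').NameHost
}

function Resolve-A {
    param([string]$HostName, [string]$Server)
    $query = @{ Name = $HostName; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $query.Server = $Server }
    (Resolve-DnsName @query | Where-Object Type -eq 'A').IPAddress
}

# 1. Reverse lookup: which name(s) does DNS say own the alert IP?
$ptrNames = Resolve-Ptr -Ip $AlertIp -Server $DnsServer
Write-Host "PTR for $AlertIp -> $($ptrNames -join ', ')"

# 2. Forward lookup: does the attributed hostname actually resolve to the alert IP?
$aRecords = Resolve-A -HostName $AlertHostName -Server $DnsServer
Write-Host "A for $AlertHostName -> $($aRecords -join ', ')"

# 3. Consistency verdict for the name resolution shown in the alert
if ($aRecords -contains $AlertIp) {
    Write-Host "$AlertHostName forward-resolves to $AlertIp; the attribution is DNS-consistent."
} elseif ($ptrNames | Where-Object { $_ -like "$AlertHostName*" }) {
    Write-Warning "PTR for $AlertIp points at $AlertHostName but no A record agrees: likely a stale PTR record."
} else {
    Write-Warning "No DNS record ties $AlertHostName to $AlertIp; the alert's name resolution is probably wrong."
}

# 4. Does the workstation itself hold the IP? (needs WinRM to the workstation)
$boundIps = Invoke-Command -ComputerName $AlertHostName -ErrorAction SilentlyContinue -ScriptBlock {
    (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -notlike '127.*' }).IPAddress
}
if ($boundIps -contains $AlertIp) {
    Write-Warning "$AlertHostName really has $AlertIp bound; check its interface and DHCP/static assignment."
} else {
    Write-Host "$AlertHostName does not hold $AlertIp (bound: $($boundIps -join ', '))."
}

# 5. Is the alert IP one of the domain controllers? (needs the ActiveDirectory module)
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
$dcIps = (Get-ADDomainController -Filter *).IPv4Address
if ($dcIps -contains $AlertIp) {
    Write-Host "$AlertIp is a domain controller: DCSync-like traffic from it is normal replication, misattributed to $AlertHostName."
}
```

If step 3 reports a stale PTR record, correcting or removing it and waiting for the sensor to re-resolve the name is the usual fix; if step 5 confirms the IP is a DC while the workstation does not hold it, the alert is a name-resolution false positive rather than evidence of compromise on the workstation.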