Forum Discussion

archedmeerkat's avatar
archedmeerkat
Copper Contributor
Jun 21, 2019

Azure ATP connection closed errors

I am seeing the following error in the Azure ATP Sensor logs in my environment when running net group "Domain Admins" /domain from member workstations. I do not see the correlated event of a user que...
  • EliOfek's avatar
    EliOfek
    Aug 15, 2019

    archedmeerkat 

    Engineering has researched the sampled capture ans managed to reproduce the issue.
    Sadly, this is not an easy fix, it's a specific traffic/rare traffic on top of SMB1 we were not aware of before and currently cannot parse.
    We have opened a bug for it.
    It is planned but in low priority for now as telemetry shows it happens rarely.
    We will update once we get it resolved so the fix can be verified.
EliOfek's avatar
EliOfek
Icon for Microsoft rankMicrosoft

archedmeerkat Hi, I am on-boarding internally the engineer who wrote most of the code for parsing this protocol...

For now I don't think raising  the trace log will produce meaningful results.

 

But something that might help is if you are able to use netmon 3.4 to capture a cap file trace of this specific traffic (recording while we have at least one incident like this in the log)

in which case we can use it to repro the problem in our lab which will speed up the research considerably... 

 

archedmeerkat's avatar
archedmeerkat
Copper Contributor
Jul 05, 2019

EliOfek- Can I use built in netsh commands to run the trace or will it have to be with netmon 3.4.

 

Do you want both ends or just from the AATP Sensor?

  • EliOfek's avatar
    EliOfek
    Icon for Microsoft rankMicrosoft
    Jul 07, 2019

    archedmeerkat 

    netmon is preferred. if there is no such option, we can try to work with netsh, but it will take more time.

    we need to capture the traffic on the DC.

     

    Also, it's interesting if you can get us a capture while invoking this command against the captured DC:

     

    net group "Domain Admins" /domain

    It seems you have some SMB1 traffic there, which is not very common these days, so we want to make sure our parser is not missing anything from this protocol which we don't get a lot any more.

     

    Eli

     

    • archedmeerkat's avatar
      archedmeerkat
      Copper Contributor
      Jul 17, 2019

      EliOfek- I have the capture with net mon. Is there anywhere I can securely upload this or share it with you?

      • EliOfek's avatar
        EliOfek
        Icon for Microsoft rankMicrosoft
        Jul 17, 2019

        archedmeerkat , The best option is to open a support case and give me the case #.

        I will ask the assigned engineer to open a secured workspace for you where we can exchange files,

        And also to add me to the case thread so I can help and add PG members as needed.

         

Share

Resources