Azure ATP read-only user hammering RDP and TCP35 ports


Hi!

Our security scans showed that the user account used in Azure ATP as the read-only account (only a domain user) is used to try RDP and TCP35 ports from domain controllers a lot.

As the source is the domain controllers, it is probably nothing because the sensors are on DCs, but I did not find any information about RDP and TCP 35 ports related to Azure ATP, so could you specify what that port hammering could be?


@Mtee- This is normal; it's part of the name resolution process we do. We contact the endpoint via a few methods to resolve the IP to its name.

This should be cached, so it should not hammer the same endpoint over and over within a short period of time...

 

Just to be sure, the ports you have seen are RDP and 135 (NtlmRpc), not 35 right?
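An added triage check for the situation described in this thread (not code from the thread or from the Azure ATP product): it classifies connection events whose source is a sensor DC and whose destination port is one the NNR process probes (TCP 3389 RDP, TCP 135 RPC/NTLM, UDP 137 NetBIOS, per the NNR documentation linked below) as expected, and flags the same endpoint being re-probed on the same port inside a short window, since the reply above says results should be cached. The sensor IPs, the log lines and the ten-minute cache window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed: IPs of the domain controllers running the Azure ATP sensor
SENSOR_DCS = {"10.0.0.10", "10.0.0.11"}
# Ports the NNR process is documented to probe (assumed from the NNR docs)
NNR_PORTS = {("tcp", 3389), ("tcp", 135), ("udp", 137)}
# Assumed: a re-probe of the same endpoint/port inside this window is unexpected
CACHE_WINDOW = timedelta(minutes=10)

# Constructed sample connection log in key=value form
SAMPLE_LOG = """\
2019-09-10T08:00:01 src=10.0.0.10 dst=10.0.1.50 proto=tcp dport=3389 user=svc_aatp
2019-09-10T08:00:01 src=10.0.0.10 dst=10.0.1.50 proto=tcp dport=135 user=svc_aatp
2019-09-10T08:00:05 src=10.0.0.11 dst=10.0.1.51 proto=udp dport=137 user=svc_aatp
2019-09-10T08:00:30 src=10.0.0.10 dst=10.0.1.50 proto=tcp dport=3389 user=svc_aatp
2019-09-10T08:01:00 src=10.0.5.7 dst=10.0.1.50 proto=tcp dport=3389 user=svc_aatp
2019-09-10T08:02:00 src=10.0.0.10 dst=10.0.1.52 proto=tcp dport=445 user=svc_aatp
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec


def triage(log_text):
    """Return (line, verdict) pairs. Verdicts:
    'nnr'        expected NNR probe from a sensor DC
    'nnr-repeat' same src/dst/port probed again inside CACHE_WINDOW
    'not-sensor' sensor account used from a host that is not a sensor DC
    'other-port' sensor DC reaching a port NNR is not expected to use"""
    last_seen = {}
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["src"] not in SENSOR_DCS:
            verdicts.append((line, "not-sensor"))
        elif (r["proto"], r["dport"]) not in NNR_PORTS:
            verdicts.append((line, "other-port"))
        else:
            key = (r["src"], r["dst"], r["proto"], r["dport"])
            prev = last_seen.get(key)
            last_seen[key] = r["ts"]
            repeat = prev is not None and r["ts"] - prev < CACHE_WINDOW
            verdicts.append((line, "nnr-repeat" if repeat else "nnr"))
    return verdicts
```

The 'not-sensor' and 'other-port' verdicts are the ones worth a closer look; 'nnr' events from the sensor DCs are the behaviour the reply describes.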

 

Hi @Mtee- ,

 

Following Eli's response, you can read more about it:

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-nnr-policy

 

Thanks,

Tali