Azure ATP Sensor tries to connect to public IPs

%3CLINGO-SUB%20id%3D%22lingo-sub-793184%22%20slang%3D%22en-US%22%3EAzure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-793184%22%20slang%3D%22en-US%22%3E%3CP%3EAfter%20installing%20Azure%20ATP%20Sensor%20on%20a%20domain%20controller%20for%20testing%2C%20I%20see%20a%20number%20of%20failed%20connection%20attempt%20to%20external%20IPs%20(specifically%20our%20public%20DNS%20IPs)%20on%20ports%203389%2C%20135%2C%20137%20from%20that%20domain%20controller.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3ETicket%23%20119080724001601%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-793487%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-793487%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F355862%22%20target%3D%22_blank%22%3E%40gd-29%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20expected%20communication%20and%20is%20part%20of%20the%20NNR%20process%20AATP%20uses%20to%20resolve%20the%20IP%20address%20in%20the%20network%20traffic%20to%20a%20computer%20name.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fatp-prerequisites%23ports%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fatp-prerequisites%23ports%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fatp-nnr-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fatp-nnr-policy%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%3C%2FP%3E%3CP%3EGershon%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-793518%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-793518%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45656%22%20target%3D%22_blank%22%3E%40Gerson%20Levitz%3C%2FA%3E%26nbsp%3Bthis%20makes%20sense%20for%20private%20IPs%2C%20i%20don't%20see%20why%20it%20would%20try%20to%20connect%20public%20IPs.%20that%20also%20generates%20a%20lot%20of%20noise%20on%20our%20firewalls%20%2F%20SIEM.%20it%20would%20be%20ideal%20to%20be%20able%20to%20select%20the%20IP%20ranges%20that%20i%20would%20want%20the%20agent%20to%20interrogate%20for%20this%20additional%20info.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-793544%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-793544%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F355862%22%20target%3D%22_blank%22%3E%40gd-29%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20have%20a%20domain%20controller%20with%20the%20sensor%20installed%20that%20have%20public%20IP%20addresses%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-793555%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-793555%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45656%22%20target%3D%22_blank%22%3E%40Gerson%20Levitz%3C%2FA%3E%26nbsp%3Bno.%20But%20after%20the%20agent%20installation%20i%20see%20these%20connection%20attempts%20to%20our%20public%20dns%20provider%20(configured%20on%20our%20domain%20controller%20dns%20for%20dns%20forwarding).%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-794445%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-794445%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F355862%22%20target%3D%22_blank%22%3E%40gd-29%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20that%20the%20public%20DNS%20server%20is%20communicating%20to%20the%20domain%20controller%20for%20some%20reason%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20described%20in%20the%20articles%20I%20previously%20linked%20to%2C%20the%20Sensor%20will%20attempt%20to%20communicate%20on%20these%20ports%20after%20it%20sees%20traffic%20from%20an%20IP%20address%20in%20the%20traffic%20of%20the%20domain%20controller.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-800213%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-800213%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45656%22%20target%3D%22_blank%22%3E%40Gerson%20Levitz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Esupport%20provided%20this%20doc%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fatp-nnr-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fatp-nnr-policy%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebut%20i%20still%20think%20this%20is%20a%20noisy%20behavior.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EIs%20it%20possible%20that%20the%20public%20DNS%20server%20is%20communicating%20to%20the%20domain%20controller%20for%20some%20reason%3F%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E--%20the%20public%20DNS%20server%20is%20replying%20for%20the%20forwarded%26nbsp%3B%20public%20DNS%20lookup.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3Ebeing%20that%20the%20agent%20is%20sized%20based%20on%20packets%2Fsec%2C%20i%20would%20assume%20any%20noisy%20traffic%20wouldn't%20help.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-811437%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-811437%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45656%22%20target%3D%22_blank%22%3E%40Gerson%20Levitz%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20NNR%20done%20on%20the%20packet%20source%3F%20Or%20some%20value%20within%20the%20kerberos%20or%20NTLM%20or%20other%20auth%20mechanism%3F%20Or%20is%20there%20a%20combination%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20had%20an%20issue%20where%20AATP%20resolved%20a%20system%20at%20a%20users%20home%20to%20an%20errant%20static%20IP%20that%20was%20set%20within%20the%20environment.%20Here%20is%20what%20we%20saw%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EComputer1%20at%20user's%20home%20has%20nic%20with%20IP%201.1.1.1.%3C%2FLI%3E%3CLI%3EUser%20connects%20to%20VPN.%20Computer1%20at%20user's%20home%20has%20VPN%20connection%20with%20IP%202.2.2.2.%3C%2FLI%3E%3CLI%3EThere%20exists%20a%20reverse%20lookup%20for%201.1.1.1%20in%20the%20internal%20Active%20Directory%20DNS%20environment%20that%20points%20to%20Computer2%2C%20that%20still%20exists%20in%20Active%20Directory%2C%20though%20is%20not%20in%20use.%3C%2FLI%3E%3CLI%3EUser%20access%20a%20cifs%20resource%20through%20VPN%20tunnel%20on%20Computer1.%3C%2FLI%3E%3CLI%3EAzure%20ATP%20resolves%20the%20source%20for%20the%20accessing%20of%20the%20cifs%20resource%20to%20Computer2%20using%20a%20DNS%20lookup%20on%201.1.1.1.%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWorth%20noting%20that%20Computer1%20was%20OSX%20and%20I'm%20still%20not%20fully%20sure%20on%20the%20application(s)%20running%20that%20integrate%20with%20AD%20or%20if%20it%20had%20been%20%22joined%22%20to%20active%20directory.%20Also%2C%202.2.2.2%20did%20not%20resolve%2C%20though%20I%20did%20not%20check%20to%20see%20if%20there%20was%20a%20lookup%20for%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EJust%20trying%20to%20see%20if%20implementation%20of%20authentication%20mechanisms%20can%20affect%20name%20resolution%20or%20if%20it's%20all%20coming%20from%20lower%20level%20networking%20information.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-811899%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-811899%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F344092%22%20target%3D%22_blank%22%3E%40archedmeerkat%3C%2FA%3E%26nbsp%3B%2C%20For%20this%20reason%20(among%20others)%20DNS%20based%20resolution%20is%20only%20a%20fallback%2C%20and%20even%20than%20it's%20considered%20in%20the%20system%20as%20%22low%20certainty%22.%3C%2FP%3E%0A%3CP%3EWe%20probably%20tried%20using%20netbios%20%2C%20NtlmRPC%20%26amp%3B%20TLS%2C%20and%20failed%20for%20all%203%2C%20then%20falled%20back%20to%20DNS%20as%20last%20resort.%3C%2FP%3E%0A%3CP%3EThe%20detections%20are%20considering%20this%2C%20so%20in%20some%20cases%2C%20since%20this%20is%20low%20certainty%2C%20it%20might%20affect%20the%20result%20of%20we%20decide%20to%20alert%20or%20not.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-815158%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-815158%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E-%20So%20network%20name%20resolution%20is%20done%20on%20information%20in%20the%20packet%2C%20rather%20than%20what%20the%20source%20was%20on%20the%20network%3F%20Or%20is%20it%20a%20combination%20of%20both%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKnowing%20that%20the%20IP%20or%20name%20might%20be%20from%20the%20packet%20can%20at%20least%20assist%20in%20investigations%20so%20you%20don't%20go%20down%20the%20wrong%20rabbit%20hole.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-815275%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-815275%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F344092%22%20target%3D%22_blank%22%3E%40archedmeerkat%3C%2FA%3E%26nbsp%3BNo%20sure%20what%20you%20mean%20by%20%22source%20on%20the%20network%22.%3C%2FP%3E%0A%3CP%3EWe%20inspect%20the%20packets%20and%20look%20on%20the%20source%20IP%20of%20the%20packet.%3CBR%20%2F%3EIf%20the%20name%20appears%20in%20the%20packet%20as%20well%20we%20sometime%20use%20it%20too%20(we%20call%20it%20a%20%22hint%22)%20and%20also%20rely%20on%20it%20to%20a%20degree%20as%20it%20can't%20always%20be%20trusted.%3C%2FP%3E%0A%3CP%3EAnyway%2C%20knowing%20the%20IP%20alone%20we%20can't%20tell%20for%20sure%20if%20it's%20public%20or%20private%20or%20vpn%20etc...%20so%20we%20check%20anyway.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-815439%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ATP%20Sensor%20tries%20to%20connect%20to%20public%20IPs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-815439%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F106935%22%20target%3D%22_blank%22%3E%40Eli%20Ofek%3C%2FA%3E-%20Thanks%2C%20this%20answers%20my%20questions%20(specifically%20the%20%22hint%22).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESorry%20I%20wasn't%20clear%20by%20%22source%20on%20the%20network%22%2C%20was%20just%20trying%20to%20specify%20between%20the%20source%20ip%20and%20any%20ip%2Fname%20that%20would%20be%20inside%20the%20packet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Contributor

After installing Azure ATP Sensor on a domain controller for testing, I see a number of failed connection attempt to external IPs (specifically our public DNS IPs) on ports 3389, 135, 137 from that domain controller.

 

Ticket# 119080724001601

 

 

11 Replies

@gd-29 

 

This is expected communication and is part of the NNR process AATP uses to resolve the IP address in the network traffic to a computer name. 

 

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-prerequisites#ports

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-nnr-policy

 

Best

Gershon

@Gerson Levitz this makes sense for private IPs, i don't see why it would try to connect public IPs. that also generates a lot of noise on our firewalls / SIEM. it would be ideal to be able to select the IP ranges that i would want the agent to interrogate for this additional info. 

 

@gd-29 

 

Do you have a domain controller with the sensor installed that have public IP addresses? 

@Gerson Levitz no. But after the agent installation i see these connection attempts to our public dns provider (configured on our domain controller dns for dns forwarding). 

@gd-29 

 

Is it possible that the public DNS server is communicating to the domain controller for some reason? 

 

As described in the articles I previously linked to, the Sensor will attempt to communicate on these ports after it sees traffic from an IP address in the traffic of the domain controller. 

@Gerson Levitz 

 

support provided this doc: 

https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-nnr-policy

 

but i still think this is a noisy behavior. 

 

Is it possible that the public DNS server is communicating to the domain controller for some reason? 

-- the public DNS server is replying for the forwarded  public DNS lookup.

 

being that the agent is sized based on packets/sec, i would assume any noisy traffic wouldn't help.

 

@Gerson Levitz 

Is NNR done on the packet source? Or some value within the kerberos or NTLM or other auth mechanism? Or is there a combination?

 

We had an issue where AATP resolved a system at a users home to an errant static IP that was set within the environment. Here is what we saw:

 

  • Computer1 at user's home has nic with IP 1.1.1.1.
  • User connects to VPN. Computer1 at user's home has VPN connection with IP 2.2.2.2.
  • There exists a reverse lookup for 1.1.1.1 in the internal Active Directory DNS environment that points to Computer2, that still exists in Active Directory, though is not in use.
  • User access a cifs resource through VPN tunnel on Computer1.
  • Azure ATP resolves the source for the accessing of the cifs resource to Computer2 using a DNS lookup on 1.1.1.1.

Worth noting that Computer1 was OSX and I'm still not fully sure on the application(s) running that integrate with AD or if it had been "joined" to active directory. Also, 2.2.2.2 did not resolve, though I did not check to see if there was a lookup for it.

 

Just trying to see if implementation of authentication mechanisms can affect name resolution or if it's all coming from lower level networking information.

@archedmeerkat , For this reason (among others) DNS based resolution is only a fallback, and even than it's considered in the system as "low certainty".

We probably tried using netbios , NtlmRPC & TLS, and failed for all 3, then falled back to DNS as last resort.

The detections are considering this, so in some cases, since this is low certainty, it might affect the result of we decide to alert or not. 

@Eli Ofek- So network name resolution is done on information in the packet, rather than what the source was on the network? Or is it a combination of both?

 

Knowing that the IP or name might be from the packet can at least assist in investigations so you don't go down the wrong rabbit hole.

@archedmeerkat No sure what you mean by "source on the network".

We inspect the packets and look on the source IP of the packet.
If the name appears in the packet as well we sometime use it too (we call it a "hint") and also rely on it to a degree as it can't always be trusted.

Anyway, knowing the IP alone we can't tell for sure if it's public or private or vpn etc... so we check anyway.

@Eli Ofek- Thanks, this answers my questions (specifically the "hint").

 

Sorry I wasn't clear by "source on the network", was just trying to specify between the source ip and any ip/name that would be inside the packet.