RDP attempts with Authentication


We're currently receiving failed RDP logon attempts on our domain controllers from a trusted domain running Azure ATP, our colleagues managing the other domain have suggested this is expected behaviour of Azure ATP.

I've read the documentation and I'm aware that RDP is used by NNR, though the policy documentation states "No authentication is performed on any of the ports." But we're seeing active attempts to log in using the Administrator account.

Is this expected behaviour? Should we be seeing failed logon attempts?

2 Replies

@drrnmac, No, this is not expected.

The NNR using RDP is not doing any authentication; it sends a fixed payload to the RDP port which causes the machine to report back metadata about itself.

At this point the session is ended from AATP's side before reaching the authentication phase.

Also, for NNR no account is used at all, certainly not an administrator account.

Even for AD access or lateral movement, we use (if configured correctly) a low-privileged, read-only account.

If you get RDP auths using Administrator, I suggest investigating, as I don't believe those are initiated from AATP.
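As an added illustration of the point above (example code, not from the original thread or from the AATP product), the following Python triages a few constructed Windows Security 4625 (failed logon) records: an NNR probe sends no credentials, so it should never show up as a failed RemoteInteractive (logon type 10) logon, and any such event from a sensor host, especially against the Administrator account, is worth a human look. The sensor IP, the flattened field layout and the event lines are assumed sample values.

```python
import re
from collections import Counter

# Constructed sample records modelled on Windows Security event 4625/4624,
# flattened to "Field=Value" pairs on one line each. Not real log data.
SAMPLE_EVENTS = [
    "EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=10.1.2.3 Status=0xC000006D",
    "EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=10.1.2.3 Status=0xC000006D",
    "EventID=4625 LogonType=3 TargetUserName=svc-backup IpAddress=10.1.2.3 Status=0xC000006A",
    "EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.9.9.9 Status=0xC000006D",
    "EventID=4624 LogonType=3 TargetUserName=aatp-svc IpAddress=10.1.2.3 Status=0x0",
]

# Assumed address of the host running the AATP sensor (placeholder value).
SENSOR_IPS = {"10.1.2.3"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))


def rdp_failed_logons(lines, sensor_ips):
    """Return failed RDP logons (4625, logon type 10 = RemoteInteractive) whose
    source is a sensor host. An NNR probe never reaches the authentication
    phase, so a genuine probe produces no 4625 at all; anything returned here
    was not NNR and needs investigation."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4625" or ev.get("LogonType") != "10":
            continue
        if ev.get("IpAddress") in sensor_ips:
            hits.append(ev)
    return hits


def summarize(hits):
    """Count attempts per (source IP, target account) so a sensitive target
    such as the built-in Administrator account stands out."""
    return Counter((h["IpAddress"], h["TargetUserName"]) for h in hits)


if __name__ == "__main__":
    for (ip, user), n in summarize(rdp_failed_logons(SAMPLE_EVENTS, SENSOR_IPS)).items():
        print(f"{ip} -> {user}: {n} failed RDP logon(s); not NNR, investigate")
```

On a real DC the same filter can be fed from the Security log (event 4625, LogonType 10) rather than the constructed lines.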


@Eli Ofek Thanks for confirming and for the quick reply, Eli; that's what I expected. Investigations are currently underway.