
Traffic to external IP’s over port 3389 (RDP) after installing ATP sensor


Hello,

We have installed the ATP sensor on our on-premises DCs.
However, after installation we see traffic to external IPs over port 3389 (RDP), which is being blocked at the Zscaler level. I just wanted to know whether a specific application or task is making the connections to the external IPs, and whether this is expected behavior. If yes, could you please explain the process a bit?

Hi Eli,

Thanks for your reply.
I just wanted to clarify one point: should the MDI sensor be trying RDP against external IPs for the purposes of NNR? I am asking because there are quite a few RDP deny alerts for external IPs.

NNR is reactive. If your DC got a connection from an external IP, then yes, we will try to NNR it as well; we currently do not filter "external IPs".
I would carefully check why an external IP can contact your DC directly, and whether this is intentional.
Hi. Old question, but still relevant.

We had the same issue and investigated. The external IPs did not start the connections with the DCs.
Reviewing the IP list, they were external DNS servers, so our DC queried them (started the connections) about records. This was the only explanation we got.

Can we assume the ATP uses NNR on all IPs the DC interacts with, even when the domain controller starts the connection itself?

@piovisqui Which type of connection did the DC start?
Was it bi-directional? If yes, then we will monitor the reply, as it's a connection into the DC.

The DC started a DNS query. It ended in an aged-out state, and we had both sent and received bytes. Does that satisfy the bi-directional requirement you mention?

@piovisqui On which port did you get the traffic from outside? Was it a standard DNS port?

@piovisqui So the DC initiated a DNS query to an external address on UDP port 53?
Do you happen to know what the query was (if you managed to capture the data)?

Do you know for sure that the request came from the sensor process?

In general, this can happen only if the DC previously got some sort of connection from this address.
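The thread offers two explanations for the blocked outbound RDP from a DC: Eli's (NNR is reactive, triggered by an inbound connection from the external IP) and piovisqui's (the DC itself had just queried that IP as an external DNS server). The script below is an added example, not code from the thread, from Microsoft or from the MDI product, showing how a practitioner could sort blocked probes in a firewall log into those two buckets plus an unexplained remainder that deserves a closer look. The CSV log layout, the sample lines, the DC address 10.0.0.5 and the "anything outside RFC 1918 is external" rule are assumptions made for the example; the probe ports (TCP 135, UDP 137, TCP 3389) are the direct-to-host NNR methods Microsoft documents for the MDI sensor.

```python
"""Triage of outbound NNR-style probes from a domain controller.

Constructed example: the log format, sample lines and addresses are made up
for illustration and are not Zscaler's log schema or MDI's own code.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Ports on which the MDI sensor probes a host directly for NNR, per Microsoft's
# MDI documentation: NTLM over RPC (TCP 135), NetBIOS (UDP 137), RDP (TCP 3389,
# first packet of the client hello only). Reverse DNS (UDP 53) goes to the DC's
# DNS server, not to the probed host, so it is deliberately not listed here.
NNR_PORTS = {("tcp", 135), ("udp", 137), ("tcp", 3389)}

# Assumption: anything outside RFC 1918 space is "external". Replace with your
# own internal ranges if you use public addressing internally.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    action: str


def parse_log(lines):
    """Parse 'ts,src,sport,dst,dport,proto,action' lines into Events, oldest first."""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, action = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), src, int(sport),
                            dst, int(dport), proto.lower(), action.lower()))
    return sorted(events, key=lambda e: e.ts)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_nnr_probes(events, dc_ips):
    """Connections a DC opened to an external IP on an NNR probe port."""
    return [e for e in events
            if e.src in dc_ips and is_external(e.dst)
            and (e.proto, e.dport) in NNR_PORTS]


def explain_probe(probe, events, dc_ips, window=timedelta(minutes=10)):
    """Why might the sensor have tried to resolve probe.dst?

    'inbound'      - probe.dst connected to a DC shortly before (Eli's case)
    'dc-initiated' - a DC opened a non-NNR connection to probe.dst shortly
                     before, e.g. a DNS query (piovisqui's case)
    'unexplained'  - no prior contact inside the window; worth a closer look
    """
    earlier = [e for e in events if probe.ts - window <= e.ts < probe.ts]
    if any(e.src == probe.dst and e.dst in dc_ips for e in earlier):
        return "inbound"
    if any(e.src in dc_ips and e.dst == probe.dst
           and (e.proto, e.dport) not in NNR_PORTS for e in earlier):
        return "dc-initiated"
    return "unexplained"


def triage(lines, dc_ips, window=timedelta(minutes=10)):
    """Return (probe, reason) pairs for every external NNR probe in the log."""
    events = parse_log(lines)
    dc_ips = set(dc_ips)
    return [(p, explain_probe(p, events, dc_ips, window))
            for p in find_nnr_probes(events, dc_ips)]


# Constructed sample log: DC 10.0.0.5, three external peers in TEST-NET ranges.
SAMPLE_LOG = [
    "# ts,src,sport,dst,dport,proto,action",
    "2024-01-10T09:00:00,203.0.113.7,51000,10.0.0.5,445,tcp,allow",    # inbound SMB to the DC
    "2024-01-10T09:00:04,10.0.0.5,49300,203.0.113.7,3389,tcp,block",   # DC probes it back
    "2024-01-10T09:05:00,10.0.0.5,55000,198.51.100.2,53,udp,allow",    # DC queries external DNS
    "2024-01-10T09:05:03,10.0.0.5,49301,198.51.100.2,3389,tcp,block",  # DC probes the DNS server
    "2024-01-10T09:30:00,10.0.0.5,49302,192.0.2.9,135,tcp,block",      # no prior contact at all
    "2024-01-10T09:31:00,10.0.0.5,49303,10.0.0.20,3389,tcp,allow",     # internal target, ignored
]

if __name__ == "__main__":
    for probe, reason in triage(SAMPLE_LOG, {"10.0.0.5"}):
        print(f"{probe.ts:%H:%M:%S} {probe.src} -> {probe.dst}:{probe.dport}/{probe.proto} "
              f"{probe.action:5} {reason}")
```

The "unexplained" bucket is the one to chase: either the trigger fell outside the correlation window, or the DC had contact with that address on a path the firewall log does not see. It is also worth confirming that the blocked 3389 flows are single-packet client hellos; Microsoft documents the sensor's RDP probe as only the first client-hello packet, so a multi-packet RDP session from a DC to a public IP is not NNR and needs a different explanation.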