Secure Access Cloud

TDAD generates incidents due to RDP connection attempts through the RDP App in Symantec ZTNA

  • 1.  TDAD generates incidents due to RDP connection attempts through the RDP App in Symantec ZTNA

    Posted Mar 04, 2026 09:18 PM

    Good evening, everyone.

    A couple of weeks ago, I configured a TDAD policy in which I enabled all the options under Policy Options. Under Enforcement mode, they are all set to log, and I have no exceptions. Everything was working fine, and I could even access the servers via RDP through a ZTNA segment application.

    A couple of days ago, I configured two RDP applications (native and browser mode) for a user who has no administrative privileges except on one server. When I tried to use these policies, I started receiving multiple TDAD incidents with medium priority with the description DCSync Post-Compromise attack observed on A02ETACETUH.

    To elaborate further, I will share two events that are created dozens of times:

    DESCRIPTION: NT SERVICE\ADSync attempted abusing domain replication protocol from miiserver.exe. DCSync Attack targeting 1 host(s) was Detected.

    MESSAGE: Observed an attempt by an unauthorized actor to perform AD Sync Replication. This could indicate DC Sync technique usage to potentially request high privileged domain credentials from your Domain Controllers.

    EVENT TYPE ID: 8040-Host Network Detection
    CATEGORY: 1-Security
    TIME: Mar 4, 2026, 8:30:39 PM
    FEATURE NAME: TDAD_PROTECT
    USER: aanamgoluh
    DISPOSITION: 14-Host Network Detection - Detected
    DEVICE NAME: A02ETACETUH
    DEVICE IP: 192.168.10.14
    DEVICE GROUP: Default/SRV/Virtuales/01.GENERAL
    POLICY NAME: TDAD_GLOBAL

    Details

     Device

    Device Name

    A02ETACETUH

    Device Domain

    agoludshysla.loc

    Device Group

    Default/SRV/Virtuales/01.GENERAL

    Device IP

    192.168.10.14

    Device Public IP

    196.29.79.171

    Device OS Name

    Windows Server 2019 Standard Edition

    Device OS Type

    100-Windows

    Device Location On Premises

    No

    Device Location Desc

    Default

     Actor Process

    Actor File Name

    miiserver.exe

    Actor File Path

    c:\program files\microsoft azure ad sync\bin\miiserver.exe

    Actor File SHA2

    E78C4C4EBB125CE38D04F91F2930F44FAA0A68332EC5F06616AFF579675BD538

    Actor File SHA1

    AB8181AC2483C8EA74F4A077D3029D300953DBC5

    Actor File MD5

    B859DC4599965C15E275FDB52D050B25

    Actor File Created

    Aug 15, 2025, 1:50:44 AM

    Actor Command Line

    "C:\Program Files\Microsoft Azure AD Sync\Bin\miiserver.exe"

    Actor Process Id

    4060

    Actor Uid

    7C970DE9-17EE-F1F1-84A9-E095FC29096A

    Actor Process Session Id

    0

    Actor File Company Name

    Microsoft Corporation

    Actor File Signature Value Ids

    1-Signed,2-Code signed,3-Class 3 signed,5-Microsoft signed,16-Trustworthy,17-Well known trusted root certificate,18-Heuristically trustworthy,20-Signature uses SHA-256

    Actor Session Id

    0

    Actor Session Remote

    No

    Actor Session Auth Protocol Id

    2-Kerberos

    Actor Session Logon Type Id

    4-Network

    Actor Session User Name

    ADSync

    Actor Session User Domain

    NT SERVICE

    Actor Session User Logon Name

    NT SERVICE\ADSync

    Actor Session User Is Admin

    No

     Parent Process Info

    Parent Process Name

    services.exe

    Parent File Path

    c:\windows\system32\services.exe

    Parent Process SHA2

    243E370C279B3B8062E5DD81D8DF539705397CC68472168251ED54134B13D70B

    Parent File Sha1

    582A7CBF0BF13889080900CD7BEA368BF77F8FAF

    Parent File Md5

    0D464C4BF9D85412D6EF15EEA3A91E72

    Parent File Created

    Apr 13, 2023, 7:36:18 PM

    Parent File Folder

    c:\windows\system32\

    Parent Cmd Line

    C:\WINDOWS\system32\services.exe

    Parent Pid

    764

    Parent Uid

    7C970CBC-17EE-F1F1-84A9-60ABC5EF1DD4

    Parent Process Session Id

    0

    Parent File Signature Company Name

    Microsoft Corporation

     User Information

    User Name

    aanamgoluh

     Operation Attempted

    Reason Id

    2-Threat Detection

     Device Networks

    Device Network IPv4: 192.168.10.14
    Device Network IPv6: fe80::1ac1:7587:ffb4:fb0a
    Device Network Mac: 00:50:56:A8:7D:DD

     MITRE ATT&CK

    ATT&CK Technique Uid: T1003.006
    ATT&CK Technique Name: OS Credential Dumping: DCSync
    ATT&CK Tactic Uids: TA0006

     Event Information

    Event Type Id

    8040-Host Network Detection

    Event Type

    NETWORK_DETECTION

    Disposition

    14-Host Network Detection - Detected

    Category

    1-Security

    Severity

    4-Major

    Time

    Mar 4, 2026, 8:30:39 PM

    End Time

    Mar 4, 2026, 8:30:39 PM

    Device Time

    Mar 4, 2026, 8:30:39 PM

    Device End Time

    Mar 4, 2026, 8:30:39 PM

    Count

    1

    User

    aanamgoluh

    Uuid

    8040:eb25caf0-1832-11f1-f935-00000e8b1b6c

     Policy

    Policy Name

    TDAD_GLOBAL

    Policy Version

    37

     Status

    Message

    Observed an attempt by an unauthorized actor to perform AD Sync Replication. This could indicate DC Sync technique usage to potentially request high privileged domain credentials from your Domain Controllers.

    Status Detail

    192.168.10.12

     Product

    Product Name

    Symantec Endpoint Security

    Product Version

    14.3.12167.10000

    Feature Name

    TDAD_PROTECT

    and this other one

    DESCRIPTION: AGOLUDSHYSLA\pGMSA_b464af09$ attempted abusing domain replication protocol from aadconnectprovisioningagent.exe. DCSync Attack targeting 1 host(s) was Detected.

    MESSAGE: Observed an attempt by an unauthorized actor to perform AD Sync Replication. This could indicate DC Sync technique usage to potentially request high privileged domain credentials from your Domain Controllers.

    EVENT TYPE ID: 8040-Host Network Detection
    CATEGORY: 1-Security
    TIME: Mar 4, 2026, 12:14:31 PM
    FEATURE NAME: TDAD_PROTECT
    USER: aanamgoluh
    DISPOSITION: 14-Host Network Detection - Detected
    DEVICE NAME: A02ETACETUH
    DEVICE IP: 192.168.0.14
    DEVICE GROUP: Default/SRV/Virtuales/01.GENERAL
    POLICY NAME: TDAD_GLOBAL

    Details

     Device

    Device Name

    A02ETACETUH

    Device Domain

    agoludshysla.loc

    Device Group

    Default/SRV/Virtuales/01.GENERAL

    Device IP

    192.168.10.14

    Device Public IP

    196.29.79.171

    Device OS Name

    Windows Server 2019 Standard Edition

    Device OS Type

    100-Windows

    Device Location On Premises

    No

    Device Location Desc

    Default

     Actor Process

    Actor File Name

    aadconnectprovisioningagent.exe

    Actor File Path

    c:\program files\microsoft azure ad connect provisioning agent\aadconnectprovisioningagent.exe

    Actor File SHA2

    4FF96B8290AEF709E3EF8A0CB0F164D562AEF9C5F17DEC25DA3D10F3CF0ECC25

    Actor File SHA1

    AC8E94A60BC080C2CE3110C62D9D5BF4F1047694

    Actor File MD5

    E6AD1DF6998382B359226CC27DBFC362

    Actor File Created

    Mar 14, 2024, 11:04:58 PM

    Actor Command Line

    "C:\Program Files\Microsoft Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe"

    Actor Process Id

    1628

    Actor Uid

    EA17F01E-1466-F1F1-84A8-E095FC29096A

    Actor Process Session Id

    0

    Actor File Company Name

    Microsoft Corporation

    Actor File Signature Value Ids

    1-Signed,2-Code signed,3-Class 3 signed,5-Microsoft signed,16-Trustworthy,17-Well known trusted root certificate,18-Heuristically trustworthy,20-Signature uses SHA-256

    Actor Session Id

    0

    Actor Session Remote

    No

    Actor Session Auth Protocol Id

    1-NTLM

    Actor Session Logon Type Id

    0-sym-ui-sedr.db-search-schema.enums.actor.session.logon_type_id.0

    Actor Session User Name

    pGMSA_b464af09$

    Actor Session User Domain

    AGOLUDSHYSLA

    Actor Session User Logon Name

    AGOLUDSHYSLA\pGMSA_b464af09$

    Actor Session User Is Admin

    No

     User Sessions

    Sessions Remote: Yes
    Sessions Auth Protocol Id: 2-Kerberos
    Sessions Logon Type Id: 1-Interactive
    Sessions User Name: aanamgoluh
    Sessions User Domain: AGOLUDSHYSLA
    Sessions User Logon Name: AGOLUDSHYSLA\aanamgoluh
    Sessions User Is Admin: Yes

     Parent Process Info

    Parent Process Name

    services.exe

    Parent File Path

    c:\windows\system32\services.exe

    Parent Process SHA2

    243E370C279B3B8062E5DD81D8DF539705397CC68472168251ED54134B13D70B

    Parent File Sha1

    582A7CBF0BF13889080900CD7BEA368BF77F8FAF

    Parent File Md5

    0D464C4BF9D85412D6EF15EEA3A91E72

    Parent File Created

    Apr 13, 2023, 7:36:18 PM

    Parent File Folder

    c:\windows\system32\

    Parent Cmd Line

    C:\WINDOWS\system32\services.exe

    Parent Pid

    768

    Parent Uid

    EA17EDD5-1466-F1F1-84A8-60ABC5EF1DD4

    Parent Process Session Id

    0

    Parent File Signature Company Name

    Microsoft Corporation

     User Information

    User Name

    aanamgoluh

     Operation Attempted

    Reason Id

    2-Threat Detection

     Device Networks

    Device Network IPv4: 192.168.10.14
    Device Network IPv6: fe80::1ac1:7587:ffb4:fb0a
    Device Network Mac: 00:50:56:A8:7D:DD

     MITRE ATT&CK

    ATT&CK Technique Uid: T1003.006
    ATT&CK Technique Name: OS Credential Dumping: DCSync
    ATT&CK Tactic Uids: TA0006

     Event Information

    Event Type Id

    8040-Host Network Detection

    Event Type

    NETWORK_DETECTION

    Disposition

    14-Host Network Detection - Detected

    Category

    1-Security

    Severity

    4-Major

    Time

    Mar 4, 2026, 12:14:31 PM

    End Time

    Mar 4, 2026, 12:14:33 PM

    Device Time

    Mar 4, 2026, 12:14:31 PM

    Device End Time

    Mar 4, 2026, 12:14:33 PM

    Count

    2

    User

    aanamgoluh

    Uuid

    8040:9bce1ba0-17ed-11f1-cc84-00000dd2089a

     Policy

    Policy Name

    TDAD_GLOBAL

    Policy Version

    37

     Status

    Message

    Observed an attempt by an unauthorized actor to perform AD Sync Replication. This could indicate DC Sync technique usage to potentially request high privileged domain credentials from your Domain Controllers.

    Status Detail

    192.168.10.12

     Product

    Product Name

    Symantec Endpoint Security

    Product Version

    14.3.12167.10000

    Feature Name

    TDAD_PROTECT

    The A02ETACETUH server is the one that synchronizes Active Directory with ENTRA, but it is not the one you want to reach via RDP. For now, the only thing that has worked for me to prevent incidents from occurring and for the RDP application to work is to remove the TDAD policy from the group to which the A02ETACETUH server belongs.

    Is that the correct way to solve it? In other words, should I not apply TDAD to the server that performs the synchronization functions with ENTRA (Azure), or should I make an exception in the TDAD policy since I don't have one?

    I would appreciate your help in clearing up my doubts, and if there is a best practice for TDAD, I would welcome it with open arms.

    Regards,



    -------------------------------------------
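Some context on why the detections above look the way they do, and an added example that is not part of the post, of the forum, or of Symantec's TDAD product. Azure AD Connect's password hash synchronization reads password hashes from domain controllers through the directory replication service interface (MS-DRSR), which is exactly the interface DCSync abuses, so a DCSync rule firing on the sync server's own service account (NT SERVICE\ADSync running miiserver.exe from the product's install path) is the expected false positive for that host. The durable fix is a narrow exception scoped to host, identity and binary, not removing the policy from the server, which would also silence a real DCSync from that box. The script below shows what such a narrow baseline looks like as triage logic: it takes event records constructed from the field names shown in the post and only downgrades a DCSync (T1003.006) event when the host, the logon name, the binary path, the Microsoft-signed flag and, optionally, a pinned SHA-256 all match. The `BASELINE` tuple, `triage()`, `summarize()` and the verdict strings are hypothetical names chosen here; TDAD's own exception mechanism is not modelled. Note that the second event in the post (the gMSA running aadconnectprovisioningagent.exe) stays an alert in this example until an administrator deliberately adds that identity and binary as a second baseline entry.

```python
"""Triage DCSync (ATT&CK T1003.006) detections against a baseline of sanctioned
directory-sync engines. Added example; event dicts are constructed from the
field names in the forum post, and BASELINE/triage()/summarize() are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

DCSYNC_TECHNIQUE = "T1003.006"
MICROSOFT_SIGNED_ID = "5"  # the "5-Microsoft signed" flag in Actor File Signature Value Ids


@dataclass(frozen=True)
class SyncBaseline:
    """One sanctioned sync engine: the host, the identity it runs as, and its binary."""
    device_name: str
    actor_logon_name: str
    actor_file_path: str
    expected_sha256: Optional[str] = None  # pin to the installed build, or None for signer check only


# Constructed from the first event in the post: Azure AD Connect on A02ETACETUH.
BASELINE = (
    SyncBaseline(
        device_name="A02ETACETUH",
        actor_logon_name=r"NT SERVICE\ADSync",
        actor_file_path=r"c:\program files\microsoft azure ad sync\bin\miiserver.exe",
        expected_sha256="E78C4C4EBB125CE38D04F91F2930F44FAA0A68332EC5F06616AFF579675BD538",
    ),
)


def signature_ids(raw: str) -> set[str]:
    """'1-Signed,2-Code signed,5-Microsoft signed' -> {'1', '2', '5'}."""
    return {part.split("-", 1)[0].strip() for part in raw.split(",") if part.strip()}


def triage(event: dict) -> tuple[str, str]:
    """Return (verdict, reason). Verdicts: 'pass' (not DCSync), 'expected_sync', 'alert'.

    Every baseline field must match. A host match alone is never enough, so an
    unsigned, relocated or unexpected binary on the sync server still alerts.
    """
    if event.get("attack_technique_uid") != DCSYNC_TECHNIQUE:
        return "pass", "not a DCSync detection"

    host = event.get("device_name", "").upper()
    logon = event.get("actor_session_user_logon_name", "").lower()
    path = event.get("actor_file_path", "").lower()
    sha256 = event.get("actor_file_sha2", "").upper()
    sig_ids = signature_ids(event.get("actor_file_signature_value_ids", ""))

    host_entries = [b for b in BASELINE if b.device_name.upper() == host]
    if not host_entries:
        return "alert", f"DCSync from {host or '<unknown host>'}, which is not a sanctioned sync host"

    for b in host_entries:
        if logon != b.actor_logon_name.lower() or path != b.actor_file_path.lower():
            continue
        if MICROSOFT_SIGNED_ID not in sig_ids:
            return "alert", f"{path} on {host} is not Microsoft-signed"
        if b.expected_sha256 and sha256 != b.expected_sha256.upper():
            return "alert", f"{path} on {host} differs from the pinned build"
        return "expected_sync", f"{b.actor_logon_name} via {b.actor_file_path} on {host}"

    return "alert", f"DCSync on sync host {host} from {logon or '<no logon>'} / {path or '<no path>'}, outside the baseline"


def summarize(events: list[dict]) -> dict[str, int]:
    """Count verdicts across a batch of events."""
    counts: dict[str, int] = {}
    for ev in events:
        verdict, _ = triage(ev)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample events; values are taken from the post, nothing live.
EVENT_ADSYNC = {
    "device_name": "A02ETACETUH",
    "attack_technique_uid": "T1003.006",
    "actor_session_user_logon_name": r"NT SERVICE\ADSync",
    "actor_file_path": r"c:\program files\microsoft azure ad sync\bin\miiserver.exe",
    "actor_file_sha2": "E78C4C4EBB125CE38D04F91F2930F44FAA0A68332EC5F06616AFF579675BD538",
    "actor_file_signature_value_ids": "1-Signed,2-Code signed,3-Class 3 signed,5-Microsoft signed",
}
EVENT_PROVISIONING_AGENT = {
    "device_name": "A02ETACETUH",
    "attack_technique_uid": "T1003.006",
    "actor_session_user_logon_name": r"AGOLUDSHYSLA\pGMSA_b464af09$",
    "actor_file_path": r"c:\program files\microsoft azure ad connect provisioning agent\aadconnectprovisioningagent.exe",
    "actor_file_sha2": "4FF96B8290AEF709E3EF8A0CB0F164D562AEF9C5F17DEC25DA3D10F3CF0ECC25",
    "actor_file_signature_value_ids": "1-Signed,2-Code signed,5-Microsoft signed",
}
# Hypothetical: same host and service identity, but the binary sits outside the install path and is unsigned.
EVENT_RELOCATED_BINARY = {**EVENT_ADSYNC, "actor_file_path": r"c:\users\public\miiserver.exe",
                          "actor_file_signature_value_ids": ""}

if __name__ == "__main__":
    batch = [EVENT_ADSYNC, EVENT_PROVISIONING_AGENT, EVENT_RELOCATED_BINARY]
    for ev in batch:
        print(triage(ev))
    print(summarize(batch))
```

Run as-is it prints one `expected_sync` verdict (the ADSync event) and two `alert` verdicts. The design point is that the exception is a conjunction of identity, path, signer and host rather than a host-wide exclusion: an `expected_sync` verdict should still be logged, so that volume or timing anomalies on the sync account remain visible, while anything else performing replication from that server, or the sync binary from any other host, keeps its full severity.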