Forum Discussion

Armpenu's avatar
Armpenu
Copper Contributor
Sep 13, 2022
Solved

GMSA account accessing server apps

We have deployed Microsoft Defender for Identity on our tenant,  and we have questions about why the GMSA is connecting to different app servers and IPs.

We would like to understand why this is happening. SAMR is not implemented yet.

 

Please let me know if more information is needed.

logging
microsoft 365 defender
Sensor
  • Martin_Schvartzman's avatar
    Martin_Schvartzman
    Sep 15, 2022

    Armpenu 

    The SAM-R calls are made towards the remote devices to get information on the local groups and memberships for calculating the potential lateral movement paths. Not to detect any actual lateral moment activity.

    It is auto enabled, but you need to configure the GPO for the identity making those calls to have the required permissions to get the information needed.

     

    I hope this clarifies the issue and answers your question.

  • Armpenu's avatar
    Armpenu
    Copper Contributor
    Sep 13, 2022

    Armpenu 

    This is an example list of the connection we have seen.

    DateApp Server NameUserConnection IPCount
    8/3/2022***323SVC-MDI-GMSA10.38.0.15112
    8/4/2022***323SVC-MDI-GMSA10.38.0.1518
    8/5/2022***322SVC-MDI-GMSA10.231.128.248
    8/7/2022***323SVC-MDI-GMSA10.38.0.1516
    8/8/2022***323SVC-MDI-GMSA10.38.0.1516
    8/10/2022***322SVC-MDI-GMSA10.245.32.198
    8/11/2022***324SVC-MDI-GMSA10.212.192.814
    8/11/2022***325SVC-MDI-GMSA10.212.192.8112
    8/11/2022***326SVC-MDI-GMSA10.212.192.818
    8/12/2022***324SVC-MDI-GMSA10.212.192.8132
    8/12/2022***325SVC-MDI-GMSA10.212.192.8152
    8/12/2022***326SVC-MDI-GMSA10.212.192.8168
    8/13/2022***322SVC-MDI-GMSA10.207.224.58
    8/13/2022***324SVC-MDI-GMSA10.212.192.8128
    8/13/2022***325SVC-MDI-GMSA10.212.192.8148
    8/13/2022***326SVC-MDI-GMSA10.212.192.8172
    8/14/2022***300SVC-MDI-GMSA10.212.192.814
    8/14/2022***322SVC-MDI-GMSA10.231.128.248
    8/14/2022***324SVC-MDI-GMSA10.212.192.8136
    • Martin_Schvartzman's avatar
      Martin_Schvartzman
      Icon for Microsoft rankMicrosoft
      Sep 14, 2022

      Armpenu 

      SAM-R is (auto) enabled in MDI whether you set up the GPO and permissions or not.

      MDI sensors initiate SAM-R calls to an endpoint in response to a network activity reaching the DC from that endpoint. It doesn't query the device all the time for all activities, it will skip the call if it was queried before, and the answer is still in the cache (valid for 1 hr.).

       

      • Armpenu's avatar
        Armpenu
        Copper Contributor
        Sep 14, 2022

        Martin_Schvartzman 

        I appreciate the answer, I have additional questions.

        Why is it necessary to setup the GPO if that is the case?
        What differences will be noticed once the SAM-R GPO is put into place?

         

        Please let me know if where our understanding is correct or not:
        What you mean is SAM-R is auto enabled in MDI, meaning sensors will start scanning the endpoints for the lateral moment, however you would have to update the SAM-R group policy in individual endpoints for capturing the actual lateral moment activities.


        In a few words, SAM-R is auto enabled, however for capturing the details successfully we need to make SAM-R GPO changes for individual endpoints.

Resources