Forum Discussion

Armpenu's avatar
Armpenu
Copper Contributor
Sep 13, 2022
Solved

GMSA account accessing server apps

We have deployed Microsoft Defender for Identity on our tenant,  and we have questions about why the GMSA is connecting to different app servers and IPs. We would like to understand why this is happ...
logging
microsoft 365 defender
Sensor
  • Martin_Schvartzman's avatar
    Martin_Schvartzman
    Sep 15, 2022

    Armpenu 

    The SAM-R calls are made towards the remote devices to get information on the local groups and memberships for calculating the potential lateral movement paths. Not to detect any actual lateral moment activity.

    It is auto enabled, but you need to configure the GPO for the identity making those calls to have the required permissions to get the information needed.

     

    I hope this clarifies the issue and answers your question.

Armpenu's avatar
Armpenu
Copper Contributor
Sep 13, 2022

Armpenu 

This is an example list of the connection we have seen.

DateApp Server NameUserConnection IPCount
8/3/2022***323SVC-MDI-GMSA10.38.0.15112
8/4/2022***323SVC-MDI-GMSA10.38.0.1518
8/5/2022***322SVC-MDI-GMSA10.231.128.248
8/7/2022***323SVC-MDI-GMSA10.38.0.1516
8/8/2022***323SVC-MDI-GMSA10.38.0.1516
8/10/2022***322SVC-MDI-GMSA10.245.32.198
8/11/2022***324SVC-MDI-GMSA10.212.192.814
8/11/2022***325SVC-MDI-GMSA10.212.192.8112
8/11/2022***326SVC-MDI-GMSA10.212.192.818
8/12/2022***324SVC-MDI-GMSA10.212.192.8132
8/12/2022***325SVC-MDI-GMSA10.212.192.8152
8/12/2022***326SVC-MDI-GMSA10.212.192.8168
8/13/2022***322SVC-MDI-GMSA10.207.224.58
8/13/2022***324SVC-MDI-GMSA10.212.192.8128
8/13/2022***325SVC-MDI-GMSA10.212.192.8148
8/13/2022***326SVC-MDI-GMSA10.212.192.8172
8/14/2022***300SVC-MDI-GMSA10.212.192.814
8/14/2022***322SVC-MDI-GMSA10.231.128.248
8/14/2022***324SVC-MDI-GMSA10.212.192.8136
Martin_Schvartzman's avatar
Martin_Schvartzman
Icon for Microsoft rankMicrosoft
Sep 14, 2022

Armpenu 

SAM-R is (auto) enabled in MDI whether you set up the GPO and permissions or not.

MDI sensors initiate SAM-R calls to an endpoint in response to a network activity reaching the DC from that endpoint. It doesn't query the device all the time for all activities, it will skip the call if it was queried before, and the answer is still in the cache (valid for 1 hr.).

 

  • Armpenu's avatar
    Armpenu
    Copper Contributor
    Sep 14, 2022

    Martin_Schvartzman 

    I appreciate the answer, I have additional questions.

    Why is it necessary to setup the GPO if that is the case?
    What differences will be noticed once the SAM-R GPO is put into place?

     

    Please let me know if where our understanding is correct or not:
    What you mean is SAM-R is auto enabled in MDI, meaning sensors will start scanning the endpoints for the lateral moment, however you would have to update the SAM-R group policy in individual endpoints for capturing the actual lateral moment activities.


    In a few words, SAM-R is auto enabled, however for capturing the details successfully we need to make SAM-R GPO changes for individual endpoints.

    • Martin_Schvartzman's avatar
      Martin_Schvartzman
      Icon for Microsoft rankMicrosoft
      Sep 15, 2022

      Armpenu 

      The SAM-R calls are made towards the remote devices to get information on the local groups and memberships for calculating the potential lateral movement paths. Not to detect any actual lateral moment activity.

      It is auto enabled, but you need to configure the GPO for the identity making those calls to have the required permissions to get the information needed.

       

      I hope this clarifies the issue and answers your question.

      • Armpenu's avatar
        Armpenu
        Copper Contributor
        Sep 15, 2022
        Martin,
        Your time and expertise are appreciated. Thanks!

Resources