Forum Discussion
bryanb
Jun 24, 2020
Brass Contributor
SAMR Discovery Process
For the SAM-R, we understand the following is required "Azure ATP lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with t...
EliOfek
Microsoft
Jun 25, 2020
bryanb NO, SAMR inquiry attempt is a response to any endpoint that contacts the DC, no matter where it is. If effectively you don't have cross-domain/cross-forest communication, then effectively it won't happen.
bryanb
Jun 25, 2020
Brass Contributor
EliOfek
Hi
Perhaps I'm not explaining myself correctly.
CL1 resides in BO1 and has network rules to authenticate to BODC1, BHDC1, BHDC2, BHDC3 but will not have network access to BODC2. Therefore, CL1 will never authenticate to BODC1.
In this scenario, you are stating that BODC1 still requires network access to CL1 located in BO1?