Forum Discussion
ARJ_Cyb
Sep 17, 2021
Copper Contributor
Reconnaissance using Directory Services queries
Hi,
I observe SAMR queries from some servers and desktops to the domain controller for various user accounts.
So whenever it's an admin account, it triggers the Reconnaissance using Directory Services...
Kausd
Microsoft
Mar 15, 2022
Not sure if you have read about why SAM-R is used in MDI and ATA.
In short, we use it for building a lateral movement path for sensitive accounts that are tagged sensitive or that, because of the nature of the group they are in, have been marked sensitive.
https://docs.microsoft.com/en-us/defender-for-identity/install-step8-samr
https://docs.microsoft.com/en-us/defender-for-identity/use-case-lateral-movement-path