Forum Discussion
SAMR Discovery Process
EliOfek, Microsoft, in reply to bryanb: Some clarifications:
- the account used to authenticate with those SAMR requests is not the service account, but the configured AD/gMSA account in the portal.
A sensor might issue the inquiry to any endpoint that contacted the DC it is installed on, no matter where it is located.
So all sensors need port access to all endpoints in the network.
bryanb, Jun 24, 2020, Brass Contributor:
EliOfek Thanks for the reply!
Correct, the gMSA will be used.
We have a highly segmented environment. A DC in BO#1 is not permitted to access a domain member in BO#2 (firewall rules). We allow domain members in a site access to the DC in that site and the DCs in our hub site. If I understand your reply, we won't have any issues, since a DC in BO#2 will never authenticate an endpoint in BO#3 (no firewall rules).
In a multiple domain forest, the sensors only perform this SAMR function within the DC's server domain, right?
EliOfek, Jun 25, 2020, Microsoft:
bryanb NO, the SAMR inquiry attempt is a response to any endpoint that contacts the DC, no matter where it is. If effectively you don't have cross-domain/cross-forest communication, then effectively it won't happen.
bryanb, Jun 25, 2020, Brass Contributor:
EliOfek
Hi
Perhaps I'm not explaining myself correctly.
CL1 resides in BO1 and has network rules to authenticate to BODC1, BHDC1, BHDC2, BHDC3 but will not have network access to BODC2. Therefore, CL1 will never authenticate to BODC1.
In this scenario, you are stating that BODC1 still requires network access to CL1 located in BO1?