Forum Discussion

bryanb's avatar
bryanb
Brass Contributor
Jun 24, 2020

SAMR Discovery Process

For the SAM-R, we understand the following is required "Azure ATP lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with t...
bryanb's avatar
bryanb
Brass Contributor
Jun 24, 2020

EliOfek Thanks for the reply!

Correct, the gMSA will be used.  

We have a highly segmented environment.   A DC in BO#1 is not permitted to access a domain member in BO#2, firewall rules.   We to allow domain members in a site access to the DC in that site and the DCs in our hub site.  If I understand your reply, we won't have any issues since a DC in BO#2 will never authenticate a endpoint in BO#3, no firewall rules.

In a multiple domain forest, the sensors only perform this SAMR function within the DC's server domain, right? 




 

 

EliOfek's avatar
EliOfek
Icon for Microsoft rankMicrosoft
Jun 25, 2020

bryanb NO, SMAR inquiry attempt  is a response to any endpoint that contacts the DC, no matter where it is. if effectively you don't have cross domain/cross forests communication, then effectively it won't happen.

  • bryanb's avatar
    bryanb
    Brass Contributor
    Jun 25, 2020

    EliOfek 

    Hi

    Perhaps I'm not explaining myself correctly.  

    CL1 resides in BO1 and has network rules to authenticate to BODC1, BHDC1,BHDC2,BHDC3 but will not have network access to BODC2.  Therefore, CL1 will never authenticate to BODC1.

    In this scenario, you are stating that BODC1 still requires network access to CL1 located in BO1?



     

    • EliOfek's avatar
      EliOfek
      Icon for Microsoft rankMicrosoft
      Jun 27, 2020

      bryanb  If BODC1  never sees network traffic from CL1, then it will never try to actively contact it.