Detail on Network Name Resolution


Hello,

We are baselining MDI behavior for our SOC - mainly the Network Name Resolution part. We observe that the system contacts devices on the network via SMB, RDP, etc. as expected.

However, sometimes the dedicated Service Account is used for this; other times we see the sensor connect with its machine account. Even worse, on some occasions it does so through NTLM, possibly enabling relay attacks.

What could lead to a sensor performing NNR using its machine account? Is that even caused by MDI, or is it some other component?

Also, what could lead to NNR falling back to NTLM? Does it happen when Kerberos does not work (e.g. when time sync is off)? Is it possible to restrict the usage of NTLM in the MDI configuration, or does one have to use a GPO for this?


Thanks!

2 Replies

@user409
None of our NNR methods relies on any auth whatsoever, so what you are seeing cannot be NNR.
My best guess is that you see SAMR calls over SMB, which are used to remotely detect local group membership on endpoints for lateral movement detection.
For this the sensor will call the Windows API to perform the query against the name of the machine.
This feature is locked for nego by Windows and sadly cannot be "locked" to Kerberos only.
So yes, in cases where for some reason the Kerberos method fails, it will fall back to NTLM.

Options:
1. Check why nego falls to NTLM (bad machine config?)

2. Lock down NTLM - so NTLM will fail, in which case the query will fail: no detection, but no risk of NTLM usage.

3. Disable this detection completely, which means those calls won't happen any more, but you lose this type of detection (you need to call support for that).
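As an added example (not from this thread, and not Microsoft's code): a small Python baseline over Security event 4624 records collected from the endpoints the sensor queries. It splits sensor-originated network logons (the SAMR-over-SMB path described above) by account kind (service vs machine) and authentication package, so a SOC can see how often negotiate ends at NTLM before deciding between options 1 and 2. The sensor hosts, the service account name and the event records are constructed assumptions.

```python
from collections import Counter

# Assumed sensor hosts (names and IPs) and the assumed dedicated MDI service account.
SENSOR_SOURCES = {"DC01", "DC02", "10.0.0.11", "10.0.0.12"}
SERVICE_ACCOUNT = "svc-mdi"

# Constructed Security event 4624 records (a subset of the real event's fields);
# for Kerberos logons WorkstationName is often "-", so IpAddress is checked too.
SAMPLE_EVENTS = [
    {"TargetUserName": "svc-mdi", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "-", "IpAddress": "10.0.0.11"},
    {"TargetUserName": "DC01$", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "WorkstationName": "DC01", "IpAddress": "10.0.0.11"},
    {"TargetUserName": "DC02$", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "WorkstationName": "-", "IpAddress": "10.0.0.12"},
    {"TargetUserName": "alice", "LogonType": "2", "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS-05", "IpAddress": "127.0.0.1"},
    {"TargetUserName": "svc-mdi", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "WorkstationName": "DC01", "IpAddress": "10.0.0.11"},
]

def account_kind(user):
    """Machine accounts end in '$'; the service account is matched by name."""
    if user.endswith("$"):
        return "machine"
    return "service" if user.lower() == SERVICE_ACCOUNT else "other"

def classify(event):
    """Return (source, account_kind, auth_package) for a network logon (type 3)
    originating from a sensor host, or None for everything else."""
    if event.get("LogonType") != "3":
        return None
    ws, ip = event.get("WorkstationName", "-").upper(), event.get("IpAddress", "-")
    src = ws if ws in SENSOR_SOURCES else ip if ip in SENSOR_SOURCES else None
    if src is None:
        return None
    return src, account_kind(event["TargetUserName"]), event["AuthenticationPackageName"]

def baseline(events):
    """Count sensor-originated logons per (source, account kind, package)."""
    return Counter(c for c in map(classify, events) if c is not None)

def ntlm_from_sensors(events):
    """Records to review: sensor-originated logons where negotiate ended at NTLM."""
    return [e for e in events if (c := classify(e)) and c[2] == "NTLM"]

if __name__ == "__main__":
    for key, n in sorted(baseline(SAMPLE_EVENTS).items()):
        print(f"{key[0]:<10} {key[1]:<8} {key[2]:<9} {n}")
```

Feed it the parsed 4624 events from the queried endpoints rather than from the sensor host, since that is where the inbound logon and its negotiated package are recorded.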

Hey,

Apologies that I didn't respond earlier - thanks for the detailed description.
Can you comment on the documentation stating that "No Authentication is performed on any of the ports"? (https://learn.microsoft.com/en-us/defender-for-identity/nnr-policy)

This would contradict the process as you outlined it. Maybe this should be cleared up in docs?


Edit: re-read your answer, I think the issue here is that we were talking about different things. NNR = no auth. SAMR lookup = with auth.
Thanks again!