cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

GMSA account accessing server apps

Armpenu
Copper Contributor

‎Sep 13 2022 11:11 AM

‎Sep 13 2022 11:11 AM

GMSA account accessing server apps

We have deployed Microsoft Defender for Identity on our tenant,  and we have questions about why the GMSA is connecting to different app servers and IPs.

We would like to understand why this is happening. SAMR is not implemented yet.

 

Please let me know if more information is needed.

1,684 Views
0 Likes
6 Replies
Reply
6 Replies
Armpenu

‎Sep 13 2022 12:55 PM

‎Sep 13 2022 12:55 PM

Re: GMSA account accessing server apps

@Armpenu 

This is an example list of the connection we have seen.

DateApp Server NameUserConnection IPCount
8/3/2022***323SVC-MDI-GMSA10.38.0.15112
8/4/2022***323SVC-MDI-GMSA10.38.0.1518
8/5/2022***322SVC-MDI-GMSA10.231.128.248
8/7/2022***323SVC-MDI-GMSA10.38.0.1516
8/8/2022***323SVC-MDI-GMSA10.38.0.1516
8/10/2022***322SVC-MDI-GMSA10.245.32.198
8/11/2022***324SVC-MDI-GMSA10.212.192.814
8/11/2022***325SVC-MDI-GMSA10.212.192.8112
8/11/2022***326SVC-MDI-GMSA10.212.192.818
8/12/2022***324SVC-MDI-GMSA10.212.192.8132
8/12/2022***325SVC-MDI-GMSA10.212.192.8152
8/12/2022***326SVC-MDI-GMSA10.212.192.8168
8/13/2022***322SVC-MDI-GMSA10.207.224.58
8/13/2022***324SVC-MDI-GMSA10.212.192.8128
8/13/2022***325SVC-MDI-GMSA10.212.192.8148
8/13/2022***326SVC-MDI-GMSA10.212.192.8172
8/14/2022***300SVC-MDI-GMSA10.212.192.814
8/14/2022***322SVC-MDI-GMSA10.231.128.248
8/14/2022***324SVC-MDI-GMSA10.212.192.8136
0 Likes
Reply
Martin_Schvartzman

‎Sep 14 2022 02:28 AM

‎Sep 14 2022 02:28 AM

Re: GMSA account accessing server apps

@Armpenu 

SAM-R is (auto) enabled in MDI whether you set up the GPO and permissions or not.

MDI sensors initiate SAM-R calls to an endpoint in response to a network activity reaching the DC from that endpoint. It doesn't query the device all the time for all activities, it will skip the call if it was queried before, and the answer is still in the cache (valid for 1 hr.).

 

2 Likes
Reply
Armpenu

‎Sep 14 2022 08:04 AM

‎Sep 14 2022 08:04 AM

Re: GMSA account accessing server apps

@Martin_Schvartzman 

I appreciate the answer, I have additional questions.

Why is it necessary to setup the GPO if that is the case?
What differences will be noticed once the SAM-R GPO is put into place?

 

Please let me know if where our understanding is correct or not:
What you mean is SAM-R is auto enabled in MDI, meaning sensors will start scanning the endpoints for the lateral moment, however you would have to update the SAM-R group policy in individual endpoints for capturing the actual lateral moment activities.


In a few words, SAM-R is auto enabled, however for capturing the details successfully we need to make SAM-R GPO changes for individual endpoints.

0 Likes
Reply
best response confirmed by Armpenu (Copper Contributor)
Martin_Schvartzman

‎Sep 15 2022 08:47 AM

‎Sep 15 2022 08:47 AM

Solution

Re: GMSA account accessing server apps

@Armpenu 

The SAM-R calls are made towards the remote devices to get information on the local groups and memberships for calculating the potential lateral movement paths. Not to detect any actual lateral moment activity.

It is auto enabled, but you need to configure the GPO for the identity making those calls to have the required permissions to get the information needed.

 

I hope this clarifies the issue and answers your question.

2 Likes
Reply
Armpenu

‎Sep 15 2022 09:28 AM

‎Sep 15 2022 09:28 AM

Re: GMSA account accessing server apps

Martin,
Your time and expertise are appreciated. Thanks!
1 Like
Reply
moderncloud

‎Sep 15 2022 12:41 PM

‎Sep 15 2022 12:41 PM

Re: GMSA account accessing server apps

I am in the process of deploying MDI (drafting the Change Request). Are you installing your Sensors on Server 2012 or 2016? In 2012, the GPO for SAMR does not exist in the UI and I believe I would need to explicitly define this GPO via the registry. Just wondering if anyone has any experience with this yet.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Armpenu (Copper Contributor)
Martin_Schvartzman

‎Sep 15 2022 08:47 AM

‎Sep 15 2022 08:47 AM

Solution

Re: GMSA account accessing server apps

@Armpenu 

The SAM-R calls are made towards the remote devices to get information on the local groups and memberships for calculating the potential lateral movement paths. Not to detect any actual lateral moment activity.

It is auto enabled, but you need to configure the GPO for the identity making those calls to have the required permissions to get the information needed.

 

I hope this clarifies the issue and answers your question.

View solution in original post

2 Likes
Reply