SOLVED

GMSA account accessing server apps

New Contributor

We have deployed Microsoft Defender for Identity on our tenant,  and we have questions about why the GMSA is connecting to different app servers and IPs.

We would like to understand why this is happening. SAMR is not implemented yet.

 

Please let me know if more information is needed.

6 Replies

@Armpenu 

This is an example list of the connection we have seen.

DateApp Server NameUserConnection IPCount
8/3/2022***323SVC-MDI-GMSA10.38.0.15112
8/4/2022***323SVC-MDI-GMSA10.38.0.1518
8/5/2022***322SVC-MDI-GMSA10.231.128.248
8/7/2022***323SVC-MDI-GMSA10.38.0.1516
8/8/2022***323SVC-MDI-GMSA10.38.0.1516
8/10/2022***322SVC-MDI-GMSA10.245.32.198
8/11/2022***324SVC-MDI-GMSA10.212.192.814
8/11/2022***325SVC-MDI-GMSA10.212.192.8112
8/11/2022***326SVC-MDI-GMSA10.212.192.818
8/12/2022***324SVC-MDI-GMSA10.212.192.8132
8/12/2022***325SVC-MDI-GMSA10.212.192.8152
8/12/2022***326SVC-MDI-GMSA10.212.192.8168
8/13/2022***322SVC-MDI-GMSA10.207.224.58
8/13/2022***324SVC-MDI-GMSA10.212.192.8128
8/13/2022***325SVC-MDI-GMSA10.212.192.8148
8/13/2022***326SVC-MDI-GMSA10.212.192.8172
8/14/2022***300SVC-MDI-GMSA10.212.192.814
8/14/2022***322SVC-MDI-GMSA10.231.128.248
8/14/2022***324SVC-MDI-GMSA10.212.192.8136

@Armpenu 

SAM-R is (auto) enabled in MDI whether you set up the GPO and permissions or not.

MDI sensors initiate SAM-R calls to an endpoint in response to a network activity reaching the DC from that endpoint. It doesn't query the device all the time for all activities, it will skip the call if it was queried before, and the answer is still in the cache (valid for 1 hr.).

 

@Martin_Schvartzman 

I appreciate the answer, I have additional questions.

Why is it necessary to setup the GPO if that is the case?
What differences will be noticed once the SAM-R GPO is put into place?

 

Please let me know if where our understanding is correct or not:
What you mean is SAM-R is auto enabled in MDI, meaning sensors will start scanning the endpoints for the lateral moment, however you would have to update the SAM-R group policy in individual endpoints for capturing the actual lateral moment activities.


In a few words, SAM-R is auto enabled, however for capturing the details successfully we need to make SAM-R GPO changes for individual endpoints.

best response confirmed by Armpenu (New Contributor)
Solution

@Armpenu 

The SAM-R calls are made towards the remote devices to get information on the local groups and memberships for calculating the potential lateral movement paths. Not to detect any actual lateral moment activity.

It is auto enabled, but you need to configure the GPO for the identity making those calls to have the required permissions to get the information needed.

 

I hope this clarifies the issue and answers your question.

Martin,
Your time and expertise are appreciated. Thanks!
I am in the process of deploying MDI (drafting the Change Request). Are you installing your Sensors on Server 2012 or 2016? In 2012, the GPO for SAMR does not exist in the UI and I believe I would need to explicitly define this GPO via the registry. Just wondering if anyone has any experience with this yet.