GMSA account accessing server apps

Armpenu · ‎Sep 13 2022

We have deployed Microsoft Defender for Identity on our tenant, and we have questions about why the GMSA is connecting to different app servers and IPs.

We would like to understand why this is happening. SAMR is not implemented yet.

Please let me know if more information is needed.

Armpenu · ‎Sep 13 2022

@Armpenu

This is an example list of the connection we have seen.

Date	App Server Name	User	Connection IP	Count
8/3/2022	***323	SVC-MDI-GMSA	10.38.0.151	12
8/4/2022	***323	SVC-MDI-GMSA	10.38.0.151	8
8/5/2022	***322	SVC-MDI-GMSA	10.231.128.24	8
8/7/2022	***323	SVC-MDI-GMSA	10.38.0.151	6
8/8/2022	***323	SVC-MDI-GMSA	10.38.0.151	6
8/10/2022	***322	SVC-MDI-GMSA	10.245.32.19	8
8/11/2022	***324	SVC-MDI-GMSA	10.212.192.81	4
8/11/2022	***325	SVC-MDI-GMSA	10.212.192.81	12
8/11/2022	***326	SVC-MDI-GMSA	10.212.192.81	8
8/12/2022	***324	SVC-MDI-GMSA	10.212.192.81	32
8/12/2022	***325	SVC-MDI-GMSA	10.212.192.81	52
8/12/2022	***326	SVC-MDI-GMSA	10.212.192.81	68
8/13/2022	***322	SVC-MDI-GMSA	10.207.224.5	8
8/13/2022	***324	SVC-MDI-GMSA	10.212.192.81	28
8/13/2022	***325	SVC-MDI-GMSA	10.212.192.81	48
8/13/2022	***326	SVC-MDI-GMSA	10.212.192.81	72
8/14/2022	***300	SVC-MDI-GMSA	10.212.192.81	4
8/14/2022	***322	SVC-MDI-GMSA	10.231.128.24	8
8/14/2022	***324	SVC-MDI-GMSA	10.212.192.81	36

Martin_Schvartzman · ‎Sep 14 2022

@Armpenu

SAM-R is (auto) enabled in MDI whether you set up the GPO and permissions or not.

MDI sensors initiate SAM-R calls to an endpoint in response to a network activity reaching the DC from that endpoint. It doesn't query the device all the time for all activities, it will skip the call if it was queried before, and the answer is still in the cache (valid for 1 hr.).

Armpenu · ‎Sep 14 2022

@Martin_Schvartzman

I appreciate the answer, I have additional questions.

Why is it necessary to setup the GPO if that is the case?
What differences will be noticed once the SAM-R GPO is put into place?

Please let me know if where our understanding is correct or not:
What you mean is SAM-R is auto enabled in MDI, meaning sensors will start scanning the endpoints for the lateral moment, however you would have to update the SAM-R group policy in individual endpoints for capturing the actual lateral moment activities.

In a few words, SAM-R is auto enabled, however for capturing the details successfully we need to make SAM-R GPO changes for individual endpoints.

Armpenu · ‎Sep 15 2022

@Armpenu

The SAM-R calls are made towards the remote devices to get information on the local groups and memberships for calculating the potential lateral movement paths. Not to detect any actual lateral moment activity.

It is auto enabled, but you need to configure the GPO for the identity making those calls to have the required permissions to get the information needed.

I hope this clarifies the issue and answers your question.

Armpenu · ‎Sep 15 2022

Martin,
Your time and expertise are appreciated. Thanks!

moderncloud · ‎Sep 15 2022

I am in the process of deploying MDI (drafting the Change Request). Are you installing your Sensors on Server 2012 or 2016? In 2012, the GPO for SAMR does not exist in the UI and I believe I would need to explicitly define this GPO via the registry. Just wondering if anyone has any experience with this yet.

GMSA account accessing server apps

GMSA account accessing server apps

Re: GMSA account accessing server apps

Re: GMSA account accessing server apps

Re: GMSA account accessing server apps

Re: GMSA account accessing server apps

Re: GMSA account accessing server apps

Re: GMSA account accessing server apps

Products (51)

Special Topics (28)

Video Hub (447)

Most Active Hubs

Most Active Hubs

Video Hub

GMSA account accessing server apps