cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

MDI Lab Question - Issue with Directory Service Enumeration / gMSA / SAM-R Policy

amueller-tf
Brass Contributor

‎Jun 23 2021 07:41 AM - last edited on ‎Nov 30 2021 09:23 AM by

‎Jun 23 2021 07:41 AM - last edited on ‎Nov 30 2021 09:23 AM by

MDI Lab Question - Issue with Directory Service Enumeration / gMSA / SAM-R Policy

Hi,

 

I setup my MDI lab with a Windows 2019 server, created a gMSA and installed the MDI sensor successfully.

In Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Micro... I need to add the Defender for Identity service account to the SAM-R policy. In my case I added the gMSA which I assume is correct.

I am now working my way through the lab playbooks (https://docs.microsoft.com/en-us/defender-for-identity/playbook-reconnaissance#directory-service-enu...) and noticed that I get an 

 

System Error 5 has occurred ... Access Denied

 

error when running the 

 

net user /domain

 

command as user JeffL from VictimPC (Windows 10 1909). When I run the command as domain admin on that workstation it works and I see the proper output which makes sense because the SAM-R policy says that only Domain Administrators and the gMSA are allowed.

 

It looks to me that everything is setup how it should and a non-domain admin is unable to run 

 

net user /domain

 

on that workstation. I'd like to test MDI though and recreate the alerts by using the JeffL user. What am I doing wrong here?

 

Thanks,

Andre

 

1,169 Views
1 Like
4 Replies
Reply
4 Replies
Eli Ofek

‎Jun 23 2021 12:41 PM

‎Jun 23 2021 12:41 PM

Re: MDI Lab Question - Issue with Directory Service Enumeration / gMSA / SAM-R Policy

See
https://docs.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts#user-and-group-membersh...

This alert has a learning period, make sure the conditions you created are applicable to trigger the alert in this case.
0 Likes
Reply
amueller-tf

‎Jun 24 2021 02:06 AM

‎Jun 24 2021 02:06 AM

Re: MDI Lab Question - Issue with Directory Service Enumeration / gMSA / SAM-R Policy

Thanks for the link to the documentation, Eli. That's good to know that there's a learning period.

The problem I have is that I receive an error message when running command "net user /domain" as JeffL in this playbook (https://docs.microsoft.com/en-us/defender-for-identity/playbook-reconnaissance#directory-service-enu...).
The command works if I log into the command line as a domain admin but not as local admin.
0 Likes
Reply
Eli Ofek

‎Jun 24 2021 12:47 PM

‎Jun 24 2021 12:47 PM

Re: MDI Lab Question - Issue with Directory Service Enumeration / gMSA / SAM-R Policy

@amueller-tf If I am not mistaken, in Windows 2019 SAMR is restricted by default, so this is expected that a normal user would fail...

The screenshot from the playbook is from an older OS.

0 Likes
Reply
best response confirmed by amueller-tf (Brass Contributor)
amueller-tf

‎Jun 24 2021 10:52 PM

‎Jun 24 2021 10:52 PM

Solution

Re: MDI Lab Question - Issue with Directory Service Enumeration / gMSA / SAM-R Policy

Ah, thanks again, Eli. I suspected that this would be the case after I read the lab setup again. I guess I made my lab too difficult to hack by using Windows Server 2019 ...
1 Like
Reply