cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Reconnaissance using Directory Services queries

ARJ_Cyb
Copper Contributor

‎Sep 16 2021 09:35 PM - last edited on ‎Nov 30 2021 01:41 PM by

‎Sep 16 2021 09:35 PM - last edited on ‎Nov 30 2021 01:41 PM by

Reconnaissance using Directory Services queries

Hi,

I observe SAMR queries from some servers and desktops to Domain controller for various user accounts.

So whenever it's a admin account it triggers the  Reconnaissance using Directory Services queries alert on ATA(Microsoft Advanced Threat Analytics).

For the investigation I tried to use ATA guide  but not sure how to investigate the below?

  1. Are such queries supposed to be made from the source computer in question?

What can be the legitimate cases for SAM-R queries ?

 

Note : This is not related to Lenovo issue with SAMR or WaAppAgent.exe

 

Thanks,

Labels:
2,398 Views
1 Like
1 Reply
Reply
1 Reply
Kausd

‎Mar 14 2022 11:40 PM

‎Mar 14 2022 11:40 PM

Re: Reconnaissance using Directory Services queries

Not sure if you have read about why SAM-R is used in MDI and ATA.

In short we use it for building a lateral movement path for sensitive accounts that are tagged sensitive or because of the nature of group they are in they have been marked sensitive.

https://docs.microsoft.com/en-us/defender-for-identity/install-step8-samr

https://docs.microsoft.com/en-us/defender-for-identity/use-case-lateral-movement-path
0 Likes
Reply