Reconnaissance using Directory Services queries

Copper Contributor

Hi,

I observe SAM-R queries from some servers and desktops to the domain controller for various user accounts.

So whenever it's an admin account, it triggers the "Reconnaissance using Directory Services queries" alert in ATA (Microsoft Advanced Threat Analytics).

For the investigation I tried to use the ATA guide, but I am not sure how to investigate the following:

1. Are such queries supposed to be made from the source computer in question?

2. What can be the legitimate cases for SAM-R queries?


Note: This is not related to the Lenovo issue with SAM-R or to WaAppAgent.exe.


Thanks,

1 Reply
Not sure if you have read about why SAM-R is used in MDI and ATA.

In short, we use it for building lateral movement paths for sensitive accounts, that is, accounts that are tagged sensitive or that have been marked sensitive because of the nature of the group they are in.

https://docs.microsoft.com/en-us/defender-for-identity/install-step8-samr

https://docs.microsoft.com/en-us/defender-for-identity/use-case-lateral-movement-path
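The first linked page is about the "Network access: Restrict clients allowed to make remote calls to SAM" policy, which controls who may make SAM-R calls against a machine and where the sensor's Directory Service Account has to be allowed. As an added example (my own code, not part of this thread and not Microsoft's), the script below decodes that policy on the local machine so you can see which principals are currently permitted and check whether a given account is among them. The registry location (HKLM\SYSTEM\CurrentControlSet\Control\Lsa, value RestrictRemoteSAM) and the operating-system default descriptor O:BAG:BAD:(A;;RC;;;BA) are documented by Microsoft; the function names and the sample SDDL with the domain SID ending in -1105 are assumptions constructed for offline use.

```powershell
# Added example (not from the original thread): decode the RestrictRemoteSAM policy
# (Network access: Restrict clients allowed to make remote calls to SAM) and list the
# principals allowed to make SAM-R calls against this host.

function Get-RemoteSamAllowedPrincipals {
    param(
        # Optional SDDL string; when omitted, the live registry value is read.
        [string]$Sddl
    )

    if (-not $Sddl) {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $Sddl = (Get-ItemProperty -Path $key -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
        if (-not $Sddl) {
            # Policy not configured: Windows applies its built-in default
            # (local Administrators, READ_CONTROL only).
            $Sddl = 'O:BAG:BAD:(A;;RC;;;BA)'
        }
    }

    # RawSecurityDescriptor parses SDDL and exposes each ACE with its SID and access mask.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value
        # Best-effort translation to DOMAIN\Name; unknown or foreign SIDs stay as SID strings.
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        [pscustomobject]@{
            Type       = $ace.AceType                      # AccessAllowed / AccessDenied
            Principal  = $name
            Sid        = $sid.Value
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)    # 0x20000 = READ_CONTROL (RC)
        }
    }
}

function Test-RemoteSamAllowed {
    param(
        [Parameter(Mandatory)][string]$AccountSid,   # SID of the account to check, e.g. the sensor's Directory Service Account
        [string]$Sddl
    )

    $hit = Get-RemoteSamAllowedPrincipals -Sddl $Sddl |
        Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Sid -eq $AccountSid }

    return [bool]$hit
}

# Constructed sample (hypothetical domain SID): the OS default plus one extra account,
# which is what the policy looks like after the sensor account has been added via GPO.
$sample = 'O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

Get-RemoteSamAllowedPrincipals -Sddl $sample | Format-Table -AutoSize
Test-RemoteSamAllowed -AccountSid 'S-1-5-21-1111111111-2222222222-3333333333-1105' -Sddl $sample

# Against the live host, omit -Sddl:
#   Get-RemoteSamAllowedPrincipals | Format-Table -AutoSize
```

Running the live form on the computer that was queried tells you whether the source account had to be in this list at all; on the source computer named in the alert, the same decoding shows which accounts that host allows inbound, which helps decide whether the traffic matches an expected scanner or the sensor account rather than an interactive user.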