cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

SAMR Discovery Process

Bryan Bishop
Brass Contributor

‎Jun 24 2020 09:57 AM

‎Jun 24 2020 09:57 AM

SAMR Discovery Process

For the SAM-R, we understand the following is required "Azure ATP lateral movement path detection relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Azure ATP Service account created during Azure ATP installation.


My question is around the SAM-R process from the sensors to the domain members and network access rules (FW).   Our AD site is a standard hub and spoke with several dozen branch office locations.

What determines which ATP sensor is used to queries a domain members? 
Does the Sensor only perform the SAMR discovery against the domain members in its AD site or some other discovery mechanism? 
Does each domain sensor need SAM-R/SMB access to ALL domain members?  

Example:
AD-Branch1 server only requires TCP445 to networks in Branch1.


Thank you


 

3,623 Views
0 Likes
5 Replies
Reply
5 Replies
Eli Ofek

‎Jun 24 2020 12:53 PM

‎Jun 24 2020 12:53 PM

Re: SAMR Discovery Process

@Bryan Bishop  Some clarifications:

- the account use to authenticate with those SAMR requests is not the service account , but the configured AD/gmsa account in th eportal.

A sensor might issue the inquiry to any endpoint that contacted the DC it is installed on, no matter where it is located.
So all sensors need port access  to all endpoints in the network.

0 Likes
Reply
Bryan Bishop

‎Jun 24 2020 03:53 PM

‎Jun 24 2020 03:53 PM

Re: SAMR Discovery Process

@Eli Ofek Thanks for the reply!

Correct, the gMSA will be used.  

We have a highly segmented environment.   A DC in BO#1 is not permitted to access a domain member in BO#2, firewall rules.   We to allow domain members in a site access to the DC in that site and the DCs in our hub site.  If I understand your reply, we won't have any issues since a DC in BO#2 will never authenticate a endpoint in BO#3, no firewall rules.

In a multiple domain forest, the sensors only perform this SAMR function within the DC's server domain, right? 




 

 

0 Likes
Reply
Eli Ofek

‎Jun 25 2020 06:55 AM

‎Jun 25 2020 06:55 AM

Re: SAMR Discovery Process

@Bryan Bishop NO, SMAR inquiry attempt  is a response to any endpoint that contacts the DC, no matter where it is. if effectively you don't have cross domain/cross forests communication, then effectively it won't happen.

0 Likes
Reply
Bryan Bishop

‎Jun 25 2020 11:14 AM

‎Jun 25 2020 11:14 AM

Re: SAMR Discovery Process

@Eli Ofek 

Hi

Perhaps I'm not explaining myself correctly.  

CL1 resides in BO1 and has network rules to authenticate to BODC1, BHDC1,BHDC2,BHDC3 but will not have network access to BODC2.  Therefore, CL1 will never authenticate to BODC1.

In this scenario, you are stating that BODC1 still requires network access to CL1 located in BO1?



 

0 Likes
Reply
Eli Ofek

‎Jun 27 2020 11:41 PM

‎Jun 27 2020 11:41 PM

Re: SAMR Discovery Process

@Bryan Bishop  If BODC1  never sees network traffic from CL1, then it will never try to actively contact it.

0 Likes
Reply