Asked by 39311615; answered by vipulsparsh-MSFT

SAMR queries from ntoskrnl.exe

Good morning,
We detect SAMR queries against sensitive users from the ntoskrnl.exe process.
Can you tell us why these queries start?
Do you have details to give us?

Thank you,
Regards


microsoft-sentinel
1 Answer

vipulsparsh-MSFT answered

@AlexVavassori-3141 Thanks for reaching out. ntoskrnl.exe is one of the central Windows kernel processes. While this might be a legitimate SAMR request, you would still have to verify whether this was expected from this machine.

These queries start because some application needs to know about user and group membership for a legitimate task such as identity management, but the same can be used by adversaries to perform reconnaissance on user and group memberships.
These can also be used by attackers to map the directory structure and target privileged accounts for later steps in their attack.

The Security Account Manager Remote (SAM-R) protocol is one of the methods used to query the directory to perform this type of mapping.
With Microsoft Defender for Identity, no alerts are triggered in the first month after Defender for Identity is deployed (learning period). During the learning period, Defender for Identity profiles which SAM-R queries are made from which computers, both enumeration and individual queries of sensitive accounts.

Here is how you can investigate it for any machine: https://docs.microsoft.com/en-us/defender-for-identity/investigate-a-computer
Investigate it for any user: https://docs.microsoft.com/en-us/defender-for-identity/investigate-a-user#recommended-investigation-steps-for-suspicious-users


Also see the process and scope of breach for SAMR for further investigation here:
https://docs.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts#user-and-group-membership-reconnaissance-samr-external-id-2021



Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
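The learning-period behaviour the answer describes (profile which computers issue which SAM-R queries, then alert on unprofiled queries that enumerate or touch sensitive accounts), reduced to a small baseline-then-alert routine over constructed events. This is an added example, not Defender for Identity's code; the event fields, computer names and the sensitive-account list are assumptions.

```python
"""Baseline-then-alert logic for SAM-R query events (added example, not MDI code)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample events: (day, source_computer, query_type, target_account).
# query_type is "enumeration" (list users/groups) or "individual" (one account).
LEARNING_EVENTS = [
    (1, "IDM-SRV01", "enumeration", "*"),
    (3, "IDM-SRV01", "individual", "svc-backup"),
    (7, "HELPDESK-PC02", "individual", "jdoe"),
    (20, "IDM-SRV01", "individual", "Administrator"),
]
LIVE_EVENTS = [
    (31, "IDM-SRV01", "individual", "Administrator"),      # matches baseline
    (32, "WS-FINANCE-17", "individual", "Administrator"),  # new source, sensitive target
    (32, "WS-FINANCE-17", "enumeration", "*"),             # new source enumerating
    (33, "HELPDESK-PC02", "individual", "jdoe"),           # profiled, non-sensitive
]
# Accounts treated as sensitive (constructed; in practice privileged/admin accounts).
SENSITIVE = {"Administrator", "svc-backup", "Domain Admins"}


def build_baseline(events) -> Dict[str, Set[str]]:
    """Learning period: record which query types each computer was seen issuing."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for _day, src, qtype, _target in events:
        baseline[src].add(qtype)
    return baseline


def flag_samr(events, baseline, sensitive) -> List[Tuple[int, str, str]]:
    """After learning: alert on queries outside the profile that enumerate
    the directory or target a sensitive account. Profiled activity is skipped."""
    alerts = []
    for day, src, qtype, target in events:
        if qtype in baseline.get(src, set()):
            continue  # this computer issued this kind of query during learning
        if qtype == "enumeration" or target in sensitive:
            alerts.append((day, src, f"{qtype}:{target}"))
    return alerts


if __name__ == "__main__":
    for alert in flag_samr(LIVE_EVENTS, build_baseline(LEARNING_EVENTS), SENSITIVE):
        print("ALERT day=%d source=%s query=%s" % alert)
```

On the constructed data only the unprofiled finance workstation is flagged; the identity-management server's query against Administrator is accepted because it matched the learning-period profile, which is why the answer asks you to verify whether the source machine is an expected one.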