Good morning
We detect SAMR queries against sensitive users from the ntoskrnl.exe process.
Can you tell us why these queries start?
Do you have details to give us?
Thank you
Regards,
@AlexVavassori-3141 Thanks for reaching out. ntoskrnl.exe is one of the central Windows kernel processes. While this might be a legitimate SAMR request, you would still have to verify whether this was obvious from this machine.
These queries start because some application needs to know about user and group membership for a legitimate task such as identity management, but the same can be utilized by adversaries to perform reconnaissance on user and group memberships.
These also can be used by attackers to map the directory structure and target privileged accounts for later steps in their attack.
The Security Account Manager Remote (SAM-R) protocol is one of the methods used to query the directory to perform this type of mapping.
With Microsoft Defender for Identity, no alerts are triggered in the first month after Defender for Identity is deployed (learning period). During the learning period, Defender for Identity profiles which SAM-R queries are made from which computers, both enumeration and individual queries of sensitive accounts.
Here is how to investigate it for any machine: https://docs.microsoft.com/en-us/defender-for-identity/investigate-a-computer
Investigate it for any user: https://docs.microsoft.com/en-us/defender-for-identity/investigate-a-user#recommended-investigation-steps-for-suspicious-users
Also, to understand the process and the scope of breach for SAMR for further investigation, see:
https://docs.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts#user-and-group-membership-reconnaissance-samr-external-id-2021
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
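The answer above describes the two things Defender for Identity does with SAM-R traffic: it profiles which sources query which sensitive accounts during the learning period, and afterwards it alerts on new individual queries of sensitive accounts and on bulk enumeration. The script below, added here as an illustration and not part of the answer or of Defender for Identity, reproduces that triage logic over constructed Windows Security event 4661 records ("A handle to an object was requested", which a domain controller logs when the SAM is queried). Field names follow that event's XML data names; the account names, timestamps and domain SID are made up, and the baseline/enumeration thresholds are arbitrary choices. One caveat worth noting: on a DC the process that opens the SAM handle in 4661 is the local lsass.exe, so the event itself does not record the querying client host or the client-side process (the ntoskrnl.exe in the question); Defender for Identity attributes that from its own network capture.

```python
"""Toy SAM-R reconnaissance triage over Windows Security event 4661 records.

Added example, not Defender for Identity code. Records are constructed; field
names follow the 4661 event's XML data names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known RIDs of accounts and groups normally treated as sensitive.
SENSITIVE_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins",
                  516: "Domain Controllers", 518: "Schema Admins",
                  519: "Enterprise Admins"}
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed


def _ev(ts, subject, obj_type, rid, process="C:\\Windows\\System32\\lsass.exe"):
    """Build one constructed 4661 record; ObjectName carries the target SID."""
    return {"EventID": 4661, "TimeCreated": ts, "SubjectDomainName": "CORP",
            "SubjectUserName": subject, "ObjectServer": "Security Account Manager",
            "ObjectType": obj_type, "ObjectName": f"{DOMAIN_SID}-{rid}",
            "AccessMask": "0x2d", "ProcessName": process}


LEARNING_END = datetime(2024, 2, 1)  # end of the (hypothetical) learning period
EVENTS = [
    # Learning period: an IAM service account legitimately reads Domain Admins.
    _ev(datetime(2024, 1, 10, 3, 0), "svc-iam", "SAM_GROUP", 512),
    _ev(datetime(2024, 1, 11, 3, 0), "svc-iam", "SAM_GROUP", 512),
    # After learning: same profile as before, so it should not be flagged.
    _ev(datetime(2024, 2, 3, 3, 0), "svc-iam", "SAM_GROUP", 512),
    # After learning: a new source reads Administrator, then sweeps many users.
    _ev(datetime(2024, 2, 4, 14, 0, 0), "jdoe", "SAM_USER", 500),
] + [_ev(datetime(2024, 2, 4, 14, 0, i), "jdoe", "SAM_USER", 1100 + i)
     for i in range(25)]


def rid_of(object_name):
    """Last component of a domain SID, or None if the name is not a SID."""
    if not object_name.startswith("S-1-5-21-"):
        return None
    tail = object_name.rsplit("-", 1)[-1]
    return int(tail) if tail.isdigit() else None


def is_samr_event(ev):
    """True for 4661 records that touch SAM_USER / SAM_GROUP / SAM_* objects."""
    return (ev.get("EventID") == 4661
            and ev.get("ObjectServer") == "Security Account Manager"
            and str(ev.get("ObjectType", "")).startswith("SAM_"))


def source_of(ev):
    """Querying identity as seen by the DC: (DOMAIN\\user, process on the DC)."""
    return (f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}', ev["ProcessName"])


def build_baseline(events, learning_end):
    """Learning period: which sources queried which sensitive objects."""
    baseline = defaultdict(set)
    for ev in events:
        if is_samr_event(ev) and ev["TimeCreated"] < learning_end:
            rid = rid_of(ev["ObjectName"])
            if rid in SENSITIVE_RIDS:
                baseline[source_of(ev)].add(rid)
    return baseline


def triage(events, learning_end, enum_threshold=20, window=timedelta(minutes=5)):
    """Flag post-learning sensitive queries not in the baseline, plus enumeration."""
    baseline = build_baseline(events, learning_end)
    findings, per_source = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if not is_samr_event(ev) or ev["TimeCreated"] < learning_end:
            continue
        src, rid = source_of(ev), rid_of(ev["ObjectName"])
        if rid in SENSITIVE_RIDS and rid not in baseline[src]:
            findings.append({"kind": "sensitive_query", "source": src,
                             "target": SENSITIVE_RIDS[rid], "time": ev["TimeCreated"]})
        per_source[src].append((ev["TimeCreated"], ev["ObjectName"]))
    # Enumeration: many distinct SAM objects from one source inside a sliding window.
    for src, seen in per_source.items():
        i = 0
        for j, (t, _) in enumerate(seen):
            while t - seen[i][0] > window:
                i += 1
            distinct = {name for _, name in seen[i:j + 1]}
            if len(distinct) >= enum_threshold:
                findings.append({"kind": "enumeration", "source": src,
                                 "objects": len(distinct), "time": t})
                break  # one enumeration finding per source is enough
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS, LEARNING_END):
        print(f)
```

Running it yields two findings for CORP\jdoe (a first-time query of Administrator, then an enumeration of 20 distinct SAM objects within seconds) and nothing for svc-iam, whose post-learning query matches its learned profile. In practice the baseline would be keyed on the source computer rather than the subject account, which is what Defender for Identity can do because it sees the SAM-R traffic itself rather than only the DC-side event.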