Alert: Server sent suspicious SAMR queries to DC

Gopi Ponnusamy 41 Reputation points
2021-10-01T13:55:53.33+00:00

Hi Guys,

We are getting alerts like "Server-A sent suspicious SAMR queries to DC-1" from Azure ATP; we have observed it on random servers.

Can anyone help me understand why this alert triggers
and how to identify whether it is legitimate or suspicious?

Thanks in advance!

Active Directory

2 answers

  1. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
    2021-10-01T20:49:20.113+00:00

    SAM-R offers a way to enumerate some info remotely on Windows systems (mostly used for users and groups).

    Azure ATP (well, MDI, Microsoft Defender for Identity, as it is called now) is keeping track of those enumerations. After a learning period of 15 days, if a machine starts making those enumerations differently (more often, or with different scopes), then MDI triggers an alert, as it could be the sign of an attacker performing reconnaissance actions.

    In your case, to investigate the alert, you will need to understand what triggers that request on that machine. It could be a new application, a new script, or a new scheduled task. You can also look at the machine entity page and see if there are other alerts or unusual things (like new users connecting to that server, or a lot of failed authentications). More info here: https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts#user-and-group-membership-reconnaissance-samr-external-id-2021

    3 people found this answer helpful.
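The answer above describes the detector in two sentences: learn what each machine normally enumerates over SAM-R for 15 days, then alert when a machine queries more often, with new scopes, or was never seen enumerating at all. The following is an added example, not code from the original thread and not Microsoft's implementation: a toy model of that baseline-and-deviation logic run over constructed SAMR event records. The record format (timestamp, source host, DC, SAMR operation name), the host names, the 3x frequency threshold, per-day bucketing and the use of SAMR operation names as "scope" are all assumptions made for illustration; MDI's real features and thresholds are not documented on this page.

```python
"""Toy model of an MDI-style SAMR reconnaissance baseline (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LEARNING_DAYS = 15   # learning period stated in the answer above
FREQ_FACTOR = 3      # assumption: a day with > 3x the learned daily peak is "more often"

START = datetime(2021, 9, 15)   # assumption: first day of the learning period


def constructed_events():
    """Constructed sample data (not real telemetry):
    (timestamp, source host, target DC, SAMR operation)."""
    ev = []
    # Learning period: Server-A looks up a few accounts twice a day, e.g. a scheduled task.
    for d in range(LEARNING_DAYS):
        for h in (2, 14):
            ev.append((START + timedelta(days=d, hours=h), "Server-A", "DC-1", "SamrQueryInformationUser"))
    # Day 15: same behaviour as during learning, so no alert is expected.
    for h in (2, 14):
        ev.append((START + timedelta(days=15, hours=h), "Server-A", "DC-1", "SamrQueryInformationUser"))
    # Day 16: the usual lookup ...
    ev.append((START + timedelta(days=16, hours=2), "Server-A", "DC-1", "SamrQueryInformationUser"))
    # ... plus a burst of domain-wide user and group enumeration (new scopes, many calls).
    for i in range(30):
        ev.append((START + timedelta(days=16, hours=3, minutes=i), "Server-A", "DC-1", "SamrEnumerateUsersInDomain"))
    for i in range(5):
        ev.append((START + timedelta(days=16, hours=4, minutes=i), "Server-A", "DC-1", "SamrGetMembersInGroup"))
    # Day 16: a host that never enumerated anything during learning appears.
    ev.append((START + timedelta(days=16, hours=5), "Server-B", "DC-1", "SamrGetMembersInGroup"))
    return ev


def build_baseline(events, start):
    """Learn, per source host, the SAMR operations seen ("scopes") and the
    busiest day's call count during [start, start + LEARNING_DAYS)."""
    end = start + timedelta(days=LEARNING_DAYS)
    scopes = defaultdict(set)
    daily = defaultdict(Counter)
    for ts, host, _dc, op in events:
        if start <= ts < end:
            scopes[host].add(op)
            daily[host][ts.date()] += 1
    return {h: {"scopes": scopes[h], "peak": max(daily[h].values())} for h in scopes}


def evaluate(events, baseline, start):
    """Score every post-learning (host, day) pair against the baseline and
    return alerts with the reason(s): unknown source, new scope, higher frequency."""
    end = start + timedelta(days=LEARNING_DAYS)
    per_day = defaultdict(list)
    for ts, host, dc, op in events:
        if ts >= end:
            per_day[(host, ts.date())].append((dc, op))
    alerts = []
    for (host, day), ops in sorted(per_day.items(), key=lambda kv: kv[0]):
        reasons = []
        base = baseline.get(host)
        if base is None:
            reasons.append("never enumerated during learning period")
        else:
            new_ops = sorted({op for _, op in ops} - base["scopes"])
            if new_ops:
                reasons.append("new scope: " + ", ".join(new_ops))
            if len(ops) > FREQ_FACTOR * base["peak"]:
                reasons.append(f"{len(ops)} queries vs learned peak {base['peak']}")
        if reasons:
            alerts.append({
                "host": host,
                "day": day.isoformat(),
                "dc": sorted({dc for dc, _ in ops}),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    events = constructed_events()
    baseline = build_baseline(events, START)
    for a in evaluate(events, baseline, START):
        print(f"{a['host']} sent suspicious SAMR queries to {', '.join(a['dc'])} on {a['day']}: "
              + "; ".join(a["reasons"]))
```

The point for triage is the reasons field: a new scope (domain-wide user or group enumeration where the baseline only had per-account lookups) points at a new script, tool or scheduled task on the server, while a jump in frequency alone with the same scopes is more often a changed schedule or a loop in an existing job. A source host with no baseline at all is the case where the learning period simply has not covered it yet, or where something genuinely new has started running there.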

  2. Limitless Technology 39,511 Reputation points
    2021-10-04T09:47:27.37+00:00

    Hi there,

    Microsoft Threat Protection can automatically prevent attacks and reduce their persistence to keep them from rising again, prioritize events for investigation and response, auto-heal assets, and provide cross-domain hunting.

    This might help you in understanding the security alerts:
    https://learn.microsoft.com/en-us/defender-for-identity/understanding-security-alerts

    This thread discusses the same topic:
    https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/samr-queries-from-specific-server-not-computer/m-p/331031

    ------------------------------------------------------------------------------------------------------------------------------

    If the reply is helpful, please Upvote and Accept it as an answer
