Microsoft Defender for Identity: Investigate User and group membership reconnaissance (SAMR)

New Contributor


We are using Microsoft Defender for Identity within our network. 
After the grace period of 4 weeks we started to receive these alerts: 
User and group membership reconnaissance (SAMR)


When investigating these alerts in Microsoft 365 Defender, we are able to see when these SAMR queries are performed as well as the source and destination host. This lead us to believe that the alerts are being triggered by some sort of tooling which is performing SAMR queries at random times. 

When trying to pinpoint the process/tooling triggering these alerts using advanced hunting, we are only able to see that the queries are being triggered by a Kernel process ran by the System user. 
This can be reproduced by running the "net user /domain"  command from a domain joined, MSDE enrolled device. 

So far we have been unable to pinpoint the process, it even seems like the data inside the Threat hunting results is not always correct (wrong source IP, ...). After discussing this with Microsoft support we are still unable to pinpoint the process triggering these queries. 

It might be possible that the Defender for Identity sensors are triggering these alerts but we cannot find any evidence on that. Is it possible to investigate where the SAMR queries that are triggering these alerts come from? 

Kind regards, 

0 Replies