Sep 16 2021 09:35 PM - last edited on Nov 30 2021 01:41 PM by Allen
I observe SAMR queries from some servers and desktops to the domain controller for various user accounts.
So whenever it's an admin account, it triggers the "Reconnaissance using Directory Services queries" alert on ATA (Microsoft Advanced Threat Analytics).
For the investigation I tried to use the ATA guide, but I am not sure how to investigate the below:
- Are such queries supposed to be made from the source computer in question?
- What can be the legitimate cases for SAM-R queries?
Note: This is not related to the Lenovo issue with SAMR or WaAppAgent.exe.