SOLVED

MDI Lab Question - Issue with Directory Service Enumeration / gMSA / SAM-R Policy


Hi,

I set up my MDI lab with a Windows 2019 server, created a gMSA and installed the MDI sensor successfully.

In Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Micro... I need to add the Defender for Identity service account to the SAM-R policy. In my case I added the gMSA, which I assume is correct.

I am now working my way through the lab playbooks (https://docs.microsoft.com/en-us/defender-for-identity/playbook-reconnaissance#directory-service-enu...) and noticed that I get a

System Error 5 has occurred ... Access Denied

error when running the

net user /domain

command as user JeffL from VictimPC (Windows 10 1909). When I run the command as domain admin on that workstation it works and I see the proper output, which makes sense because the SAM-R policy says that only Domain Administrators and the gMSA are allowed.

It looks to me that everything is set up as it should be and a non-domain admin is unable to run

net user /domain

on that workstation. I'd like to test MDI, though, and recreate the alerts by using the JeffL user. What am I doing wrong here?

Thanks,

Andre

See https://docs.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts#user-and-group-membersh...

This alert has a learning period; make sure the conditions you created are applicable to trigger the alert in this case.
Thanks for the link to the documentation, Eli. That's good to know that there's a learning period.

The problem I have is that I receive an error message when running the command "net user /domain" as JeffL in this playbook (https://docs.microsoft.com/en-us/defender-for-identity/playbook-reconnaissance#directory-service-enu...).
The command works if I log into the command line as a domain admin but not as local admin.

@amueller-tf If I am not mistaken, in Windows 2019 SAMR is restricted by default, so it is expected that a normal user would fail...

The screenshot from the playbook is from an older OS.

best response confirmed by amueller-tf (Occasional Contributor)
Solution
Ah, thanks again, Eli. I suspected that this would be the case after I read the lab setup again. I guess I made my lab too difficult to hack by using Windows Server 2019 ...
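The thread ends on Eli's point that current Windows builds restrict remote SAM-R calls by default. The following PowerShell is an added example, not code from the thread or from Microsoft's MDI documentation: it reads the effective "Network access: Restrict clients allowed to make remote calls to SAM" setting on the local machine (stored as an SDDL string in the RestrictRemoteSAM value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), decodes which principals it allows, checks whether a given SID such as the sensor's gMSA is listed, and builds the SDDL you would paste into the GPO setting. The gMSA name `mdiSvc01$` in the usage comments is a placeholder; the default SDDL `O:SYG:SYD:(A;;RC;;;BA)` is the built-in value Windows applies when nothing is configured.

```powershell
# Added example (not from the thread): inspect and reason about the RestrictRemoteSAM policy.
# Run it on VictimPC and on the DC. When the value is absent, Windows 10 / Server 2016+
# already limit remote SAM-R calls to local Administrators, which is why a plain domain
# user like JeffL receives "System error 5" from "net user /domain" while a domain admin
# (a member of the DC's BUILTIN\Administrators) succeeds.

function Get-RestrictRemoteSamPolicy {
    [CmdletBinding()]
    param(
        # Built-in default used when no explicit value is configured: Administrators only.
        [string]$DefaultSddl = 'O:SYG:SYD:(A;;RC;;;BA)'
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = (Get-ItemProperty -Path $key -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    $explicit = -not [string]::IsNullOrEmpty($sddl)
    if (-not $explicit) { $sddl = $DefaultSddl }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $entries = foreach ($ace in $sd.DiscretionaryAcl) {
        # Resolve the SID to an account name where the machine can translate it.
        try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        [pscustomobject]@{
            Principal  = $name
            Sid        = $ace.SecurityIdentifier.Value
            Type       = $ace.AceType                    # AccessAllowed / AccessDenied
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)  # 0x20000 = READ_CONTROL, the "RC" right
        }
    }
    [pscustomobject]@{
        ExplicitlyConfigured = $explicit
        Sddl                 = $sddl
        Entries              = @($entries)
    }
}

# True when the SID appears directly in an AccessAllowed ACE of the effective policy.
# Membership in an allowed group (e.g. a domain admin via BUILTIN\Administrators on the DC)
# is deliberately not expanded here; this answers "did I add this account to the policy?".
function Test-RemoteSamAllowed {
    param([Parameter(Mandatory)][string]$Sid)
    $policy = Get-RestrictRemoteSamPolicy
    [bool]($policy.Entries | Where-Object { $_.Type -eq 'AccessAllowed' -and $_.Sid -eq $Sid })
}

# Build the SDDL for the GPO setting: keep the default Administrators entry and add each
# supplied SID with the RC (READ_CONTROL) right, which is how this policy expresses "may call".
function New-RestrictRemoteSamSddl {
    param([Parameter(Mandatory)][string[]]$AllowSid)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor('O:SYG:SYD:(A;;RC;;;BA)')
    foreach ($s in $AllowSid) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($s)
        $ace = New-Object System.Security.AccessControl.CommonAce(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            0x20000, $sid, $false, $null)
        $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    }
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Usage (placeholder gMSA name; requires the ActiveDirectory module on the machine running it):
#   $gmsaSid = (Get-ADServiceAccount -Identity 'mdiSvc01$').SID.Value
#   Get-RestrictRemoteSamPolicy | Format-List
#   Test-RemoteSamAllowed -Sid $gmsaSid
#   New-RestrictRemoteSamSddl -AllowSid $gmsaSid   # paste into the GPO's SAM-R setting
```

The function only reads the registry; apply the generated SDDL through the Group Policy setting as the linked SAM-R article describes rather than writing the value by hand, so the DC and the workstations receive the same policy. Running `Get-RestrictRemoteSamPolicy` on a freshly built Server 2019 DC shows `ExplicitlyConfigured` as false and a single `BUILTIN\Administrators` entry, which matches the behaviour Andre observed for JeffL.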