Reconnaissance using Directory Services queries


Hi,

I observe SAMR queries from some servers and desktops to the Domain Controller for various user accounts.

So whenever it's an admin account it triggers the Reconnaissance using Directory Services queries alert on ATA (Microsoft Advanced Threat Analytics).

For the investigation I tried to use the ATA guide (https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide), but I'm not sure how to investigate the below:

  1. Are such queries supposed to be made from the source computer in question?

What can be the legitimate cases for SAM-R queries?


Note: This is not related to the Lenovo issue with SAMR or WaAppAgent.exe.


Thanks,
