SAM-R Downgrade Attack Vulnerability in Defender for Identity

Microsoft has identified a critical vulnerability related to SAM-R (Security Account Manager Remote Protocol) when used with Microsoft Defender for Identity. This downgrade attack could allow attackers to bypass security controls, prompting Microsoft to disable SAM-R queries in the coming weeks.

Affected Versions:

  • Only the classic sensor (legacy) is vulnerable.
  • The newer XDR agent sensor (3.x) is not affected.

Limitations:

  • The new sensor requires Windows Server 2019 or later.
  • Some detections are still being rewritten for the new sensor.

Mitigation Steps:

1. Disable SAM-R queries if still in use.
2. Migrate to the XDR agent sensor (if running Server 2019+).
3. Monitor Microsoft’s updates for detection improvements.

🔗 Reference: Microsoft Security Advisory

You Should Know:

1. Checking SAM-R Usage in Your Environment

Use PowerShell to detect SAM-R usage (Security event 4661, "A handle to an object was requested", records handles opened against SAM objects; the property index below is assumed to be ObjectType, e.g. SAM_USER):

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4661} |
    Where-Object { $_.Properties[5].Value -like "SAM*" }   # index 5 = ObjectType (assumed)
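The one-liner above only lists raw events. The script below is an added example, not code from the original post or from Microsoft, that reads the same 4661 events and summarises them per calling account so that unusual SAM enumeration stands out. It assumes that "Audit SAM" object-access auditing is enabled on the domain controller, that the caller can read the Security log, and that the 4661 property indexes used (SubjectUserName = 1, SubjectDomainName = 2, ObjectServer = 4, ObjectType = 5, ObjectName = 6, ProcessName = 15) match the event schema on your build.

```powershell
# Added example (not from the original post): summarise SAM-R object access from
# Security event 4661 ("A handle to an object was requested") per calling account.
# Assumes "Audit SAM" auditing is enabled and the property indexes below (assumed)
# follow the 4661 schema: 1 SubjectUserName, 2 SubjectDomainName, 4 ObjectServer,
# 5 ObjectType, 6 ObjectName, 15 ProcessName.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddHours(-24)
)

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4661
    StartTime = $Since
} -ErrorAction SilentlyContinue

$samr = foreach ($e in $events) {
    $p = $e.Properties
    # Keep only handles opened against the SAM database, not other object servers
    if ($p[4].Value -ne 'Security Account Manager') { continue }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Subject    = "$($p[2].Value)\$($p[1].Value)"
        ObjectType = $p[5].Value      # e.g. SAM_USER, SAM_GROUP, SAM_DOMAIN
        ObjectName = $p[6].Value
        Process    = $p[15].Value
    }
}

# Accounts that touch many distinct SAM objects in a short window are worth a look.
# The Defender for Identity directory service account is expected to appear here
# while the classic sensor still issues SAM-R queries.
$samr |
    Group-Object Subject |
    Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{n = 'ObjectTypes'; e = { ($_.Group.ObjectType | Sort-Object -Unique) -join ',' } },
        @{n = 'Objects';     e = { ($_.Group.ObjectName | Sort-Object -Unique).Count } },
        @{n = 'Processes';   e = { ($_.Group.Process    | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Run it on a domain controller (or point -ComputerName at one) after confirming the 4661 property layout with a single event, for example `(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4661} -MaxEvents 1).Properties`, since a wrong index silently yields empty columns rather than an error.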

2. Disabling SAM-R Protocol via GPO

  • Open Group Policy Management Editor (gpedit.msc).
  • Navigate to:
    Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options
  • Set “Network access: Restrict clients allowed to make remote calls to SAM” to Deny.
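The policy above is stored locally as an SDDL security descriptor in the RestrictRemoteSAM value under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa. The script below is an added example (not from the original post or from Microsoft) that shows what the current descriptor allows in readable form and, with -Apply, writes a descriptor that permits only the local Administrators group. The SDDL default and the registry location are taken from Microsoft's documentation of the setting; the behaviour on builds that predate the setting (unrestricted unless the value is set) is an assumption you should confirm for your OS versions.

```powershell
# Added example (not from the original post): audit and optionally set the local
# equivalent of "Network access: Restrict clients allowed to make remote calls to SAM".
# The value is an SDDL string; "O:BAG:BAD:(A;;RC;;;BA)" grants remote SAM access to
# the local Administrators group (BA) only. In a domain, prefer the GPO so that the
# local value is not overwritten at the next policy refresh.
param(
    [switch]$Apply,
    [string]$Sddl = 'O:BAG:BAD:(A;;RC;;;BA)'
)

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$current = (Get-ItemProperty -Path $lsaKey -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM

if (-not $current) {
    # Assumption: Server 2016+ defaults to Administrators only when the value is absent;
    # older builds with the backported update apply no restriction until it is set.
    Write-Warning 'RestrictRemoteSAM is not set; the OS default applies.'
} else {
    Write-Host "Current RestrictRemoteSAM: $current"
    # Decode the SDDL so the principals that may call SAM remotely are readable
    $sd = ConvertFrom-SddlString -Sddl $current
    foreach ($ace in $sd.DiscretionaryAcl) { Write-Host "  $ace" }
}

if ($Apply) {
    Set-ItemProperty -Path $lsaKey -Name RestrictRemoteSAM -Value $Sddl -Type String
    Write-Host "RestrictRemoteSAM set to: $Sddl"
}
```

Before tightening the descriptor on member servers, check whether the Defender for Identity directory service account is still granted access there: Microsoft's own guidance for the classic sensor adds that account to this policy so lateral-movement-path detection can query SAM, and removing it changes what the sensor can see until SAM-R queries are disabled as the advisory describes.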

3. Monitoring with Defender for Identity

Check for suspicious SAM-R activity using Advanced Hunting:

DeviceEvents
| where ActionType == "SamrQueryInformationUser"
| summarize count() by DeviceName, InitiatingProcessAccountName

4. Migrating to XDR Agent Sensor

  • Prerequisite: Windows Server 2019 or later.
  • Steps:
    1. Uninstall the classic sensor:
       Uninstall-Module -Name "MicrosoftDefenderForIdentity" -Force
    2. Install the XDR agent:
       Install-Module -Name "MicrosoftDefenderForCloud" -Force

5. Alternative: Restrict SAM-R via Firewall

Block SAM-R (TCP 445) for unnecessary systems. Note that TCP 445 carries all SMB traffic, not only the SAM-R named pipe, so a blanket block also cuts file shares and, on a domain controller, SYSVOL and Group Policy retrieval; scope it to hosts that need no SMB at all and use the GPO setting above as the targeted control elsewhere:

 Linux (iptables)
sudo iptables -A INPUT -p tcp --dport 445 -j DROP

 Windows (Firewall Rule)
New-NetFirewallRule -DisplayName "Block SAM-R" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block

What Undercode Say:

This SAM-R downgrade attack highlights the risks of legacy protocols in modern security architectures. Organizations must:
– Audit SAM-R usage (Get-SmbSession).
– Enforce SMB signing (Set-SmbClientConfiguration -RequireSecuritySignature $true).
– Monitor for NTLM relay attacks (Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768}).
– Consider disabling NTLM (New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5).

🔹 Expected Output:

  • A hardened Active Directory with restricted SAM-R access.
  • Logging enabled for SAM-R-related events.
  • Migration to XDR sensor for Server 2019+ environments.

Prediction:

As attackers increasingly exploit legacy protocols, Microsoft will likely deprecate SAM-R entirely in favor of modern authentication methods like Kerberos AES encryption. Organizations should prepare for stricter default security policies in future Windows updates.

References:

Reported By: Nathanmcnulty If – Hackers Feeds