Directory enumeration using SAMR

  • Question

  • I need some help here in understanding this alert and acting upon it. I know that this is to identify any AD enumeration from a threat actor's perspective. I see lots of alerts from this. I need to figure out whether they are TPs.


    Thursday, May 25, 2017 2:54 PM

All replies

  • Hello,

    The Security Account Manager Remote Protocol (SAMR) provides management functionality that is useful for manipulating an account database consisting of users, groups and other security principals. An attacker can potentially exploit this protocol to enumerate a list of accounts and groups, as shown in the ATA alert below.

    An investigation should include confirming whether running scanning tools is allowed from the computer in question, and whether the account itself is permitted to do so. It's also important to investigate the source computer for unknown services or software that may be initiating this process.


    Best regards,
    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 29, 2017 9:42 AM
  • Thanks for the reply. I would like to request that you be more precise when you say "unknown services or software that may be initiating this process", with some examples apart from Mimikatz.
    Friday, June 23, 2017 2:18 PM
  • Hello,

    ATA can only monitor the activities of users, groups or computers. It can't detect the specific service or software.

    If you need to find out which program initiates this process, I would recommend using other tools, such as Network Monitor.

    Best regards,

    Andy Liu



    Monday, July 3, 2017 5:57 AM
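The reply above says ATA cannot name the process behind the SAMR traffic, only the account and the source computer. The script below is an added example for triaging that gap on the source computer itself; it is not part of the original thread and is not Microsoft ATA or Network Monitor code. It assumes Sysmon is installed on the host with process-creation (Event ID 1) and network-connection (Event ID 3) logging enabled, that the SAMR calls reached the domain controller over SMB (TCP 445, the \pipe\samr named pipe), and that `DC01.corp.example` and the default `AlertTime` are placeholders to be replaced with the DC names and the timestamp shown in the ATA alert.

```powershell
# Added example (not from the original thread or from Microsoft). Run on the SOURCE
# computer named in the ATA alert, as a local administrator, with Sysmon installed.
# Assumptions: SAMR went over SMB/TCP 445; DC names and the alert time are placeholders.
param(
    [datetime]$AlertTime = (Get-Date),                          # time shown in the ATA alert
    [int]$WindowMinutes = 10,
    [string[]]$DomainControllers = @('DC01.corp.example')       # placeholder DC names
)

$start = $AlertTime.AddMinutes(-$WindowMinutes)
$end   = $AlertTime.AddMinutes($WindowMinutes)
$dcIps = foreach ($dc in $DomainControllers) {
    (Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue).IPAddress
}

# Flatten a Sysmon event's <EventData> into a hashtable keyed by field name
# (Image, User, CommandLine, DestinationIp, DestinationPort, ...).
function Get-SysmonData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $data = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    return $data
}

$sysmon = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1, 3
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue

# (a) Network connections to TCP 445 on a DC inside the window.
# Caveat: anything that goes through the Windows SMB redirector (net.exe, RSAT,
# PowerShell [ADSI] "WinNT://" calls) is attributed to the System process (PID 4),
# because the kernel owns that socket. A process that appears here under its own
# image is carrying its own SMB stack, which on a workstation is itself notable.
$connections = foreach ($e in ($sysmon | Where-Object Id -eq 3)) {
    $d = Get-SysmonData $e
    if ($d.DestinationPort -eq '445' -and $dcIps -contains $d.DestinationIp) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = $d.User
            Image  = $d.Image
            DestIp = $d.DestinationIp
        }
    }
}

# (b) Process creations in the same window: when (a) only shows System, the command
# lines here are what identify the tool and the user who launched it.
$processes = foreach ($e in ($sysmon | Where-Object Id -eq 1)) {
    $d = Get-SysmonData $e
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $d.User
        Image       = $d.Image
        CommandLine = $d.CommandLine
        Parent      = $d.ParentImage
    }
}

'== Connections to DC:445 in the window =='
$connections | Sort-Object Time | Format-Table -AutoSize
'== Processes started in the window =='
$processes | Sort-Object Time | Format-Table Time, User, Image, CommandLine -AutoSize
```

Usage: `.\Triage-SamrSource.ps1 -AlertTime '2017-05-25 14:20' -DomainControllers DC01.corp.example,DC02.corp.example`. Compare the images and command lines against what the host is expected to run (AV, backup and inventory agents, management consoles); a scheduled task or service account running an unfamiliar binary on every alert is the "unknown service or software" the reply refers to. Two limits to keep in mind: SAMR can also be carried as RPC over TCP (endpoint mapper on 135, then a dynamic port), which the port-445 filter will not catch, and without Sysmon the equivalent data comes from Security event 4688 with command-line auditing enabled.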
  • Thanks for your reply, Andy. I would like to search as per your suggestion.
    Thursday, July 13, 2017 12:40 PM