Directory enumeration using SAMR

All replies

• 

  

  0

  Sign in to vote

  Hello,
  
  Security account manager remote protocol (SAMR) provides management functionality that is useful for manipulating an account database consisting of users, groups and other security principals. An attacker can potentially exploit this protocol to enumerate a list of accounts and groups as shown in the ATA alert below. 
  
  An investigation should include confirming whether running scanning tools is allowed from the computer in question, and whether the account itself is permitted to do so. Its also important to investigate the source computer for unknown services or software that maybe initiating this process.
  
  
  Best regards,
  Andy Liu
  

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  Monday, May 29, 2017 9:42 AM
• 

  

  0

  Sign in to vote

  Thanks for the reply. I would like to request you to be more precise when you say Unknown services or software that may be initiating this process with some examples apart from Mimikatz.

  Friday, June 23, 2017 2:18 PM
• 

  

  0

  Sign in to vote

  Hello,

  ATA only can monitor the activities of users, groups or computers. It can't detect the specific service or software.

  If you need to find out the program, which initiates this process, I would recommend to use other tools, such as Network Monitor.

  Best regards,

  Andy Liu

  ---

  Please remember to mark the replies as answers if they help.
  If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

  Monday, July 3, 2017 5:57 AM
• 

  

  0

  Sign in to vote

  Thanks for your Reply, Andy. would like to search as per your suggestion. 

  Thursday, July 13, 2017 12:40 PM