Numerous Reconnaissance using directory services queries on Same Users

  • Question

  • Over the past several weeks we have received numerous alerts for Reconnaissance using Directory Services queries for workstations using the SAMR protocol against one of our DCs. The query being run is always against the same two users each time. Not having much luck on tracking down what the culprit is. Suggestions? Thoughts?

    Reconnaissance using directory services queries

    The following directory services queries using SAMR protocol were attempted against DC from USER WORKSTATION: Successful query about 2 sensitive users in xxxx.com

    Wednesday, January 31, 2018 2:44 PM

All replies

  • What is the frequency of the incidents?

    If it's not too long, you can record a Netmon 3.4 capture on the source machine to see which process is creating these SAMR requests.

    Wednesday, January 31, 2018 10:50 PM
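The reply above looks at the client side. As an added example (not from the thread or from ATA), the DC side can answer the other half of the question, which account is issuing the queries and how often: with the "Audit SAM" subcategory (Object Access) enabled, the DC logs Security event 4661 for each SAM object handle request. The script assumes the Object Name field carries the target account's SID; the SIDs, account names and timestamps below are constructed placeholders, and `Get-SamUserQuery` is a name chosen here.

```powershell
# Placeholders: replace with the SIDs of the two accounts named in the alert.
$TargetUsers = @('S-1-5-21-0-0-0-1104', 'S-1-5-21-0-0-0-1105')

# Hypothetical helper: keeps 4661 events that open a SAM_USER object for one
# of the watched accounts and reports who asked and when.
function Get-SamUserQuery {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] $Event)   # objects with TimeCreated/Message
    process {
        $m = $Event.Message
        if ($m -notmatch 'Object Type:\s+SAM_USER') { return }
        $target = [regex]::Match($m, 'Object Name:\s+(\S+)').Groups[1].Value
        if ($TargetUsers -notcontains $target) { return }
        # The Subject block names the account the workstation used for the query.
        $subject = [regex]::Match($m, 'Subject:\s+Security ID:\s+\S+\s+Account Name:\s+(\S+)').Groups[1].Value
        [pscustomobject]@{ Time = $Event.TimeCreated; Subject = $subject; Target = $target }
    }
}

# Constructed sample events standing in for:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4661 }
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2018-01-31 14:44'; Message = @"
A handle to an object was requested.
Subject:
    Security ID:    S-1-5-21-0-0-0-2001
    Account Name:   svc-inventory
Object:
    Object Server:  Security Account Manager
    Object Type:    SAM_USER
    Object Name:    S-1-5-21-0-0-0-1104
"@ }
    [pscustomobject]@{ TimeCreated = [datetime]'2018-01-31 14:44'; Message = @"
A handle to an object was requested.
Subject:
    Security ID:    S-1-5-21-0-0-0-2001
    Account Name:   svc-inventory
Object:
    Object Server:  Security Account Manager
    Object Type:    SAM_GROUP
    Object Name:    S-1-5-21-0-0-0-512
"@ }
)

# Frequency per (requesting account, target): here one hit for svc-inventory,
# the SAM_GROUP request is filtered out.
$sample | Get-SamUserQuery | Group-Object Subject, Target |
    Select-Object Name, Count, @{ n = 'Last'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }
```

Event 4661 records the process on the DC (lsass.exe), not on the workstation, so pair the subject account and timestamps it yields with the client-side capture to narrow down which process there is responsible.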