Over the past several weeks we have received numerous alerts for Reconnaissance using Directory Services queries for workstations using the SAMPR protocol against one of our DCs. The query being run is always against the same two users each time. Not having much luck tracking down what the culprit is. Suggestions? Thoughts?
Reconnaissance using directory services queries
The following directory services queries using SAMR protocol were attempted against DC from USER WORKSTATION: Successful query about 2 sensitive users in xxxx.com