
List of SAM-R traces for common SAM-R operations. This is meant to help security analysts understand network traces containing this protocol.


CanadianShield/SAMRTraces


SAM-R Traces

This repository is meant as a continuation of the Protocol Examples section of [MS-SAMR]. The intention is to give examples of the protocol flow we would see in network traces, or in other advanced debugging output, when common SAM-R operations are performed against a domain controller.

The Security Account Manager Remote Protocol (SAM-R) is used by the operating system during many harmless operations. However, it can also be used by malicious actors to perform reconnaissance. On the wire it is RPC over the \PIPE\samr SMB named pipe (interface UUID 12345778-1234-abcd-ef00-0123456789ac), so an analyst will usually find it inside SMB traffic on TCP port 445. The repository gives examples of different operations and their associated call sequences, whether SAM-R is used by the OS or potentially by a malicious actor.

Actions known to use SAM-R

SAM-R on the network can simply be the result of a benign script or application call.

  • System.DirectoryServices.AccountManagement wraps ADSI and can lead to SAM-R calls to a domain controller.
  • ADSI and its WinNT provider can also lead to SAM-R calls (example: in PowerShell, [ADSI]"WinNT://contoso.com/Bob,user" generates multiple SAM-R calls).
  • net.exe (and its helper net1.exe) uses SAM-R against a domain controller (example: net user /domain).

Examples of SAM-R flows

🔎 Creating a user account (example from [MS-SAMR] ¹; another example is available in [MS-ADOD]).

🔎 Enabling a user account (example from [MS-SAMR]) ¹

🔎 Creating a group

🔎 Changing an account's password

🔎 Querying a user account's information

🔎 Querying a group's details and its members

🔎 Querying the domain's account policy

🔎 Enumerating all user accounts

🔎 Enumerating all groups
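The flows above are what an analyst has to recognise in a trace, and the benign sources listed earlier produce the same sequences. The following is an added example, not code from the SAMRTraces repository or from [MS-SAMR]: it reads a constructed, Zeek-style dce_rpc.log excerpt (tab-separated, columns assumed to be ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, rtt, named_pipe, endpoint, operation), keeps only the samr endpoint, resolves bare opnums through a hand-transcribed subset of the [MS-SAMR] section 3.1.5 opnum table, and reports which of the flows each client/DC pair performed. The FLOWS step lists are this example's own simplification of the flows; verify them against the traces in this repository and the spec before using them for detection.

```python
"""Match SAM-R call sequences from a DCE/RPC log against named flows.

Added example (not part of SAMRTraces). The log excerpt is constructed, the opnum
subset is hand-transcribed from [MS-SAMR] 3.1.5, and the FLOWS step lists are an
assumption: check all three against the spec and real traces.
"""
from collections import defaultdict

# Subset of the [MS-SAMR] 3.1.5 opnum table (assumption: hand-transcribed).
SAMR_OPNUMS = {
    0: "SamrConnect", 1: "SamrCloseHandle", 5: "SamrLookupDomainInSamServer",
    6: "SamrEnumerateDomainsInSamServer", 7: "SamrOpenDomain",
    8: "SamrQueryInformationDomain", 10: "SamrCreateGroupInDomain",
    11: "SamrEnumerateGroupsInDomain", 12: "SamrCreateUserInDomain",
    13: "SamrEnumerateUsersInDomain", 19: "SamrOpenGroup",
    25: "SamrGetMembersInGroup", 34: "SamrOpenUser", 36: "SamrQueryInformationUser",
    37: "SamrSetInformationUser", 50: "SamrCreateUser2InDomain",
    55: "SamrUnicodeChangePasswordUser2", 57: "SamrConnect2",
    58: "SamrSetInformationUser2", 62: "SamrConnect4", 64: "SamrConnect5",
}

# Flows as ordered steps. A step matches any method name it is a prefix of, so
# "SamrConnect" covers SamrConnect2/4/5 and "SamrCreateUser" covers both create RPCs.
FLOWS = {
    "enumerate users": ["SamrConnect", "SamrOpenDomain", "SamrEnumerateUsersInDomain"],
    "enumerate groups": ["SamrConnect", "SamrOpenDomain", "SamrEnumerateGroupsInDomain"],
    "query domain policy": ["SamrConnect", "SamrOpenDomain", "SamrQueryInformationDomain"],
    "create user": ["SamrConnect", "SamrOpenDomain", "SamrCreateUser", "SamrSetInformationUser"],
    "group members": ["SamrConnect", "SamrOpenDomain", "SamrOpenGroup", "SamrGetMembersInGroup"],
}

# Constructed log rows (not a real capture); one tuple per RPC call.
def _session(uid, src, ops, t0):
    return [("%.1f" % (t0 + i / 10), uid, src, "10.0.0.1", "samr", op) for i, op in enumerate(ops)]

_ROWS = (
    _session("C1", "10.0.0.5", ["SamrConnect5", "SamrEnumerateDomainsInSamServer",
             "SamrLookupDomainInSamServer", "SamrOpenDomain", "SamrEnumerateUsersInDomain",
             "SamrCloseHandle"], 1700000000.0)
    + _session("C2", "10.0.0.9", ["64", "7", "50", "58"], 1700000001.0)  # bare opnums
    + [("1700000002.0", "C3", "10.0.0.7", "10.0.0.1", "lsarpc", "LsarOpenPolicy2")]
    + _session("C4", "10.0.0.11", ["SamrConnect5", "SamrOpenDomain", "SamrEnumerateUsersInDomain"]
               + ["SamrOpenUser", "SamrQueryInformationUser"] * 3, 1700000003.0)
)
SAMPLE_LOG = ("#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation\n"
              + "\n".join("\t".join([ts, uid, src, "49800", dst, "445", "0.001", "\\pipe\\" + ep, ep, op])
                          for ts, uid, src, dst, ep, op in _ROWS))

def parse_samr_calls(log_text):
    """Return {(orig_h, resp_h): [method, ...]} in timestamp order, samr endpoint only.
    A bare opnum in the operation column is resolved through SAMR_OPNUMS."""
    calls = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 10 or fields[8] != "samr":
            continue
        op = fields[9]
        if op.isdigit():
            op = SAMR_OPNUMS.get(int(op), "samr_opnum_" + op)
        calls.append((float(fields[0]), fields[2], fields[4], op))
    sessions = defaultdict(list)
    for _ts, src, dst, op in sorted(calls):
        sessions[(src, dst)].append(op)
    return dict(sessions)

def _contains_in_order(methods, steps):
    """True when each step occurs after the previous one; other calls may be interleaved."""
    i = 0
    for m in methods:
        if i < len(steps) and m.startswith(steps[i]):
            i += 1
    return i == len(steps)

def match_flows(sessions):
    """Map each (orig_h, resp_h) pair to the names of the flows its call sequence contains."""
    return {pair: [name for name, steps in FLOWS.items() if _contains_in_order(ops, steps)]
            for pair, ops in sessions.items()}

def per_user_queries(sessions):
    """Count SamrOpenUser / SamrQueryInformationUser* calls per pair. A long run of these
    after an enumeration is what per-account querying (a script walking every user through
    the WinNT provider, for instance) looks like on the wire."""
    return {pair: sum(1 for op in ops if op == "SamrOpenUser" or op.startswith("SamrQueryInformationUser"))
            for pair, ops in sessions.items()}

if __name__ == "__main__":
    sessions = parse_samr_calls(SAMPLE_LOG)
    counts = per_user_queries(sessions)
    for pair, flows in match_flows(sessions).items():
        print(pair, "->", ", ".join(flows) or "no known flow", "| per-user queries:", counts[pair])
```

The matcher keys on subsequences rather than exact sequences because real clients interleave SamrCloseHandle, SamrLookupDomainInSamServer and SamrEnumerateDomainsInSamServer calls between the steps that identify a flow, as the traces in this repository show; the enumeration flows also match when the caller is net.exe or a benign script, so the output tells you what was done, not who did it.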

Footnotes

  1. These examples are not the only possible ways to interact with a SamServer to perform those actions.
