This repository is meant as a continuation of the Protocol Examples section of [MS-SAMR]. The intention is to give the examples of the protocol flow we would see in network traces or some other advanced debugging when common SAM-R operations are performed against a domain controller.
Security Account Manager Remote Protocol is used by the operating system during many harmless operations. However it can also be used by a malicious actors to perform reconaissance tasks. The repository gives examples of different operations and their associated sequences when SAM-R is used by the OS or potentially by a malicious actor.
SAM-R on the network can just be the result of a benign script or application call.
- System.DirectoryServices.AccountManagement wraps ADSI and can lead to SAM-R call to a domain controller.
- ADSI and the WinNT provider also can lead to SAM-R calls (example: in PowerShell
[ADSI]"WinNT://contoso.com/Bob,user"will generate multiples SAM-R calls). - The
net.exe(and its friendnet1.exe) will use SAM-R against a domain controller (example:net users /domain).
π Creating a user account (example from [MS-SAMR] 1 other example available in [MS-ADOD]).
π Enabling a user account (example from [MS-SAMR]) 1
π Creating a group
π Changing an account's password
π Querying a user account's information
π Querying a group's details and its members
π Querying the domain's account policy
π Enumerating all user accounts