Security Account Manager (SAM) Remote Protocol (MS-SAMR)
- 12345778-1234-ABCD-EF00-0123456789AC
samsrv.dll(loads into)lsass.exe
- ncacn_ip_tcp
- ncacn_np:
\PIPE\lsassalias\pipe\samr
-
Network:
- Network traffic over
\pipe\samror\pipe\lsass - Destination port: 445
- Methods:
SamrOpenDomainSamrOpenGroupSamrLookupNamesSamrQueryInformationGroupSamrEnumerateDomainsInSamServerSamrEnumerateGroupsInDomainSamrEnumerateAliasesInDomainSamrEnumerateUsersInDomain
- Network traffic over
-
Host:
- Event ID 5145:
- Share Name:
\\*\IPC$ - Relative Target Name:
samr - Access Mask:
0x12019f(Rights could be potentially less depending on the method called. Test was done via net.exe) - Object Type:
File - Look at Source Address when investigating
- Share Name:
- Event ID 5145:
-
Add RestrictRemoteSam in HKLM/System/CurrentControlSet/Control/Lsa to O:SYG:SYD:(A;;RC;;;BA) to only allow Local Admin (on DC)/Remote SAM User Group
- Tool that does this: https://github.com/shmitty275/powershell/blob/master/SAMRi10.ps1
-
RPC Filter Example:
rpc
filter
add rule layer=um actiontype=permit
add condition field=if_uuid matchtype=equal data=12345778-1234-ABCD-EF00-0123456789AC
add condition field=remote_user_token matchtype=equal data=D:(A;;RC;;;BA)
add filter
add rule layer=um actiontype=block
add condition field=if_uuid matchtype=equal data=e3514235-4b06-11d1-ab04-00c04fc2dcd2
add filter
quit
- RPC Filter to only allow local admins to use SAMR
- Often seen with BH activity. Look for connection to named pipe (both client and server)
- Server, domain, group, alias and user can be read/read through SAMR.
- User, group and alias can be created/deleted
- MDI has alert set up that will trigger after first month: https://docs.microsoft.com/en-us/defender-for-identity/reconnaissance-alerts
- If RPC Filter is applied, set up a "Remote SAM Group" and apply them to the filter