
Detecting Security Events Using the MS-SAMR Protocol

Overview

In this blog post, we will look at methods for detecting security events using network traffic analysis of the MS-SAMR: Security Account Manager (SAM) Remote Protocol (Client-to-Server).

Net (net.exe) commands are often used by attackers and insiders to enumerate target network information, change passwords, and create users. Monitoring for MS-SAMR related activity allows us to detect and respond to this behavior, which is often an important part of attacks such as ransomware.

The purpose of the SAM Remote Protocol is to provide management functionality for the account store or directories containing user and group objects. It exposes the Microsoft Authentication Services protocol (MS-AUTHSOD) for local and remote domains.

A good first step when exploring any Windows remote protocol is to determine the UUID assigned to it. This can be found in the protocol document for the respective protocol.

MS-SAMR is assigned the following UUID per the protocol documentation found here.

12345778-1234-abcd-ef00-0123456789ac

Once you have the UUID, a good place to start is GitHub. Simply paste the UUID into the search box and search all of GitHub. It is then useful to filter by Python and/or Ruby and sort by Recently Indexed. Python is a good filter for the results, as many people use this language and it is usually the first proof-of-concept (POC) code released when a new vulnerability is disclosed.

Scroll through and look for code of interest.


A very good piece of code that provides a lot of information on SAMR is Impacket’s MS-SAMR interface implementation.

In the Arista NDR platform, searching for the SAMR protocol can be accomplished in two ways: by “friendly name” or by UUID.

activity.dcerpc.call.interface == SAMR
activity.dcerpc.call.interface.uuid == 12345778-1234-abcd-ef00-0123456789ac

Searching the platform over a one-day period, we can see several associated SAMR protocol activities. We also see the calling operation 64 (SamrConnect5, detailed below) in the two highlighted activities.


Creating a user via SAMR Protocol

Below we will look at the SAMR protocol methods called to create a user via the Net command.

In this example, “manu” is the username we will create.

net user /add manu <password> /domain

When successful, a server context handle is returned to allow subsequent Remote Procedure Calls (RPCs) from the client to the server instance that is maintaining context for the client.

SamrConnect5 (Opnum 64): When a user is created over the network, this is the first method called. It is used to obtain a handle to a server object. The destination IP/system for this connection will be a domain controller, and the system name is represented as the null-terminated NetBIOS name of the server.

An example can be seen here where the SamrConnect5 method is called and the handle returned.


SamrEnumerateDomainsInSamServer (Opnum 6) is used to obtain a listing of all domains hosted by the server side of the protocol. It uses the connect handle (representing a server object) returned by SamrConnect5 to make its connection to the server.

This method returns the list of domain names and their count, as seen in the samEntries column. In this example, we have LAB and Builtin.


SamrLookupDomainInSamServer (Opnum 5) uses the established context handle to return the SID of a domain object, given the object’s name obtained from the SamrEnumerateDomainsInSamServer method. In our example, we passed in the domain “LAB” and received the SID corresponding to that domain in response.


SamrOpenDomain (Opnum 7) obtains a handle to a domain object, using the SID returned by the previous SamrLookupDomainInSamServer method.


SamrCreateUser2InDomain (Opnum 50) is used to create a user. It connects using the domain handle returned in the SamrOpenDomain response.

In this example the method contains the Name of the user to be created and the account type. An account, according to the MS-SAMR protocol documentation, is a user (including machine accounts), group, or alias object.

In the network traffic we can see that the Account Name is identified as manu:


The response from this method is a user handle object that is used for subsequent method calls.


SamrQueryInformationUser (Opnum 36) is used to obtain attributes from a user object using the user object handle returned by SamrCreateUser2InDomain.

SamrQueryInformationUser returns the UserInformationClass as a USER_CONTROL_INFORMATION structure that indicates how to interpret the buffer parameter for SamrSetInformationUser2, described below. The common user fields can be found in the protocol documentation.


SamrGetUserDomainPasswordInformation (Opnum 44) is also invoked using the user handle returned from SamrCreateUser2InDomain. It obtains select password policy information.


This method returns a PUSER_DOMAIN_PASSWORD_INFORMATION PasswordInformation structure, which includes the minimum password length and password properties for the user’s domain.

Here we can see that the minimum password length is 7 and domain password complexity is enabled.


SamrSetInformationUser2 (Opnum 58) is used to update attributes on a user object. The input is USER_INFORMATION_CLASS UserInformationClass.

The information returned adheres to the SAMPR_USER_INTERNAL4_INFORMATION_NEW structure and holds all attributes of a user, which are described in detail in section 2.2.6.1 Common User Fields of the SAMR protocol document, along with the encrypted password (which is salted).

typedef struct _SAMPR_USER_INTERNAL4_INFORMATION_NEW {
    SAMPR_USER_ALL_INFORMATION I1;
    SAMPR_ENCRYPTED_USER_PASSWORD_NEW UserPassword;
} SAMPR_USER_INTERNAL4_INFORMATION_NEW, *PSAMPR_USER_INTERNAL4_INFORMATION_NEW;

In Wireshark, this is the view you would be shown, where Info25 contains the user attributes described above.


The response contains no additional outputs except for SUCCESS or an ERROR.


Close Requests: Lastly, tearing down the handles is accomplished by issuing Close requests to close out the server, domain, and user handles.


Detection

Methods for detecting user account creation via net user are quite simple using Arista NDR. Even though eight methods are called in total, there are three that, when chained, make a good detection candidate.

SamrCreateUser2InDomain

We know that SamrCreateUser2InDomain returns a user object handle and is necessary when creating an account object. We will first look for this method.

activity.dcerpc.call.interface == SAMR && activity.dcerpc.call.opnum == 50 /* SamrCreateUser2InDomain */

SamrGetUserDomainPasswordInformation

Since other net actions can call SamrQueryInformationUser (for example, when changing user attributes such as a full name), we will look for SamrGetUserDomainPasswordInformation to narrow the results of the query down to the particular activity we are interested in.

If the SamrCreateUser2InDomain method above fails because the account exists or for some other reason, we won’t reach SamrGetUserDomainPasswordInformation, and we will know an account wasn’t successfully created.

activity.dcerpc.call.interface == SAMR && activity.dcerpc.call.opnum == 44 /* SamrGetUserDomainPasswordInformation */

SamrSetInformationUser2

Lastly, we will look for SamrSetInformationUser2 so we know the attributes were set. If this is successful, then the account was successfully created.

activity.dcerpc.call.interface == SAMR && activity.dcerpc.call.opnum == 58 /* SamrSetInformationUser2 */

The Model

The complete model will look like the example below. It requires all three methods to be observed within 30 seconds in total.

model
"models.persistence.remoteUserAccountCreation"
[
  (activity.dcerpc.call.interface == SAMR && activity.dcerpc.call.opnum == 50 /* SamrCreateUser2InDomain */),
  (activity.dcerpc.call.interface == SAMR && activity.dcerpc.call.opnum == 44 /* SamrGetUserDomainPasswordInformation */),
  (activity.dcerpc.call.interface == SAMR && activity.dcerpc.call.opnum == 58 /* SamrSetInformationUser2 */)
]
(model.filter.differentActivityWithinTimeWindow ["device.guid" 30s)
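As an added example (not Arista's model language or platform code), the same three-opnum chain and 30-second window expressed in plain Python over constructed DCERPC call records; the DcerpcCall fields and device_guid are assumptions standing in for the platform's activity.dcerpc and device.guid fields.

```python
from collections import defaultdict
from dataclasses import dataclass

SAMR_UUID = "12345778-1234-abcd-ef00-0123456789ac"
# The three opnums the model chains, in the order net user /add issues them.
CHAIN = (50, 44, 58)  # SamrCreateUser2InDomain, SamrGetUserDomainPasswordInformation, SamrSetInformationUser2
WINDOW_SECONDS = 30

@dataclass(frozen=True)
class DcerpcCall:          # assumed record shape, one per observed DCERPC call
    ts: float              # call time in seconds
    device_guid: str       # the calling client (the model's "device.guid")
    interface_uuid: str
    opnum: int

def detect_remote_user_creation(calls, window=WINDOW_SECONDS):
    """Return (device_guid, start_ts) for each ordered chain 50 -> 44 -> 58
    on the SAMR interface from one device whose calls all fall within
    `window` seconds of the SamrCreateUser2InDomain call."""
    by_device = defaultdict(list)
    for c in sorted(calls, key=lambda c: c.ts):
        if c.interface_uuid.lower() == SAMR_UUID and c.opnum in CHAIN:
            by_device[c.device_guid].append(c)
    hits = []
    for guid, seq in by_device.items():
        for i, start in enumerate(seq):
            if start.opnum != CHAIN[0]:
                continue                      # a chain must begin with the Create
            stage = 1                         # index of the next opnum we expect
            for nxt in seq[i + 1:]:
                if nxt.ts - start.ts > window:
                    break                     # chain timed out: no alert
                if nxt.opnum == CHAIN[stage]:
                    stage += 1
                    if stage == len(CHAIN):
                        hits.append((guid, start.ts))
                        break
    return hits

# Constructed sample traffic (not from the page's PCAP): (ts, device, opnum)
SAMPLE_CALLS = [DcerpcCall(t, d, SAMR_UUID, op) for t, d, op in [
    (100.0, "dev-A", 50), (101.0, "dev-A", 44), (103.0, "dev-A", 58),  # successful net user /add
    (200.0, "dev-B", 50),                                              # Create failed, nothing follows
    (300.0, "dev-C", 36), (301.0, "dev-C", 58),                        # attribute change, no Create
    (400.0, "dev-D", 50), (420.0, "dev-D", 44), (435.0, "dev-D", 58),  # chain exceeds 30 s
]]

ALERTS = detect_remote_user_creation(SAMPLE_CALLS)  # [('dev-A', 100.0)]
```

Only dev-A alerts: the failed Create, the attribute-only change and the chain that overruns the window are all ignored, mirroring the reasoning for the three-method model above.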

Detection

This model recently alerted during an incident response engagement Awake Labs investigated, where the threat actors created a user account that was subsequently used to carry out additional lateral movement and compromise.


And here is a look at the PCAP extracted from the Arista NDR platform.


Conclusion

Monitoring the SAMR protocol is key to identifying lateral movement, privilege escalation, credential abuse, and persistence. It can help identify instances where accounts are created or modified. Identifying this attack tactic as early as possible is therefore critical to impeding the attackers’ progress and to expanding the scope of the investigation by sweeping for use of the attacker-created account.

Contributors

Thanks to Kieran Evans for contributing to the research and blog post.


Patrick Olsen

Director, Awake Labs