Defender : Remote SAM database query of type ‘QueryUser’ for the account – User and group membership reconnaissance (SAMR) – Welcome to Pariswells.com

Defender : Remote SAM database query of type ‘QueryUser’ for the account – User and group membership reconnaissance (SAMR)

May 21, 2025
Research
0 Comments
paris

We recently had a defender incident where a device was involved in User and group membership reconnaissance (SAMR)

Checking the device a powershell script had been run with the command

select * from Win32_UserAccount

If you perform a WMI query such as “SELECT * from Win32_UserAccount” it will actually return all domain accounts regardless if they’ve logged in and have a locally cached profile on the device.

$LocalAccount = Get-WmiObject -Query "Select Name, LocalAccount FROM WIN32_UserAccount WHERE LocalAccount=true"

2 Stars

3 Stars

4 Stars

5 Stars

(No Ratings Yet)

Loading...

Sing Pang Looks to be few yeards old post, but BitTitan can migrate more than just 3 latest versions. Just adjust the settings. Still useful way to compare two libraries
How to compare two document libraries from different Office 365 Tenancies \ SharePoint Sites · April 7, 2025
KaiUno Thanks man! Reverting back to 16.0.18227.20162 did the trick for my 2016 environment.
Office 365 crashes on Server 16 Terminal Server – Faulting module path: C:\windows\System32\KERNELBASE.dll · January 14, 2025
PD2JK Tnx! Works here in our environment and rolling back to 16.0.18129.20200 worked like a charm! Kind regards from the Netherlands.
Office 365 crashes on Server 16 Terminal Server – Faulting module path: C:\windows\System32\KERNELBASE.dll · January 13, 2025
Andrea Rochira Well, this solution still works in 2023 and better than PowerShell! Thank you.
Copy file to workstations with Windows Intune · September 19, 2023
Emre Temel Thank you for this information. You save my life. 🙂
Exchange Setup – A required audit event could not be generated for the operation · September 18, 2023

Powered by WordPress | Made with ❤ by Themely