MS-RPC: SAMR Access Request

This signature detects attempts to connect to the Security Account Manager Remote (SAMR) service on Windows. Attackers may be probing your server for vulnerabilities: a successful login to this service provides important information such as administrator account details, default domain names, open users, and active groups. However, because system administrators also use the SAMR service legitimately, this signature can also detect non-malicious activity.

Extended Description

Attackers may exploit the SAMR service to obtain sensitive information stored in the SAM database of a target Windows system. Once they have obtained this information, attackers may be able to fully compromise the affected system.

Short Name
MS-RPC:SAMR-ACCESS-REQUEST
Severity
Warning
Recommended
False
Recommended Action
None
Category
MS-RPC
Keywords
Access Request SAMR
Release Date
09/30/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Unknown
