Archive for April, 2018


Querying the Windows Security Account Manager (SAM) remotely via the SAM-Remote (SAMR) protocol against a victim’s domain machines allows attackers to enumerate all domain and local users together with their group membership, and to map possible routes within the victim’s network. Recently, some frameworks (e.g. BloodHound) have automated that mapping process.

By default, the SAM can be accessed remotely (via SAMR) by any authenticated user, including network-connected users, which effectively means that any domain user is able to access it. Windows 10 introduced an option to control remote access to the SAM through a specific registry value. In the Windows 10 Anniversary Update (version 1607) the default permissions were changed to allow remote access only to administrators. An accompanying Group Policy setting was added, which gives a user-friendly interface for altering these default permissions.

SAMR: Remote Querying of SAM

The Security Account Manager Remote Protocol (SAMR) exposes the Security Account Manager database to remote authenticated domain users. It does so for both local and domain accounts. Five kinds of objects are exposed by the protocol: server, domain, group, alias and user. All of these objects can be read and updated, and some (user, group and alias) can also be created and deleted.

Flow and Usage

The basic flow of using the SAMR protocol is as follows:

  1. Connect to a server (the remote machine).
  2. Enumerate/look up the domains on the server.
  3. Open the domain of interest.
  4. Look up a user or alias/group in the domain.
  5. Open the user/alias of interest.
  6. Query the user/alias of interest.

There are a few tools that use these API calls, such as Net User/Net Group, PowerSploit’s Get-NetLocalGroup and Impacket’s samrdump. Net User and Net Group are Windows built-in command-line tools; with them an authenticated user can add, modify and display information on users or groups, respectively, on the local machine or its domain controller. Get-NetLocalGroup queries a remote machine for its local groups (including the “Administrators” and “Users” groups). samrdump queries the target machine for its local users (using EnumDomainUsers on the target machine). Microsoft ATA detects the use of such queries and alerts the security administrator about them.

Hardening SAM Remote access:
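As an added example (not part of the original post), the following PowerShell reads and, where needed, sets the RestrictRemoteSAM registry value that backs the Group Policy setting “Network access: Restrict clients allowed to make remote calls to SAM” referred to above; the administrators-only SDDL it applies is the Windows 10 version 1607 default. The function names are the example’s own, and writing the value requires an elevated session.

```powershell
# Added example: audit and harden remote SAM access on the local machine.
# RestrictRemoteSAM (REG_SZ) holds an SDDL string; when the value is absent the
# pre-1607 behaviour applies and any authenticated user may query SAM remotely.
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$AdminsOnlySddl = 'O:BAG:BAD:(A;;RC;;;BA)'   # allow RC (READ_CONTROL) to BUILTIN\Administrators only

function Get-RemoteSamRestriction {
    # Returns the current SDDL string, or $null when the value is not set.
    (Get-ItemProperty -Path $LsaKey -Name 'RestrictRemoteSAM' -ErrorAction SilentlyContinue).RestrictRemoteSAM
}

function Test-RemoteSamRestriction {
    param([string]$Sddl)
    if (-not $Sddl) { return $false }
    # Parse the SDDL and fail if any allow ACE grants a principal other than Administrators.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and
            -not $ace.SecurityIdentifier.IsWellKnown([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)) {
            return $false
        }
    }
    return $true
}

function Set-RemoteSamRestriction {
    param([string]$Sddl = $AdminsOnlySddl)
    # Needs an elevated session; the same value is what the Group Policy setting writes.
    Set-ItemProperty -Path $LsaKey -Name 'RestrictRemoteSAM' -Value $Sddl -Type String
}

$current = Get-RemoteSamRestriction
if (Test-RemoteSamRestriction $current) {
    Write-Host "Remote SAM access is already restricted: $current"
} else {
    Write-Host "Remote SAM access is NOT restricted (current value: '$current'); applying administrators-only SDDL"
    Set-RemoteSamRestriction
}
```

Where the machine is domain-joined, prefer setting this through the Group Policy path named above so the value is enforced consistently rather than per host.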





GPO – backup all

To back up all GPOs: Backup-Gpo -All -Path \\myserver\gpobackup

Understanding the precedence of retention policies between the Security & Compliance Center and the other Office 365 applications:

Video: how to create a label and publish it:

A retention policy in Office 365 can help you achieve all of these goals. Managing content commonly requires two actions:

  • Retaining content so that it can’t be permanently deleted before the end of the retention period.
  • Deleting content permanently at the end of the retention period.

To understand how different retention policies are applied to content, keep these principles of retention in mind:

  1. Retention wins over deletion. Suppose that one retention policy says to delete Exchange email after three years, but another retention policy says to retain Exchange email for five years and then delete it. Any content that reaches three years old will be deleted and hidden from the users’ view, but still retained in the Recoverable Items folder until the content reaches five years old, when it will be permanently deleted.
  2. The longest retention period wins. If content is subject to multiple policies that retain content, it will be retained until the end of the longest retention period.
  3. Explicit inclusion wins over implicit inclusion. This means:
    1. If a label with retention settings is manually assigned by a user to an item, such as an Exchange email or OneDrive document, that label takes precedence over both a policy assigned at the site or mailbox level and a default label assigned by the document library. For example, if the explicit label says to retain for ten years, but the policy assigned to the site says to retain for only five years, the label takes precedence. Note that auto-apply labels are considered implicit, not explicit, because they’re applied automatically by Office 365.
    2. If a retention policy includes a specific location, such as a specific user’s mailbox or OneDrive for Business account, that policy takes precedence over another retention policy that applies to all users’ mailboxes or OneDrive for Business accounts but doesn’t specifically include that user’s mailbox.
  4. The shortest deletion period wins. Similarly, if content is subject to multiple policies that delete content (with no retention), it will be deleted at the end of the shortest retention period.

Understand that the principles of retention work as a tie-breaking flow from top to bottom: If the rules applied by all policies or labels are the same at one level, the flow moves down to the next level to determine precedence for which rule is applied.

Office 365 groups retention and expiration:

A retention policy defined in the Security & Compliance Center wins.

After expiration (the configured number of inactivity days), the Office 365 group is soft-deleted and can be recovered within the next 30 days, unless a retention policy specifies a longer period. The owner(s) are informed 30 days, 15 days and 1 day before group expiration.


Onedrive data deletion and retention:

By default, 30 days.

Max 93 days for SPO:


Retention for EXO:



Restore a deleted O365 group:

Archive or restore a team:






In the context of Exchange Hybrid and distribution groups:

Configure Office 365 Groups with on-premises Exchange Hybrid:


There is no way to disable the welcome message by default; it can only be disabled after the Office 365 groups have been created, using this PowerShell script:

$UserCredential = Get-Credential

# The Exchange Online connection URI was stripped from the original post; supply your tenant's endpoint here.
$ConnectionUri = "<Exchange Online PowerShell connection URI>"
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Get all Office 365 Groups that have the Welcome Message enabled
$O365Groups = Get-UnifiedGroup | Where-Object { $_.WelcomeMessageEnabled -eq $true }

# Iterate through the Groups, disabling the Welcome Message
foreach ($group in $O365Groups) {
    Write-Host "Disabling Welcome Message on O365 Group: " -NoNewline
    Write-Host $group.DisplayName -ForegroundColor Cyan
    Set-UnifiedGroup $group.Identity -UnifiedGroupWelcomeMessageEnabled:$false
}

# Close the Session
Remove-PSSession $Session

How to connect to Office 365 services with PowerShell:


write-host "Enter the O365 domain" -foreground blue
$domainHost = "<domain host name, such as litware for>"
$credential = Get-Credential

write-host "Load MS online..." -foreground green
Import-Module MSOnline
Connect-MsolService -Credential $credential

write-host "Load SPO..." -foreground yellow
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
# The SharePoint Online admin URL is derived from the tenant host name
Connect-SPOService -Url "https://$domainHost-admin.sharepoint.com" -Credential $credential

write-host "Load SfB..." -foreground yellow
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $credential
Import-PSSession $sfboSession

write-host "Load EXO..." -foreground yellow
# The connection URIs below were stripped from the original post; supply your tenant's endpoints.
$exchangeUri = "<Exchange Online PowerShell connection URI>"
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $exchangeUri -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $exchangeSession

write-host "Load SCC..." -foreground yellow
$sccUri = "<Security & Compliance Center PowerShell connection URI>"
$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $sccUri -Credential $credential -Authentication Basic -AllowRedirection
Import-PSSession $SccSession


MS Graph API

Resources for MS graph API:

Graph explorer:


NTLM is still used in the following situations:

  • The client is authenticating to a server using an IP address.
  • The client is authenticating to a server that belongs to a different Active Directory forest that has a legacy NTLM trust instead of a transitive inter-forest trust.
  • The client is authenticating to a server that doesn’t belong to a domain.
  • No Active Directory domain exists (commonly referred to as “workgroup” or “peer-to-peer”).
  • A firewall would otherwise restrict the ports required by Kerberos (typically TCP 88).


A colleague of mine found these interesting articles:



GPO Basics:

1) Structure of a GPO:

A GPO consists of two parts: the Group Policy Container (GPC), which exists in Active Directory, and the Group Policy Template (GPT), where the actual content of your GPOs resides.

A third component, known as Client-Side Extensions (CSEs), can be found on client devices; they are necessary for the devices to properly process the Group Policies assigned to them.


2) GPO processing (LSDOU):


3) GPO troubleshooting:


GPO management with PowerShell:

PowerShell – how to translate a GPO GUID to a name?

Get-GPO -Guid "{AD7E3746-7135-496B-A1F5-B5B11871F96F}"

PowerShell – how to list all GPOs?

Get-GPO -all

Get-GPo -all | ft -autosize

Get-GPO -all | out-gridview

PowerShell – how many GPOs?

(get-gpo -all).count

PowerShell – how to translate a GPO name to a GUID?

PS Z:\ADGPO management> Get-GPO -all | where {$_.Id -like "bd9df1be-3663-4cb4-bb71-35f7e27c691f"} | select Id,DisplayName | ft -autosize

Id                                   DisplayName
--                                   -----------
bd9df1be-3663-4cb4-bb71-35f7e27c691f Corporate-A-All-Settings-Restore


PowerShell – how to create and link a GPO?

First, check that the Starter GPO you want to base the new GPO on exists:

PS C:\> Get-GPStarterGPO -Name "Laptops"

Next, you can use the New-GPO cmdlet to create the new GPO from your Starter GPO as follows:

PS C:\> New-GPO -Name "France-Laptops" -StarterGpoName "Laptops"

Finally, you can link the new GPO to the targeted OU as follows:

PS C:\> New-GPLink -Name "France-Laptops" -Target "ou=computers,ou=France,dc=hq,dc=mydomain,dc=com"

Alternatively, by using the Windows PowerShell pipeline feature, you can create and link the GPO using a single command.
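The single-command form mentioned above, as an added example that is not part of the original post: it reuses the Starter GPO, GPO name and OU from the steps above, assumes the GroupPolicy module is installed, and creates the link disabled so the settings can be reviewed before they apply.

```powershell
# Added example: create the GPO from the Starter GPO and link it to the OU in one pipeline,
# then verify the link on the OU. Names and the OU path are the ones used in the steps above.
$StarterGpo = 'Laptops'
$GpoName    = 'France-Laptops'
$TargetOu   = 'ou=computers,ou=France,dc=hq,dc=mydomain,dc=com'

Import-Module GroupPolicy

# New-GPLink takes the new GPO's Id from the pipeline, so one command creates and links it.
# -LinkEnabled No stages the link disabled; enable it with Set-GPLink once reviewed.
$link = New-GPO -Name $GpoName -StarterGpoName $StarterGpo |
        New-GPLink -Target $TargetOu -LinkEnabled No

# Confirm the OU now carries the link and show its order and enforcement state.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
```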

How to display Room mailbox settings with PowerShell: