Windows Server 2016 security auditing for enhanced threat detection
“Detecting malicious reconnaissance attempts to access SAM
The Security Account Manager (SAM) is a database file that stores users’ passwords. A common attack is to access SAM remotely to enumerate user groups, such as finding all the users in the local admin group on a server. On Windows Server 2016, when an attacker with insufficient privilege runs a query on the network to identify highly privileged accounts, you will see the following events on the server:”
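As an added defender-side example (not code from the quoted post), the Python sketch below runs over constructed records modelled on Windows Security Event ID 4661 (a handle to an object was requested, with SAM object types) and flags a non-privileged account that opens several SAM objects, the enumeration pattern the passage describes. That 4661 is the event family meant here, the privileged-account allow-list, and the sample lines are all assumptions made for this example.

```python
"""Flag SAM handle requests by low-privileged accounts (remote user/group
enumeration).  Assumption: the events are Security Event ID 4661 records;
the sample export below is constructed for this example, not real log data."""
from collections import defaultdict

# SAM object classes reported in 4661 events (assumed set for this example).
SAM_OBJECT_TYPES = {"SAM_SERVER", "SAM_DOMAIN", "SAM_ALIAS", "SAM_GROUP", "SAM_USER"}
# Accounts expected to query SAM remotely (constructed allow-list).
PRIVILEGED_SUBJECTS = {"CORP\\Administrator", "CORP\\svc-backup"}

# Constructed pipe-separated export:
# EventID|SubjectUserName|ObjectType|ObjectName|SourceAddress
SAMPLE_LOG = """\
4624|CORP\\jdoe|-|-|10.0.0.25
4661|CORP\\jdoe|SAM_SERVER|CN=Server|10.0.0.25
4661|CORP\\jdoe|SAM_DOMAIN|Builtin|10.0.0.25
4661|CORP\\jdoe|SAM_ALIAS|Administrators|10.0.0.25
4661|CORP\\jdoe|SAM_ALIAS|Remote Desktop Users|10.0.0.25
4661|CORP\\svc-backup|SAM_DOMAIN|Builtin|10.0.0.7
4661|CORP\\svc-backup|SAM_ALIAS|Administrators|10.0.0.7
4661|CORP\\asmith|SAM_USER|asmith|10.0.0.31
"""

def parse_events(text):
    """Parse the export into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        events.append({"EventID": int(parts[0]), "Subject": parts[1],
                       "ObjectType": parts[2], "ObjectName": parts[3],
                       "Source": parts[4]})
    return events

def sam_recon_alerts(events, threshold=3):
    """Return {subject: [object names]} for non-privileged subjects that
    opened at least `threshold` SAM objects; one or two hits is normal noise."""
    touched = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4661 or ev["ObjectType"] not in SAM_OBJECT_TYPES:
            continue
        if ev["Subject"] in PRIVILEGED_SUBJECTS:
            continue
        touched[ev["Subject"]].append(ev["ObjectName"])
    return {s: names for s, names in touched.items() if len(names) >= threshold}

if __name__ == "__main__":
    for subject, objs in sam_recon_alerts(parse_events(SAMPLE_LOG)).items():
        print(f"possible SAM enumeration by {subject}: {', '.join(objs)}")
```

Tune the threshold and allow-list to the server's normal management traffic before alerting on it.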