Windows Server 2016 security auditing for enhanced threat detection

Windows Server 2016 security auditing for enhanced threat detection

“Detecting malicious reconnaissance attempts to access SAM
The Security Account Manager (SAM) is a database file, which stores users’ passwords. A common attack is to access SAM remotely to enumerate user groups, such as finding all the users in the local admin group on a server. On Windows Server 2016, when an attacker with insufficient privilege runs a query on the network to identify highly privileged accounts, you will see the following events on the server:”