The following sequence of methods and parameters enumerates all groups on a domain controller "secdc02" in a domain name of "piesec". Here is the command used to trigger this flow: net group /domain.
Note that the field Status refers to the ReturnValue on a network trace.
1. ➡️ Send SamrConnect5
Details SamrConnect5.
| Parameter field | Parameter value |
|---|---|
| ServerName | \\SECDC02.piesec.ca |
| DesiredAccess | 0x301 |
| InVersion | 1 |
| InRevisionInfo | SAMPR_REVISION_INFO_V1 structure |
DesiredAccess mask corresponds to SpecificRights:SamServerEnumerateDomains.
2. ⬅️ Receive SamrConnect5
| Parameter field | Parameter value |
|---|---|
| OutVersion | 1 |
| OutRevisionInfo | 3 |
| ServerHandle | [implementation-specific value] serverHandle |
| Status | 0 |
3. ➡️ Send SamrEnumerateDomainsInSamServer
Details SamrEnumerateDomainsInSamServer.
| Parameter field | Parameter value |
|---|---|
| ServerHandle | serverHandle |
| EnumerationContext | 0x0 |
| PreferedMaximumLength | 0x2000 |
4. ⬅️ Receive SamrEnumerateDomainsInSamServer
| Parameter field | Parameter value |
|---|---|
| EnumerationContext | 4 |
| Buffer | SAMPR_ENUMERATION_BUFFER structure |
| CountReturned | 2 |
| Status | 0 |
5. ➡️ Send SamrLookupDomainInSamServer
Details SamrLookupDomainInSamServer.
| Parameter field | Parameter value |
|---|---|
| ServerHandle | serverHandle |
| Name | piesec |
6. ⬅️ Receive SamrLookupDomainInSamServer
| Parameter field | Parameter value |
|---|---|
| DomainId | [implementation-specific SID]. For example: S-1-5-21-776355648-152374955-3729610662 |
| Status | 0 |
7. ➡️ Send SamrOpenDomain
Details SamrOpenDomain.
| Parameter field | Parameter value |
|---|---|
| ServerHandle | serverHandle |
| DesiredAccess | 0x304 |
| DomainId | S-1-5-21-776355648-152374955-3729610662 |
DesiredAccess mask corresponds to SpecificRights: DomainReadOther, SpecificRights: DomainListAccounts and SpecificRights: DomainLookup.
8. ⬅️ Receive SamrOpenDomain
| Parameter field | Parameter value |
|---|---|
| DomainHandle | [implementation-specific value] domainHandle |
| Status | 0 |
The Buffer structure contains a sub structure SamprEnumerationBuffer listing the name of the domain as well as the container where the group will be created.
9. ➡️ Send SamrQueryInformationDomain
Details SamrQueryInformationDomain.
| Parameter field | Parameter value |
|---|---|
| DomainHandle | domainHandle |
| DomainInformationClass | DomainInformationClass enumeration: 0x2 |
DomainInformationClass mask is DomainGeneralInformation.
10. ⬅️ Receive SamrQueryInformationDomain
| Parameter field | Parameter value |
|---|---|
| Buffer | SAMPR_DOMAIN_INFO_BUFFER structure |
| Status | 0 |
The Buffer structure contains a sub structure SamprEnumerationBuffer listing the name of the domain as well as the container where the group will be created.
11. ➡️ Send SamrQueryDisplayInformation2
Details SamrQueryDisplayInformation2.
| Parameter field | Parameter value |
|---|---|
| DomainHandle | domainHandle |
| DomainInformationClass | 0x0002 |
DomainInformationClass 0x2 is DomainGeneralInformation.
12. ⬅️ Receive SamrQueryDisplayInformation2
| Parameter field | Parameter value |
|---|---|
| TotalAvailable | 0x0 |
| TotalReturned | 0x200 |
| Buffer | PSAMPR_DISPLAY_INFO_BUFFER strucutre |
The Buffer wtructure contains a sub structure GroupInformation listing all groups matching the request.
13. ➡️ Send SamrCloseHandle
Details SamrCloseHandle.
| Parameter field | Parameter value |
|---|---|
| SamHandle | samHandle |
14. ⬅️ Receive SamrCloseHandle
| Parameter field | Parameter value |
|---|---|
| SamHandle | {00000000-00000000-0000-0000-0000-000000000000} |
| Status | 0 |