Microsoft Experts Launch Anti-Recon Tool for Windows 10, Server 2016

Itai Grady and Tal Be’ery of the Microsoft Advanced Threat Analytics (ATA) research team have released a new tool designed to help security teams harden the Windows 10 and Windows Server 2016 machines on their network against reconnaissance attempts.

Dubbed “SAMRi10” (pronounced Samaritan), the tool is a simple PowerShell script that changes the default Security Account Manager (SAM) access permissions on Windows 10 and Windows Server 2016 in an effort to prevent attackers from collecting potentially valuable recon information.

When attackers breach a single endpoint in an organization’s network, they need to identify other machines they can move to, preferably the ones of privileged users. Penetration testing tools such as PowerSploit and BloodHound are often used for this task.

Attackers can obtain information on domain and local users remotely via the Security Account Manager Remote Protocol (SAMR). Local credentials, particularly ones belonging to administrators, can be more valuable to attackers as they are less managed (i.e. passwords are not complex and there is no change policy) and less monitored.

In versions prior to Windows 10, any domain user can query local users via the SAMR protocol. This is a default setting and it cannot be changed. In Windows 10, any domain user can query local users by default, but the configuration can be changed by making modifications to a specific registry entry.

In Windows 10 Anniversary Update, remote SAM access is limited to local administrators, and the setting can be changed via both the registry and Group Policy settings.

The SAMRi10 tool aims to harden remote SAM access on Windows Server 2016 and Windows 10 by giving access only to “Administrators” and a newly created group named “Remote SAM Users.” Users who need SAM access can be added to this special group via the native net localgroup command or the Computer Management (compmgmt.msc) tool.

Each device can be hardened by executing the SAMRi10.ps1 file on it. The changes can be reverted by executing the script with the Revert switch: .\SAMRi10.ps1 -Revert
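As an added audit example (not the article's or the SAMRi10 project's own code), the following PowerShell function lets a defender verify the state the article describes: it reads the RestrictRemoteSAM SDDL string that the "Network access: Restrict clients allowed to make remote calls to SAM" setting stores under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, checks that only BUILTIN\Administrators and the "Remote SAM Users" group are granted access, and lists that group's members for review. The SDDL shape it expects and the group name are assumptions; the exact descriptor SAMRi10 writes may differ.

```powershell
# Added audit example, not SAMRi10's own code. Reports whether this Windows 10 /
# Server 2016 host explicitly restricts remote SAM access to Administrators plus a
# "Remote SAM Users" group, and who is in that group.
# Assumption: the policy is an SDDL string in the RestrictRemoteSAM value under
# HKLM:\SYSTEM\CurrentControlSet\Control\Lsa. A missing value means the OS default
# applies (Administrators only from the Anniversary Update onward), not a hardening.
function Test-RemoteSamHardening {
    [CmdletBinding()]
    param(
        [string]$GroupName = 'Remote SAM Users'   # assumed group name
    )
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = (Get-ItemProperty -Path $lsaPath -Name 'RestrictRemoteSAM' -ErrorAction SilentlyContinue).RestrictRemoteSAM

    $result = [ordered]@{
        RestrictRemoteSAM = $sddl
        GroupExists       = $false
        GroupMembers      = @()
        OnlyAllowedSids   = $false
        Hardened          = $false
    }

    # Trustees allowed to hold an allow ACE: BUILTIN\Administrators (SDDL alias BA,
    # S-1-5-32-544) and the special group's SID, if the group exists on this host.
    $allowed = @('BA', 'S-1-5-32-544')
    $group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
    if ($group) {
        $result.GroupExists  = $true
        $allowed            += $group.SID.Value
        $result.GroupMembers = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
                                 ForEach-Object { $_.Name })
    }

    if ($sddl) {
        # Pull the trustee SID out of every allow ACE: (A;flags;rights;objguid;inhguid;sid)
        $aceSids = @([regex]::Matches($sddl, '\(A;[^;]*;[^;]*;[^;]*;[^;]*;([^)]+)\)') |
                     ForEach-Object { $_.Groups[1].Value })
        # Any allow ACE naming a trustee outside the allowed set widens remote SAM access.
        $unexpected = @($aceSids | Where-Object { $allowed -notcontains $_ })
        $result.OnlyAllowedSids = ($aceSids.Count -gt 0) -and ($unexpected.Count -eq 0)
    }
    $result.Hardened = $result.OnlyAllowedSids -and $result.GroupExists
    return [pscustomobject]$result
}

# Run locally (elevated) to inspect the current state of this host.
Test-RemoteSamHardening | Format-List
```

Review the GroupMembers list as closely as the Administrators group, since the article notes the hardening holds only as long as those accounts' credentials are not compromised.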

“A Windows 10 machine, hardened by the SAMRi10 tool, will respond to a remote SAM access, based upon the requesting user account type, similar to a hardened 2016 domain controller,” Grady and Be’ery explained.

“Remote execution of PowerSploit’s Get-NetLocalGroup method against a SAMRi10 hardened computer, using an unprivileged user will result with an ‘Access is denied’ error,” the researchers said. “Executing the same method, with an administrative account or a member of the local ‘Remote SAM Users’ on the remote machine, will be completed successfully.”

The tool remains effective only as long as the credentials of “Remote SAM Users” group members are not compromised, the experts told SecurityWeek.

This is not the only anti-reconnaissance tool released by Grady and Be’ery. In October, they launched NetCease, a PowerShell script that changes NetSessionEnum function permissions in order to make it more difficult for attackers to obtain information that would allow them to move laterally within a network.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
