Microsoft Experts Launch Anti-Recon Tool for Windows 10, Server 2016

Itai Grady and Tal Be’ery of the Microsoft Advanced Threat Analytics (ATA) research team have released a new tool designed to help security teams harden the Windows 10 and Windows Server 2016 machines on their network against reconnaissance attempts.

Dubbed “SAMRi10” (pronounced Samaritan), the tool is a simple PowerShell script that changes the default Security Account Manager (SAM) access permissions on Windows 10 and Windows Server 2016 in an effort to prevent attackers from collecting potentially valuable recon information.

When attackers breach a single endpoint in an organization’s network, they need to identify other machines they can move to, preferably the ones of privileged users. Penetration testing tools such as PowerSploit and BloodHound are often used for this task.

Attackers can obtain information on domain and local users remotely via the Security Account Manager Remote Protocol (SAMR). Local credentials, particularly ones belonging to administrators, can be more valuable to attackers as they are less managed (i.e. passwords are not complex and there is no change policy) and less monitored.

In versions prior to Windows 10, any domain user can query local users via the SAMR protocol. This is a default setting and it cannot be changed. In Windows 10, any domain user can query local users by default, but the configuration can be changed by making modifications to a specific registry entry.

In Windows 10 Anniversary Update, remote SAM access is limited to local administrators, and the setting can be changed via both the registry and Group Policy settings.

The SAMRi10 tool aims to harden remote SAM access on Windows Server 2016 and Windows 10 by giving access only to “Administrators” and a newly created group named “Remote SAM Users.” Users who need SAM access can be added to this special group via the native net localgroup command or the Computer Management (compmgmt.msc) tool.

Each device is hardened by executing the SAMRi10.ps1 script on it. The changes can be reverted by executing the script with the -Revert switch, i.e. .\SAMRi10.ps1 -Revert.
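The following PowerShell snippet is an added audit example, not code from the SAMRi10 project or from the article's authors. It assumes a Windows 10 Anniversary Update or Windows Server 2016 host, where the "Network access: Restrict clients allowed to make remote calls to SAM" policy is stored as an SDDL string in the RestrictRemoteSAM value under the Lsa registry key, and that the script runs locally with administrative rights. It reports which principals the current policy allows to make remote SAM calls and lists the members of the "Remote SAM Users" group that SAMRi10 creates, so a defender can verify the hardening state of a host and review who has been granted access.

```powershell
# Added example: audit remote SAM access policy on a Windows 10 1607+ / Server 2016 host.
# Assumptions (labelled): the policy lives in the RestrictRemoteSAM value under the Lsa key,
# and the SAMRi10 group is named exactly "Remote SAM Users" as the article states.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$groupName = 'Remote SAM Users'

function Get-RemoteSamPolicy {
    # Read the SDDL string that defines who may make remote SAM calls.
    $sddl = (Get-ItemProperty -Path $lsaKey -Name 'RestrictRemoteSAM' -ErrorAction SilentlyContinue).RestrictRemoteSAM
    if (-not $sddl) {
        Write-Output 'RestrictRemoteSAM is not set; the operating system default applies.'
        return
    }

    # Parse the SDDL into a security descriptor and walk its DACL.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try {
            $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $principal = '<unresolved SID>'   # e.g. a deleted local group
        }
        [pscustomobject]@{
            AceType    = $ace.AceType          # AccessAllowed / AccessDenied
            Principal  = $principal
            Sid        = $sid.Value
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

function Get-RemoteSamGroupMembers {
    # A missing group means the SAMRi10 hardening has not been applied (or was reverted).
    if (-not (Get-LocalGroup -Name $groupName -ErrorAction SilentlyContinue)) {
        Write-Output "Group '$groupName' does not exist on this host."
        return
    }
    # Every member listed here can enumerate local accounts remotely, so review this list.
    Get-LocalGroupMember -Group $groupName | Select-Object Name, ObjectClass, PrincipalSource
}

Write-Output "== Remote SAM access policy (RestrictRemoteSAM) =="
Get-RemoteSamPolicy | Format-Table -AutoSize

Write-Output "== Members of '$groupName' =="
Get-RemoteSamGroupMembers | Format-Table -AutoSize
```

Run the script on each hardened host and compare the output against your expected allow-list; any AccessAllowed entry for a broad principal such as Authenticated Users, or any unexpected member of "Remote SAM Users", undoes the benefit described in the article. Adding a user who legitimately needs access is done with the command the article names, net localgroup "Remote SAM Users" DOMAIN\user /add, and the same audit can then confirm the change.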

“A Windows 10 machine, hardened by the SAMRi10 tool, will respond to a remote SAM access, based upon the requesting user account type, similar to a hardened 2016 domain controller,” Grady and Be’ery explained.

“Remote execution of PowerSploit’s Get-NetLocalGroup method against a SAMRi10 hardened computer, using an unprivileged user will result with an ‘Access is denied’ error,” the researchers said. “Executing the same method, with an administrative account or a member of the local ‘Remote SAM Users’ on the remote machine, will be completed successfully.”

The tool is effective as long as the credentials of "Remote SAM Users" group members are not compromised, the experts told SecurityWeek.

This is not the only anti-reconnaissance tool released by Grady and Be’ery. In October, they launched NetCease, a PowerShell script that changes NetSessionEnum function permissions in order to make it more difficult for attackers to obtain information that would allow them to move laterally within a network.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.