Itai Grady and Tal Be’ery of the Microsoft Advanced Threat Analytics (ATA) research team have released a new tool designed to help security teams harden the Windows 10 and Windows Server 2016 machines on their network against reconnaissance attempts.
Dubbed “SAMRi10” (pronounced Samaritan), the tool is a simple PowerShell script that changes the default Security Account Manager (SAM) access permissions on Windows 10 and Windows Server 2016 in an effort to prevent attackers from collecting potentially valuable recon information.
When attackers breach a single endpoint in an organization’s network, they need to identify other machines they can move to, preferably the ones of privileged users. Penetration testing tools such as PowerSploit and BloodHound are often used for this task.
Attackers can obtain information on domain and local users remotely via the Security Account Manager Remote Protocol (SAMR). Local credentials, particularly ones belonging to administrators, can be more valuable to attackers as they are less managed (i.e. passwords are not complex and there is no change policy) and less monitored.
In versions prior to Windows 10, any domain user can query local users via the SAMR protocol. This is a default setting and it cannot be changed. In Windows 10, any domain user can query local users by default, but the configuration can be changed by making modifications to a specific registry entry.
In Windows 10 Anniversary Update, remote SAM access is limited to local administrators, and the setting can be changed via both the registry and Group Policy settings.
The SAMRi10 tool aims to harden remote SAM access on Windows Server 2016 and Windows 10 by giving access only to “Administrators” and a newly created group named “Remote SAM Users.” Users who need SAM access can be added to this special group via the native net localgroup command or the Computer Management (compmgmt.msc) tool.
Each device can be hardened by executing the SAMRi10.ps1 file on it. The changes can be reverted by executing the script with the .SAMRi10.ps1 -Revert option.
“A Windows 10 machine, hardened by the SAMRi10 tool, will respond to a remote SAM access, based upon the requesting user account type, similar to a hardened 2016 domain controller,” Grady and Be’ery explained.
“Remote execution of PowerSploit’s Get-NetLocalGroup method against a SAMRi10 hardened computer, using an unprivileged user will result with an ‘Access is denied’ error,” the researchers said. “Executing the same method, with an administrative account or a member of the local ‘Remote SAM Users’ on the remote machine, will be completed successfully.”
The tool can be efficient as long as the credentials of “Remote SAM Users” group members are not compromised, the experts told SecurityWeek.
This is not the only anti-reconnaissance tool released by Grady and Be’ery. In October, they launched NetCease, a PowerShell script that changes NetSessionEnum function permissions in order to make it more difficult for attackers to obtain information that would allow them to move laterally within a network.
Related: UK’s GCHQ Spy Agency Launches Open Source Data Analysis Tool
Related: Facebook’s “Osquery” Security Tool Available for Windows