What is Internal Reconnaissance?
Internal Reconnaissance is one of the first steps an attacker will take once they have compromised a user or computer on the internal network. This usually involves using tools or scripts to enumerate and collect information to help them identify where they should try and compromise next on the internal network to get what they need. An example of a tool that is commonly used for internal reconnaissance is BloodHound which can map out paths for an attacker.
Almost all common enumeration methods used can be executed by an unprivileged user.
Types of Reconnaissance
There are multiple types of reconnaissance that attackers can do to find information about the network they have penetrated. These types of information include but are not limited to:
- Session Enumeration (which finds out who is logged on where)
- User Enumeration (List all users in domain ideally with membership)
- Group Enumeration (List all groups in domain ideally with membership)
- Active Directory ACL Enumeration
- Local Group Membership Enumeration
There are multiple protocols that can be utilised for reconnaissance to get this information which makes it extremely hard to block and detect for blue teams. In this post I will go over how to use NetCease, a tool which Microsoft has released, to block session enumeration for unprivileged users and then SAMRi10, a script which Microsoft has released to help block queries to the Remote SAM (MS-SAMR Protocol)
What is Session Enumeration?
Session Enumeration is one of the reconnaissance methods that an attacker will use after compromising a system on an internal network. It is a way for an attacker to detect where users and service accounts are logged in which can then be used in line with other reconnaissance methods to prioritise which hosts to attempt to compromise first. For Example: hosts with administrators logged in.
Note: Default permissions in Windows 10 have been changed to stop attackers doing this, however, it is still worth checking.
Enter Net Cease
Net Cease is a short PowerShell script that Itai Grady and Tal Be’ery from Microsoft released in 2016. This PowerShell script is used to change the Registry Key which controls the NetSessionEnum method permissions. The reason why this is completed by script and not just manual instructions is because it is only editable in a reg binary value.
The default value of the SrvsvcSessionInfo registry key is the Access Control List which allows the use of the NetSessionEnum method. This is assigned to the following:
- Member of Administrators
- Member of Server Operators
- Member of Power Users
- Authenticated Users
The Authenticated Users Permission is what makes this insecure and easy for attackers to perform reconnaissance. What the Net Cease Script does is to back up the current registry value and then amend the permissions, so the following ACE’s are in the ACL:
- Server Operators
Now if you want to view the security descriptor for yourself then you can use the following PowerShell snippet which will show you the ACL. There is also a script on the TechNet Gallery called NetSessEnumPerm.ps1 which can output a bit nicer than the below.
#Registry Key Information $key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity" $name = "SrvsvcSessionInfo" #Get the Registry Key and Value $Reg_Key = Get-Item -Path $key $BtyeValue = $reg_Key.GetValue($name, $null) #Create a CommonSecurityDescriptor Object using the Byte Value $Security_Descriptor = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true, $false, $ByteValue, 0 #Output of the ACL to make it simple to see for document. Use only $Security_Descriptor.DiscretionaryAcl if you want to see the full ACL! $Security_Descriptor.DiscretionaryAcl | Select-Object SecurityIdentifier, ACEType | Format-Table -AutoSize
Before Running Net Cease
After Running Net Cease
Note: Information on Well-Known SID’s can be found here
Testing Session Enumeration
An easy way to test session enumeration is to use the NetSess tool from Joeware.net but there are plenty of options for tools that utilise this including SharpHound collector. Make sure when doing that you are using a user account that is not a member of Administrators, Server Operators or Power Users.
Before Using Net Cease
After Using Net Cease (Using an unprivileged account)
After Using Net Cease with a Privileged User Account
Enumeration using Remote SAM (SAMR)
Attackers can perform reconnaissance using the SAMR Protocol which can remotely query devices but can also query Active Directory. Using this method of reconnaissance, an attacker can find highly privileged groups and users, as well as local users and groups for every system on the network without any administrative privileges. Tools such as BloodHound can then automatically map this information into attack paths to compromise Active Directory.
Protecting against Remote SAM Reconnaissance
Microsoft Introduced protections for querying the Remote SAM with Windows 10 and in 2017 introduced updates for previous operating systems down to Windows 7 and Server 2008 R2 using the RestrictRemoteSAM registry key, which is a string (REG_SZ) that will contain the SDDL of the security descriptor that protects Remote SAM calls.
In the anniversary edition of Windows 10 (1607) and Windows Server 2016 and later the default SDDL has been changed to only allow local administrators to query the Remote SAM.
Below is a table breaking down the requirements, default behaviour and protection options for all operating systems.
|OS||KB Required||Who can query (Default)||Remote SAM Protection Options|
|Prior to Windows 7 and Server 2008 R2||N/A||Any domain user||None|
|Windows 7||KB 4012218||Any domain user||Registry Key or Group Policy|
|Windows Server 2008 R2||KB 4012218||Any domain user||Registry Key or Group Policy|
|Windows 8.1||KB 4102219||Any domain user||Registry Key or Group Policy|
|Windows Server 2012||KB 4012220||Any domain user||Registry Key or Group Policy|
|Windows Server 2012 R2||KB 4012219||Any domain user||Registry Key or Group Policy|
|Windows 10 1507||KB 4012606||Any domain user||Registry Key or Group Policy|
|Windows 10 1511||KB 4103198||Any domain user||Registry Key or Group Policy|
|Windows 10 1607 and later||N/A||Local Administrators||Registry Key or Group Policy|
|Windows Server 2016 and later||N/A||Local Administrators||Registry Key or Group Policy|
Applying protections for Remote SAM queries
There are two ways in which Microsoft natively lets administrators set this option which is through Registry or through Group Policy. There is also a 3rd lesser-known method that a Microsoft Researcher came out called SAMRi10 (Samaritan) which helps companies who require needing granular access that is easily editable.
The RestrictRemoteSAM registry key is available for administrators to update as they wish with the SDDL. Below is the information on where the key is located and the default value that Windows 10 sets which is SYSTEM for Ownership and Primary Group and read_control access for Built-in Administrators.
Breaking down the SDDL
Checking the SDDL to ensure it is correct before applying
To check that the SDDL is correct before applying the change you can use the ConvertFrom-SDDLString command in PowerShell to convert it to a security descriptor that is easier to read.
Group Policy / Local Security policy
The Group Policy and Local Security Policy settings allow administrators to set this easily. This can work well for administrators who wish to set the same value across every system or multiple groups of systems (e.g. Allowing Remote SAM Connections for all servers in a specific OU or set of application servers).
The details about the setting are as follows:
|Policy Name||Network access: Restrict clients allowed to make remote calls to SAM|
|Location||Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
|Possible Values|| – Not defined|
– Defined, along with the security descriptor for users and groups who are allowed or denied to use SAMRPC to remotely access either the local SAM or Active Directory.
SAMRi10 is a PowerShell script that Itai Grady released initially to help secure Remote SAM before it was introduced properly by Microsoft. However, whilst it may sound like its no longer needed it does offer a key benefit which Microsoft’s default does not which is it creates a new local group and delegates access for the group to be able to perform the Remote SAM calls making it possible for administrators to control this fully in Group Policy Preferences or just manually granting accounts when required.
The SAMRi10 script does the following:
- Creates a local group called “Remote SAM Users”
- Amend the SDDL to include the newly created group
- If no default SDDL then grant access to Built-in Administrators
- If an SDDL has been previously created, then amend it to include the new ACE for the Remote SAM Users group.
Benefits of using SAMRi10
- Easy to grant granular access for Remote SAM access
- Helps in organizations that are wanting to do least privileged access
- Can be used in conjunction with a local group membership group policy to grant users access centrally using Item level targeting
- Can be utilised by a Privileged Access Management System to easily grant dynamic (Just-In-Time) access if an account / process requires this specific permission.
Reconnaissance with STEALTHbits
StealthINTERCEPT and STEALTHbits Activity Monitor can monitor LDAP queries and then pass them to StealthDEFEND which can detect multiple reconnaissance scenarios and queries out of the box including but not limited to BloodHound, queries for all SPN’s and queries for all accounts with password never expires.
StealthAUDIT’s attack path analyser can provide admins with insight into their Active Directory ACL’s which attackers may look for so they can plug any gaps before they happen.
Joe is a Security Researcher at STEALTHbits Technologies. An expert in Active Directory, Windows, and a wide variety of enterprise software platforms and technologies, Joe researches new security risks, complex attack techniques, and associated mitigations and detections.