What is Internal Reconnaissance?

Internal Reconnaissance is one of the first steps an attacker will take once they have compromised a user or computer on the internal network. This usually involves using tools or scripts to enumerate and collect information to help them identify where they should try and compromise next on the internal network to get what they need. An example of a tool that is commonly used for internal reconnaissance is BloodHound which can map out paths for an attacker.

Almost all common enumeration methods used can be executed by an unprivileged user.

Types of Reconnaissance

There are multiple types of reconnaissance that attackers can do to find information about the network they have penetrated. These types of information include but are not limited to:

• Session Enumeration (which finds out who is logged on where)
• User Enumeration (List all users in domain ideally with membership)
• Group Enumeration (List all groups in domain ideally with membership)
• Active Directory ACL Enumeration
• Local Group Membership Enumeration

There are multiple protocols that can be utilised for reconnaissance to get this information which makes it extremely hard to block and detect for blue teams. In this post I will go over how to use NetCease, a tool which Microsoft has released, to block session enumeration for unprivileged users and then SAMRi10, a script which Microsoft has released to help block queries to the Remote SAM (MS-SAMR Protocol)

What is Session Enumeration?

Session Enumeration is one of the reconnaissance methods that an attacker will use after compromising a system on an internal network. It is a way for an attacker to detect where users and service accounts are logged in which can then be used in line with other reconnaissance methods to prioritise which hosts to attempt to compromise first. For Example: hosts with administrators logged in.

Note: Default permissions in Windows 10 have been changed to stop attackers doing this, however, it is still worth checking.

Enter Net Cease

Net Cease is a short PowerShell script that Itai Grady and Tal Be’ery from Microsoft released in 2016. This PowerShell script is used to change the Registry Key which controls the NetSessionEnum method permissions. The reason why this is completed by script and not just manual instructions is because it is only editable in a reg binary value.

Path:        HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/LanmanServer/DefaultSecurity

Name:  SrvsvcSessionInfo

The default value of the SrvsvcSessionInfo registry key is the Access Control List which allows the use of the NetSessionEnum method. This is assigned to the following:

• Member of Administrators
• Member of Server Operators
• Member of Power Users
• Authenticated Users

The Authenticated Users Permission is what makes this insecure and easy for attackers to perform reconnaissance. What the Net Cease Script does is to back up the current registry value and then amend the permissions, so the following ACE’s are in the ACL:

• InteractiveSid
• ServiceSid
• BatchSid
• Administrators
• Server Operators
• PowerUsers

Now if you want to view the security descriptor for yourself then you can use the following PowerShell snippet which will show you the ACL. There is also a script on the TechNet Gallery called NetSessEnumPerm.ps1 which can output a bit nicer than the below.

#Registry Key Information
$key = "HKLM:SYSTEMCurrentControlSetServicesLanmanServerDefaultSecurity"
$name = "SrvsvcSessionInfo"

#Get the Registry Key and Value
$Reg_Key = Get-Item -Path $key
$BtyeValue = $reg_Key.GetValue($name, $null)

#Create a CommonSecurityDescriptor Object using the Byte Value
$Security_Descriptor = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true, $false, $ByteValue, 0

#Output of the ACL to make it simple to see for document. Use only $Security_Descriptor.DiscretionaryAcl if you want to see the full ACL!
$Security_Descriptor.DiscretionaryAcl | Select-Object SecurityIdentifier, ACEType | Format-Table -AutoSize

Before Running Net Cease

After Running Net Cease

Note: Information on Well-Known SID’s can be found here

Testing Session Enumeration

An easy way to test session enumeration is to use the NetSess tool from Joeware.net but there are plenty of options for tools that utilise this including SharpHound collector. Make sure when doing that you are using a user account that is not a member of Administrators, Server Operators or Power Users.

Before Using Net Cease

Netsess.exe [Computer]

After Using Net Cease (Using an unprivileged account)

Netsess.exe [Computer]

After Using Net Cease with a Privileged User Account

Netsess.exe [Computer]

Enumeration using Remote SAM (SAMR)

Attackers can perform reconnaissance using the SAMR Protocol which can remotely query devices but can also query Active Directory. Using this method of reconnaissance, an attacker can find highly privileged groups and users, as well as local users and groups for every system on the network without any administrative privileges. Tools such as BloodHound can then automatically map this information into attack paths to compromise Active Directory.

Protecting against Remote SAM Reconnaissance

Microsoft Introduced protections for querying the Remote SAM with Windows 10 and in 2017 introduced updates for previous operating systems down to Windows 7 and Server 2008 R2 using the RestrictRemoteSAM registry key, which is a string (REG_SZ) that will contain the SDDL of the security descriptor that protects Remote SAM calls.

In the anniversary edition of Windows 10 (1607) and Windows Server 2016 and later the default SDDL has been changed to only allow local administrators to query the Remote SAM.

Below is a table breaking down the requirements, default behaviour and protection options for all operating systems.

OS	KB Required	Who can query (Default)	Remote SAM Protection Options
Prior to Windows 7 and Server 2008 R2	N/A	Any domain user	None
Windows 7	KB 4012218	Any domain user	Registry Key or Group Policy
Windows Server 2008 R2	KB 4012218	Any domain user	Registry Key or Group Policy
Windows 8.1	KB 4102219	Any domain user	Registry Key or Group Policy
Windows Server 2012	KB 4012220	Any domain user	Registry Key or Group Policy
Windows Server 2012 R2	KB 4012219	Any domain user	Registry Key or Group Policy
Windows 10 1507	KB 4012606	Any domain user	Registry Key or Group Policy
Windows 10 1511	KB 4103198	Any domain user	Registry Key or Group Policy
Windows 10 1607 and later	N/A	Local Administrators	Registry Key or Group Policy
Windows Server 2016 and later	N/A	Local Administrators	Registry Key or Group Policy

Applying protections for Remote SAM queries

There are two ways in which Microsoft natively lets administrators set this option which is through Registry or through Group Policy. There is also a 3^rd lesser-known method that a Microsoft Researcher came out called SAMRi10 (Samaritan) which helps companies who require needing granular access that is easily editable.

Registry

The RestrictRemoteSAM registry key is available for administrators to update as they wish with the SDDL. Below is the information on where the key is located and the default value that Windows 10 sets which is SYSTEM for Ownership and Primary Group and read_control access for Built-in Administrators.

Path:     HKLM/System/CurrentControlSet/Control/Lsa

Name: RestrictRemoteSAM

Value:   O:SYG:SYD:(A;;RC;;;BA)

Breaking down the SDDL

Checking the SDDL to ensure it is correct before applying

To check that the SDDL is correct before applying the change you can use the ConvertFrom-SDDLString command in PowerShell to convert it to a security descriptor that is easier to read.

Group Policy / Local Security policy

The Group Policy and Local Security Policy settings allow administrators to set this easily. This can work well for administrators who wish to set the same value across every system or multiple groups of systems (e.g. Allowing Remote SAM Connections for all servers in a specific OU or set of application servers).

The details about the setting are as follows:

Policy Name	Network access: Restrict clients allowed to make remote calls to SAM
Location	Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options
Possible Values	– Not defined – Defined, along with the security descriptor for users and groups who are allowed or denied to use SAMRPC to remotely access either the local SAM or Active Directory.

SAMRi10 (Samaritan)

SAMRi10 is a PowerShell script that Itai Grady released initially to help secure Remote SAM before it was introduced properly by Microsoft. However, whilst it may sound like its no longer needed it does offer a key benefit which Microsoft’s default does not which is it creates a new local group and delegates access for the group to be able to perform the Remote SAM calls making it possible for administrators to control this fully in Group Policy Preferences or just manually granting accounts when required.

The SAMRi10 script does the following:

• Creates a local group called “Remote SAM Users”
• Amend the SDDL to include the newly created group
  • If no default SDDL then grant access to Built-in Administrators
  • If an SDDL has been previously created, then amend it to include the new ACE for the Remote SAM Users group.

Benefits of using SAMRi10

• Easy to grant granular access for Remote SAM access
• Helps in organizations that are wanting to do least privileged access
• Can be used in conjunction with a local group membership group policy to grant users access centrally using Item level targeting
• Can be utilised by a Privileged Access Management System to easily grant dynamic (Just-In-Time) access if an account / process requires this specific permission.

Reconnaissance with STEALTHbits

StealthINTERCEPT and STEALTHbits Activity Monitor can monitor LDAP queries and then pass them to StealthDEFEND which can detect multiple reconnaissance scenarios and queries out of the box including but not limited to BloodHound, queries for all SPN’s and queries for all accounts with password never expires.

StealthAUDIT’s attack path analyser can provide admins with insight into their Active Directory ACL’s which attackers may look for so they can plug any gaps before they happen.