Reconnaissance (recon for short) is a key stage in the advanced attacker's kill chain. Once attackers have breached a single endpoint, they need to discover their next targets within the victim's corporate network, most notably privileged users.
Once attackers have “zoomed in” on target users, they need to find out which computers those users are logged on to, in order to propagate to them and compromise their credentials. Applying SMB session enumeration via the NetSessionEnum method against the DC (or other file servers) gives attackers exactly that information. Recently, some frameworks (e.g. BloodHound) have automated that mapping process.
By default, the NetSessionEnum method can be executed by any authenticated user, including network-connected users, which effectively means that any domain user is able to execute it remotely.
Since the only current way to modify the default permissions for NetSessionEnum is to manually edit a hex registry entry, we wrote the “NetCease” tool, a short PowerShell (PS) script that alters these default permissions. This hardening process should block attackers from easily obtaining valuable recon information.
Net Session Enumeration is a method used to retrieve information about established sessions on a server. Any domain user can query a server for its established sessions and get the following information:
Since all domain users and computers refresh their Group Policy approximately every 90 minutes, they establish a session to the DC to query for updates. Those sessions are visible to all domain users via NetSessionEnum on that DC.
Several widely available tools implement this query, including the NetSess tool:
Figure 1: NetSess tool result example.
Microsoft ATA detects the use of such a query and alerts the security administrator about it:
Figure 2: Microsoft ATA alert on NetSessionEnum use
The NetSessionEnum method's permissions are controlled by a registry key under the following path:
Figure 3: NetSessionEnum DACL in Registry
By default, this binary SrvsvcSessionInfo value is a Discretionary Access Control List (DACL) containing four Access Control Entries (ACEs) that allow access to any user with at least one of the following characteristics:
By performing a successful network authentication against a domain-joined machine, users (or attackers) obtain permission to execute NetSessionEnum on that machine, because the “Authenticated Users” SID is added to their authentication context.
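To audit this on a server before (or after) hardening, the DACL can be decoded from the binary value and each ACE listed with its principal and access mask. The script below is an added example for this post, not the NetCease script itself; it assumes the standard LanmanServer DefaultSecurity registry key (a documented Windows location that the figure above shows but the text does not spell out) and the well-known SID S-1-5-11 for Authenticated Users. It only reads the registry, so it needs no elevation.

```powershell
# Added example (not the NetCease script): decode the SrvsvcSessionInfo DACL and
# report which principals may call NetSessionEnum on this machine.
# Assumption: the value lives under the standard LanmanServer DefaultSecurity key.
$SessionInfoKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'

function Get-SessionInfoDescriptor {
    # Read the raw binary security descriptor and parse it into an object model
    $bytes = (Get-ItemProperty -Path $SessionInfoKey -Name SrvsvcSessionInfo).SrvsvcSessionInfo
    return [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
}

function Get-SessionInfoAccess {
    # One record per ACE in the DACL: type, resolved principal, SID and access mask
    $sd = Get-SessionInfoDescriptor
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only KnownAce entries carry a SID and an access mask
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{
            Type       = $ace.AceType
            Principal  = $name
            Sid        = $sid.Value
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }
}

function Test-SessionInfoHardened {
    # $true when no allow ACE remains for Authenticated Users (S-1-5-11), i.e. remote
    # callers need one of the remaining ACEs (administrators etc.) to succeed
    $sd = Get-SessionInfoDescriptor
    $open = $sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.KnownAce] -and
        $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $_.SecurityIdentifier.Value -eq 'S-1-5-11'
    }
    return (-not $open)
}

Get-SessionInfoAccess | Format-Table -AutoSize
if (Test-SessionInfoHardened) { 'NetSessionEnum is restricted: no allow ACE for Authenticated Users.' }
else { 'NetSessionEnum is open to any authenticated user (Windows default).' }
```

`Test-SessionInfoHardened` is the check to run across DCs and file servers from a configuration-compliance job: a `$false` result on a machine that was hardened means the value was reset (for example by a rebuild) and the recon surface is open again.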
The NetCease script hardens access to the NetSessionEnum method by removing the execute permission for the Authenticated Users group and adding permissions for interactive, service and batch logon sessions.
This will allow any administrator, system operator and power user to remotely call this method, and any interactive/service/batch logon session to call it locally.
Calling NetSess on a hardened machine from remote, using an administrator account:
Figure 4: Administrator successfully calls NetSess from remote on a hardened machine
Calling NetSess on a hardened machine from remote, using a non-privileged user:
Figure 5: User1 (non-admin) gets access denied calling NetSess remotely
Calling NetSess on the same hardened machine, using the same user but locally:
Figure 6: User1 (non-admin) successfully calls NetSess locally
NetCease.ps1 is simple to use. Run the PowerShell script as administrator on the machine you wish to harden (DC in most cases).
For the changes to take effect, restart the “Server” service.
Note that hardening NetSession and hindering attackers’ ability to abuse it does not damage defenders’ ability to detect the attack, as Microsoft ATA detects failed recon attempts as well:
Figure 7: Microsoft ATA detection of a failed NetSessionEnum recon attempt
To revert the changes made by the NetCease tool, use the Revert option.
The registry value will be restored to the backed-up value.
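The hardening and revert steps described above (swap the Authenticated Users ACE for interactive, service and batch logon ACEs, back up the original value, restart the Server service) can be expressed in a few PowerShell functions. This is an added example written for this post, not the NetCease script, and it makes these assumptions: the value lives under the standard LanmanServer DefaultSecurity key; the well-known SIDs S-1-5-11 (Authenticated Users), S-1-5-4 (Interactive), S-1-5-6 (Service) and S-1-5-3 (Batch) are used; the new ACEs copy the access mask of the removed Authenticated Users ACE rather than a mask chosen here; and the backup location under ProgramData is an example choice. Run it in an elevated session on the machine to harden.

```powershell
# Added example (not the NetCease script). Run elevated; the new DACL takes effect
# once the Server service (LanmanServer) restarts.
# Assumptions: standard LanmanServer DefaultSecurity key; example backup file path.
$SessionInfoKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$BackupFile     = Join-Path $env:ProgramData 'SrvsvcSessionInfo.bak'   # example location

function Read-SessionInfoBytes {
    (Get-ItemProperty -Path $SessionInfoKey -Name SrvsvcSessionInfo).SrvsvcSessionInfo
}

function Write-SessionInfoBytes([byte[]]$Bytes) {
    Set-ItemProperty -Path $SessionInfoKey -Name SrvsvcSessionInfo -Value $Bytes -Type Binary
}

function Invoke-SessionInfoHardening {
    $bytes = Read-SessionInfoBytes
    if (-not (Test-Path $BackupFile)) {
        # Keep the original descriptor so the change can be reverted exactly
        [System.IO.File]::WriteAllBytes($BackupFile, $bytes)
    }
    $sd  = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    $acl = $sd.DiscretionaryAcl

    # Remove every allow ACE for Authenticated Users (S-1-5-11), remembering its mask.
    # Iterate backwards so RemoveAce does not shift indexes still to be visited.
    $mask = $null
    for ($i = $acl.Count - 1; $i -ge 0; $i--) {
        $ace = $acl[$i]
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier.Value -eq 'S-1-5-11') {
            $mask = $ace.AccessMask
            $acl.RemoveAce($i)
        }
    }
    if ($null -eq $mask) {
        Write-Warning 'No Authenticated Users ACE found; the DACL may already be hardened.'
        return
    }

    # Grant the same rights to the local logon-session SIDs: Interactive, Service, Batch
    foreach ($sidString in 'S-1-5-4', 'S-1-5-6', 'S-1-5-3') {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($sidString)
        $ace = [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $mask, $sid, $false, $null)
        $acl.InsertAce($acl.Count, $ace)   # append at the end of the DACL
    }

    # Serialise the modified descriptor back to its binary form and store it
    $out = [byte[]]::new($sd.BinaryLength)
    $sd.GetBinaryForm($out, 0)
    Write-SessionInfoBytes $out
    Restart-Service -Name LanmanServer -Force   # the "Server" service
}

function Undo-SessionInfoHardening {
    # Equivalent of the Revert option: restore the backed-up value verbatim
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    Write-SessionInfoBytes ([System.IO.File]::ReadAllBytes($BackupFile))
    Restart-Service -Name LanmanServer -Force
}

# Usage: Invoke-SessionInfoHardening      (harden this machine)
#        Undo-SessionInfoHardening        (revert to the saved value)
```

Because the existing administrator, server operator and power user ACEs are left untouched, remote calls from those accounts keep working, while a network logon by an ordinary domain user no longer matches any allow ACE and is refused; the interactive, service and batch SIDs only appear in local logon tokens, which is why the same user still succeeds when calling locally.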