Net Cease - Hardening Net Session Enumeration

The “Net Cease” tool is a short PowerShell (PS) script that alters the default permissions for Net Session Enumeration (NetSessionEnum). This hardening prevents attackers from easily obtaining valuable recon information that they would use to move laterally within their victim's network.

NetCease.zip
Security
12/11/2016


  • Corresponding event ID?
    1 Posts | Last post June 27, 2017
    • Thanks for this release Itai,
      
      Is there a corresponding event ID for finding failed enumerations? After applying netcease, I've run many failed attempts, just can't find any events.
      
      Thank you.
  • Target for this script
    2 Posts | Last post December 07, 2016
    • It is mentioned in the description, that the script could be used on the domain controllers and/or file servers in a domain. Would it make any sense to target it to all servers and computers too?
    • Yes, since any computer might have (SMB) sessions of remote users. Attackers can query all domain computers for those sessions and gather information on logged on users in that domain.
  • Can we run this command on Windows 2000, 2003 and XP?
    2 Posts | Last post November 01, 2016
    • Can we run this command on Windows 2000, 2003 and XP?
    • I didn't try it on Win2K/2003/XP, please let me know if you did and succeeded.
  • AccessMask
    2 Posts | Last post October 19, 2016
    • What is the access granted for the value 0x001f01ff?  
      
      When I look at the existing/default access rules for the registry value on a computer, it is:  
      
      SID: S-1-5-11 AccesMask: 1 WellKnown: AuthenticatedUserSid  
      SID: S-1-5-32-544 AccesMask: 983059 WellKnown: BuiltinAdministratorsSid  
      SID: S-1-5-32-547 AccesMask: 983059 WellKnown: BuiltinPowerUsersSid  
      SID: S-1-5-32-549 AccesMask: 983059 WellKnown: BuiltinSystemOperatorsSid  
      
      1 and 983059 are both valid values of the RegistryRights enum. 
      
      1: QueryValues  
      983059: QueryValues | SetValue | Notify | Delete | ReadPermissions | ChangePermissions | TakeOwnership  
      
      What access is granted for 0x001f01ff? 
    • Hi Greg, thanks for your reply. I've changed the value to the AccessMask of AuthenticatedUserSid
  • What is the roll back strategy?
    3 Posts | Last post October 19, 2016
    • Dear Itai or other beloved friends,
      
      Somehow, we have a complex environment. In that case, how can we revert this change?
    • Read the script and you will know :-)
    • Hi Rohit, please see the new registry value named "SrvsvcSessionInfoBackup" that was created by this script. It contains your original SrvsvcSessionInfo value, and both are located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity.
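
One way to inspect both registry values and perform the rollback described in the last reply, as an added example that is not part of the thread or of the NetCease script. The function names are hypothetical, and it assumes both values hold a binary security descriptor and that the Server service must be restarted for a restored value to take effect.

```powershell
# Added example, not NetCease code. The key path and value names are the ones
# quoted in the reply above; the function names are hypothetical.
$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$Live   = 'SrvsvcSessionInfo'
$Backup = 'SrvsvcSessionInfoBackup'

function Get-SessionInfoAce {
    # Lists the ACEs (SID, type, access mask) stored in one of the two values.
    param([Parameter(Mandatory = $true)][string]$ValueName)
    $ErrorActionPreference = 'Stop'
    $bytes = [byte[]](Get-ItemProperty -Path $Key -Name $ValueName).$ValueName
    # Assumption: the value is a self-relative security descriptor in binary form.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        New-Object psobject -Property @{
            Value      = $ValueName
            Sid        = $ace.SecurityIdentifier.Value
            AceType    = $ace.AceType
            AccessMask = '0x{0:x8}' -f $ace.AccessMask
        }
    }
}

function Restore-SessionInfo {
    # Copies the backup value over the live one after checking that it parses.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $ErrorActionPreference = 'Stop'
    $orig = [byte[]](Get-ItemProperty -Path $Key -Name $Backup).$Backup
    # Refuse to write bytes that are not a valid security descriptor
    # (the constructor throws and the function stops here).
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $orig, 0
    if ($PSCmdlet.ShouldProcess("$Key\$Live", "Restore from $Backup")) {
        Set-ItemProperty -Path $Key -Name $Live -Value $orig -Type Binary
        # Assumption: the Server service reads this value at start-up, so the
        # restored permissions apply only after the service is restarted.
        Write-Warning 'Restart the Server service (LanmanServer) to apply the restored ACL.'
    }
}

# Compare the saved original ACL with the one currently configured,
# then preview the rollback. Run from an elevated prompt.
Get-SessionInfoAce -ValueName $Backup | Format-Table Value, Sid, AceType, AccessMask
Get-SessionInfoAce -ValueName $Live   | Format-Table Value, Sid, AceType, AccessMask
Restore-SessionInfo -WhatIf   # remove -WhatIf to actually write the value
```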