Overview

Reconnaissance (recon for short) is a key stage in an advanced attacker's kill chain. Once attackers have breached a single endpoint, they need to discover their next targets within the victim's corporate network, most notably privileged users. To enable admins to harden their network against recon attacks targeting local users, we developed the "SAMRi10" (pronounced Samaritan) tool.

Introduction

Reconnaissance (recon for short) is a key stage in an advanced attacker's kill chain. Once attackers have breached a single endpoint, they need to discover their next targets within the victim's corporate network, most notably privileged users.

Attackers use compromised credentials to move laterally within their victim's network. These compromised credentials may be either domain or local credentials. Local credentials, especially those of local admins, are a lucrative target for attackers because they are less managed (no central password complexity or rotation policy applies to them) and less monitored (they leave no traffic or logs beyond the specific computer).

Querying the Windows Security Account Manager (SAM) remotely via the SAM-Remote (SAMR) protocol against the victim's domain machines lets attackers enumerate all domain and local users together with their group memberships, and map possible routes within the victim's network. Recently, some frameworks (e.g. BloodHound) have automated that mapping process.

By default, the SAM can be accessed remotely (via SAMR) by any authenticated user, including network-connected users, which effectively means that any domain user can access it. Windows 10 introduced an option to control remote access to the SAM through a specific registry value. In the Windows 10 Anniversary Update (version 1607) the default permissions were changed to allow remote access only to administrators, and an accompanying Group Policy setting was added, giving a user-friendly interface for altering these default permissions.

To give admins granular control over remote access to SAM on all Windows 10 versions, we developed the "SAMRi10" (pronounced Samaritan) tool. SAMRi10 is a short PowerShell (PS) script which alters these default permissions on all Windows 10 versions and on Windows Server 2016. Most significantly, this hardening should block attackers from easily obtaining valuable recon information.

Security Account Manager (SAM) and Active Directory

Accounts are always created relative to an issuing authority. In Windows, the issuing authority is referred to as a domain. A domain can be either a local domain or extend across a network. Domains store information about their accounts in an account database. Windows uses Active Directory as the account database in domain-based environments, whereas in environments that are not domain-based, it uses the security account manager (SAM) built-in database as the account database.

Local Domains and Account database

Every computer that runs Windows has its own local domain, that is, it has an account database for accounts that are specific to that computer. These are referred to as local accounts, local groups, and so on. Because computers typically do not trust each other for account information, these identities stay local to the computer on which they were created.

Network Domains and Domain Controllers

In a network domain, certain Windows servers can be configured to be domain controllers. A domain controller is a server that has made its account database available to other machines in a controlled manner.

SAMR: Remote Querying of SAM

The Security Account Manager Remote Protocol (SAMR) exposes the security accounts manager database to remote authenticated domain users, for both local and domain accounts. The protocol exposes five object types: server, domain, group, alias and user. All of them can be read and updated, and some (user, group and alias) can also be created and deleted.

Flow and Usage

The basic flow of using the SAMR protocol is as such:

  1. Connect to a server (the remote machine).
  2. Enumerate/lookup the server for domains.
  3. Open the domain of interest.
  4. Lookup a user or alias/group in the domain.
  5. Open the user/alias of interest.
  6. Query the user/alias of interest.

A few tools make these API calls, such as the built-in Net User and Net Group commands, PowerSploit's Get-NetLocalGroup and Impacket's SAMRdump. With Net User and Net Group an authenticated user can display, add or modify users or groups, respectively, on the local machine or on its domain controller. Get-NetLocalGroup queries a remote machine for its local groups (including the "Administrators" and "Users" groups). SAMRdump queries the target machine for its local users (using EnumDomainUsers against the target).

Microsoft ATA detects the use of such queries and alerts the security administrator.

Figure 1: Microsoft ATA alert on Domain Users recon

SAMR Required Permissions

Prior to Windows 10, any domain user could query any computer for its local users via the SAMR protocol. In Windows 10, SAM remote permissions can be configured by setting the following registry value (a REG_SZ string):

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM

The Anniversary Update changed the default security descriptor for SAM access to limit remote querying of SAM to local administrators only, even when the registry value above is not present, and added a Group Policy setting ("Network access: Restrict clients allowed to make remote calls to SAM") to allow central administration of this setting.

Figure 2: New Group Policy setting in the Anniversary Update

The RestrictRemoteSAM value holds a Security Descriptor Definition Language (SDDL) string containing a Discretionary Access Control List (DACL) with an Access Control Entry (ACE) for each allowed or denied user or group. The default descriptor on version 1607 and later, O:BAG:BAD:(A;;RC;;;BA), grants the RC (READ_CONTROL) right to Builtin\Administrators only; the remote SAM access check requires just that right, so any principal whose ACE grants RC may connect.
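The following PowerShell is an added example, not part of the original post or of the SAMRi10 script. It reads the RestrictRemoteSAM value from the local machine and decodes the SDDL into its individual ACEs, resolving each SID to an account name, so an admin can audit exactly who may connect to SAM remotely. It assumes that when the value is absent the documented post-1607 default "O:BAG:BAD:(A;;RC;;;BA)" applies; the function and variable names are the example's own.

```powershell
# Added example, not part of SAMRi10: read RestrictRemoteSAM and decode its SDDL so
# you can see exactly which principals may connect to SAM remotely.
# Assumption: when the value is absent, the documented post-1607 default
# "O:BAG:BAD:(A;;RC;;;BA)" applies (Builtin\Administrators only).

$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DefaultSddl = 'O:BAG:BAD:(A;;RC;;;BA)'

function Get-RemoteSamDescriptor {
    param([string]$Path = $RegPath)

    $sddl   = (Get-ItemProperty -Path $Path -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM
    $source = 'registry'
    if ([string]::IsNullOrWhiteSpace($sddl)) {
        $sddl   = $DefaultSddl
        $source = 'built-in default (value not set)'
    }

    # RawSecurityDescriptor throws on malformed SDDL, which is exactly what you want
    # to notice before a GPO pushes a broken string to every host.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved SID>' }

        [pscustomobject]@{
            Source     = $source
            Sddl       = $sddl
            AceType    = $ace.AceType                          # AccessAllowed / AccessDenied
            Principal  = $name
            Sid        = $sid.Value
            AccessMask = ('0x{0:X8}' -f [int]$ace.AccessMask)   # 0x00020000 = READ_CONTROL ("RC")
        }
    }
}

Get-RemoteSamDescriptor | Format-Table -AutoSize
```

On an unmodified 1607+ machine this prints a single AccessAllowed ACE for BUILTIN\Administrators with mask 0x00020000; on a SAMRi10-hardened machine a second ACE for the "Remote SAM Users" group appears. A value that fails to parse is worth treating as an incident in its own right, since the system falls back to its own behaviour rather than to whatever the admin intended.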


SAMRi10 details

The SAMRi10 script hardens remote access to the SAM by granting permission only to members of the Administrators group and of a new local group (also created by the script) named "Remote SAM Users".
Any administrator, and any service or user account added to the "Remote SAM Users" local group, can still remotely access SAM on the hardened machine; every other account is denied.


Using SAMRi10.ps1

Run the SAMRi10 PowerShell script as an administrator on the machine you wish to harden (Windows 10 / Server 2016+).

Figure 3: .\SAMRi10.ps1 execution

To allow a service or user account to remotely access SAM on the hardened machine, add it to the newly created "Remote SAM Users" group (as seen in Figure 8).

Revert Option

To revert the changes made by the SAMRi10 tool, use the -Revert option.
The registry value is restored to the backed-up value and the "Remote SAM Users" group is deleted.

For example:

Figure 5: .\SAMRi10.ps1 -Revert
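As an added illustration of the harden and revert steps described in the "SAMRi10 details" and "Revert Option" sections, the following PowerShell performs the same kind of change. It is example code written for this page, not the SAMRi10.ps1 script itself, and it assumes: an elevated session on Windows 10 / Server 2016+ (the LocalAccounts cmdlets), a hypothetical backup value named "RestrictRemoteSAM_Backup" stored next to the real value, and the "Remote SAM Users" group name from the post.

```powershell
# Added example, not the SAMRi10 script itself: apply and revert the same kind of
# hardening SAMRi10 performs. Assumptions: run elevated on Windows 10 / Server 2016+;
# the backup is stored under the hypothetical value name "RestrictRemoteSAM_Backup".

$RegPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName  = 'RestrictRemoteSAM'
$BackupName = 'RestrictRemoteSAM_Backup'   # hypothetical name chosen for this example
$GroupName  = 'Remote SAM Users'

function Invoke-RemoteSamHardening {
    # 1. Remember the current value (if any) so the revert path can restore it.
    $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -ne $current) {
        Set-ItemProperty -Path $RegPath -Name $BackupName -Value $current -Type String
    }

    # 2. Create the allow-list group if it does not exist yet.
    $group = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-LocalGroup -Name $GroupName -Description 'Accounts allowed to make remote SAM calls'
    }

    # 3. Build the SDDL: Administrators (BA) plus the new group's SID, each granted RC only.
    #    Using the SID rather than the name keeps the descriptor valid even if the group is renamed.
    $sddl = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$($group.SID.Value))"

    # 4. Refuse to write a descriptor that does not parse.
    [void](New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl))

    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $sddl -Type String
    Write-Host "RestrictRemoteSAM set to: $sddl"
}

function Invoke-RemoteSamRevert {
    $backup = (Get-ItemProperty -Path $RegPath -Name $BackupName -ErrorAction SilentlyContinue).$BackupName
    if ($null -ne $backup) {
        # A value existed before hardening: put it back and drop the backup copy.
        Set-ItemProperty -Path $RegPath -Name $ValueName -Value $backup -Type String
        Remove-ItemProperty -Path $RegPath -Name $BackupName
    } else {
        # Nothing existed before: deleting the value restores the OS default behaviour.
        Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    }
    Remove-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
    Write-Host 'RestrictRemoteSAM reverted and the Remote SAM Users group removed.'
}

# Usage (elevated):  Invoke-RemoteSamHardening      or      Invoke-RemoteSamRevert
```

Two practical caveats: a Group Policy that sets "Network access: Restrict clients allowed to make remote calls to SAM" will overwrite whatever a local script writes at the next policy refresh, so in a domain the same SDDL belongs in the GPO; and the change takes effect for new SAMR connections without a reboot, so test from a second machine immediately after applying it.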

Results on SAMRi10 Hardened Targets

Net User on a Hardened Domain Controller

A Windows Server 2016 domain controller hardened by the SAMRi10 tool responds differently to remote SAM access depending on the requesting account type:

  • Domain Admin account: querying the hardened domain controller, with "Net User/Group" for example, completes successfully.
  • Non-privileged user account: querying the hardened domain controller, with "Net User/Group" for example, results in an "Access is denied" error.
  • Member of "Remote SAM Users": querying the hardened domain controller, with "Net User/Group" for example, completes successfully.

The following figures represent the scenarios described above:

Figure 6: Administrator successfully calls Net User remotely against a hardened domain controller

Figure 7: User2 (non-admin) gets "Access is denied" calling Net User remotely against a hardened domain controller

Figure 8: Group membership of Remote SAM Users on the hardened domain controller

Figure 9: User3 (non-admin, but a member of "Remote SAM Users") successfully calls Net User against a hardened domain controller


Get-NetLocalGroup Against a Hardened Machine

A Windows 10 machine hardened by the SAMRi10 tool responds to remote SAM access according to the requesting account type, just like a hardened 2016 domain controller.
Running PowerSploit's Get-NetLocalGroup against a SAMRi10-hardened computer as an unprivileged user results in an "Access is denied" error.

Running the same method with an administrative account, or with an account that is a member of the local "Remote SAM Users" group on the remote machine, completes successfully.

The following figures represent the scenarios described above:

Figure 10: user2 (non-admin) gets "Access is denied" calling Get-NetLocalGroup against a hardened Windows 10 machine

Figure 11: user1 (local admin) successfully calls Get-NetLocalGroup against a hardened Windows 10 machine
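To reproduce the allowed/denied outcomes shown in Figures 6 to 11 without PowerSploit, the following added PowerShell (example code for this page, not from the original post or the SAMRi10 project) enumerates a local group on a target through the WinNT ADSI provider, which is the same SAMR-backed path Get-NetLocalGroup uses, and reports whether the calling account was allowed or denied. The target name "DC01" in the usage line, the function name and the output fields are this example's own assumptions.

```powershell
# Added example, not from the original post: probe a target from a client to confirm
# that RestrictRemoteSAM holds for the account you are running as. The WinNT ADSI
# provider enumerates local groups over SAMR, so "Access is denied" here means the
# hardening is effective for this caller.

function Test-RemoteSamAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$GroupName = 'Administrators'
    )
    $caller = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    try {
        $group   = [ADSI]"WinNT://$ComputerName/$GroupName,group"
        # Invoke('Members') is where the SAMR connection actually happens.
        $members = @($group.psbase.Invoke('Members') | ForEach-Object {
            $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        })
        [pscustomobject]@{
            Target  = $ComputerName
            Caller  = $caller
            Result  = 'Allowed'
            Members = ($members -join ', ')
        }
    } catch {
        # The COM error is wrapped; look at the innermost message.
        $msg = $_.Exception.InnerException.Message
        if (-not $msg) { $msg = $_.Exception.Message }
        $result = if ($msg -match 'denied') { 'Denied (SAM access restricted)' } else { "Error: $msg" }
        [pscustomobject]@{
            Target  = $ComputerName
            Caller  = $caller
            Result  = $result
            Members = ''
        }
    }
}

# Usage, e.g. from a non-admin domain user's session (hypothetical target name):
# Test-RemoteSamAccess -ComputerName DC01 | Format-List
```

Run it once as an ordinary domain user and once as an administrator or a "Remote SAM Users" member; the first should report Denied and the other two Allowed, matching the figures above. Any other error (name resolution, firewall, unreachable host) is reported verbatim so that a network problem is not mistaken for a successful hardening.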