Reconnaissance (recon for short) is a key stage within the advanced attacker's kill chain. Once attackers have breached a single endpoint, they need to discover their next targets within the victim's corporate network, most notably privileged users. To enable admins to harden their network against such recon attacks targeting local users, we developed the "SAMRi10" (pronounced Samaritan) tool.
Attackers use compromised credentials to move laterally within their victims' network. These may be either domain or local credentials. Local credentials, especially those of local admins, are a lucrative target for attackers because they are less managed (no password complexity or change policy) and less monitored (they generate no network traffic or logs outside the specific computer).
Querying the Windows Security Account Manager (SAM) remotely via the SAM-Remote (SAMR) protocol against their victim's domain machines allows the attackers to get all domain and local users with their group membership and map possible routes within the victim's network. Recently, some frameworks (e.g. […]) have automated that mapping process.
By default, the SAM can be accessed remotely (via SAMR) by any authenticated user, including network-connected users, which effectively means that any domain user can access it. Windows 10 introduced an option to control remote access to the SAM through a specific registry value. The Windows 10 Anniversary Update (version 1607) changed the default permissions to allow remote access only to administrators, and added an accompanying Group Policy setting that gives a user-friendly interface for altering these default permissions.
To give admins granular control over remote access to the SAM on all Windows 10 versions, we developed the "SAMRi10" (pronounced Samaritan) tool. SAMRi10 is a short PowerShell (PS) script that alters these default permissions on all Windows 10 versions and on Windows Server 2016. Most significantly, this hardening should block attackers from easily obtaining valuable recon information.
Every computer that runs Windows has its own local domain, that is, it has an account database for accounts that are specific to that computer. These are referred to as local accounts, local groups, and so on. Because computers typically do not trust each other for account information, these identities stay local to the computer on which they were created.
In a network domain, certain Windows servers can be configured to be domain controllers. A domain controller is a server that has made its account database available to other machines in a controlled manner.
The basic flow of using the SAMR protocol is as such:
There are a few tools that use these API calls, such as Net User/Net Group, PowerSploit's Get-NetLocalGroup and Impacket's samrdump. Net User and Net Group are Windows built-in command-line tools; with them an authenticated user can add, modify or display information on users or groups respectively, on the local machine or on its domain controller. Get-NetLocalGroup queries a remote machine for its local groups (including the "Administrators" and "Users" groups). samrdump queries the target machine for its local users (using EnumDomainUsers on the target machine).
Microsoft ATA detects the use of such queries and alerts the security administrator about it.
Figure 1: Microsoft ATA alert on Domain Users recon
Prior to Windows 10, any domain user could query any computer for its local users via the SAMR protocol. In Windows 10, SAM remote permissions can be configured by setting the following registry value:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM

The Windows Anniversary Update changed the default security descriptor for SAM access so that remote querying of the SAM is limited to local administrators only, even if the aforementioned registry value is not present, and added a Group Policy setting ("Network Access: Restrict clients allowed to make remote calls to SAM") to allow central administration of this policy setting.
Figure 2: New Group Policy setting in the Anniversary Update
The RestrictRemoteSAM value is a string in Security Descriptor Definition Language (SDDL) format; it contains a Discretionary Access Control List (DACL) with Access Control Entries (ACEs) for the allowed and denied users and groups.
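As an added example (not part of SAMRi10 or the original post), the following PowerShell function reads the RestrictRemoteSAM value and decodes its SDDL into a readable list of which principals are allowed or denied, so an admin can audit what a machine is actually enforcing. It assumes only the registry path named above and the .NET RawSecurityDescriptor class; the sample SDDL passed at the bottom is Microsoft's documented administrators-only default and is used here as constructed input.

```powershell
# Added example: audit the RestrictRemoteSAM SDDL. Not SAMRi10 code.
# Assumes the value lives at HKLM:\SYSTEM\CurrentControlSet\Control\Lsa (as described above).
function Get-RemoteSamAccessPolicy {
    [CmdletBinding()]
    param(
        # SDDL string to decode; when omitted, the live registry value is read.
        [string]$Sddl
    )
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not $Sddl) {
        $item = Get-ItemProperty -Path $lsaKey -Name 'RestrictRemoteSAM' -ErrorAction SilentlyContinue
        if (-not $item) {
            Write-Warning 'RestrictRemoteSAM is not set: pre-1607 builds allow any authenticated user; 1607+ fall back to the built-in administrators-only default.'
            return
        }
        $Sddl = $item.RestrictRemoteSAM
    }

    # RawSecurityDescriptor parses the SDDL string into owner, group and DACL objects.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved SID>' }   # e.g. a group that no longer exists
        [pscustomobject]@{
            AceType    = $ace.AceType                   # AccessAllowed / AccessDenied
            Principal  = $name
            Sid        = $sid.Value
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)  # RC (READ_CONTROL) is 0x20000
        }
    }
}

# Constructed sample input: the documented Windows 10 1607 default (BUILTIN\Administrators only).
Get-RemoteSamAccessPolicy -Sddl 'O:BAG:BAD:(A;;RC;;;BA)' | Format-Table -AutoSize

# Live check on this machine (prints nothing but a warning if the value is absent):
Get-RemoteSamAccessPolicy | Format-Table -AutoSize
```

Any SID that has no ACE in the DACL is implicitly denied, so the output lists exactly the set of principals that may make remote SAM calls; running this across a fleet (for example via Invoke-Command) is a quick way to confirm the hardening actually landed.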
The SAMRi10 script hardens remote access to the SAM by granting permission only to members of the Administrators group and of a newly created local group (also created by the script) named "Remote SAM Users".
This allows any administrator, and any service or user account added to the "Remote SAM Users" local group, to remotely access the SAM on the hardened machine.
Run the SAMRi10 PowerShell script as administrator on the machine you wish to harden (Windows 10/Server 2016+).
Figure 3: .\SAMRi10.ps1 execution
To allow a service or user account to remotely access the SAM on the hardened machine, add it to the newly created "Remote SAM Users" group (as seen in Figure 8).
To revert the changes made by the SAMRi10 tool, use the Revert option.
The registry value is restored to the backed-up value and the "Remote SAM Users" group is deleted.
Figure 5: .\SAMRi10.ps1 -Revert
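The harden and revert steps described above, written out as an added example script of my own (this is not the SAMRi10 script and makes no claim about how SAMRi10 is implemented). It assumes Windows 10 / Server 2016 or later, where the Microsoft.PowerShell.LocalAccounts cmdlets exist, and an elevated session; the backup value name RestrictRemoteSAM_Backup and the script filename are this example's own choices. The RC (READ_CONTROL) right is the one used in Microsoft's documented default descriptor.

```powershell
<#
  Added example (Harden-RemoteSam.ps1), not the SAMRi10 script itself.
  Assumes: Windows 10 / Server 2016+, elevated PowerShell, LocalAccounts module available.
  'RestrictRemoteSAM_Backup' is a hypothetical value name chosen for this example.
#>
[CmdletBinding()]
param([switch]$Revert)

$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName  = 'RestrictRemoteSAM'
$BackupName = 'RestrictRemoteSAM_Backup'   # hypothetical: holds the pre-hardening value
$GroupName  = 'Remote SAM Users'

function Protect-RemoteSam {
    # 1. Create the opt-in group if it does not exist yet.
    if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $GroupName -Description 'Accounts allowed to query the SAM remotely' | Out-Null
    }
    $groupSid = (Get-LocalGroup -Name $GroupName).SID.Value

    # 2. Save the current value (empty string if none was configured) so -Revert can restore it.
    $current = (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) { $current = '' }
    Set-ItemProperty -Path $LsaKey -Name $BackupName -Value $current -Type String

    # 3. Allow RC (READ_CONTROL) to BUILTIN\Administrators (BA) and to the new group.
    #    Every SID without an ACE in this DACL is implicitly denied.
    $sddl = "O:BAG:BAD:(A;;RC;;;BA)(A;;RC;;;$groupSid)"
    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $sddl -Type String
    Write-Host "RestrictRemoteSAM set to: $sddl"
}

function Unprotect-RemoteSam {
    $backup = (Get-ItemProperty -Path $LsaKey -Name $BackupName -ErrorAction SilentlyContinue).$BackupName
    if ($null -eq $backup) { throw "No backup found at $LsaKey\$BackupName; nothing to revert." }
    if ($backup -eq '') {
        # Nothing was configured before hardening: drop the value so the OS default applies again.
        Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $backup -Type String
    }
    Remove-ItemProperty -Path $LsaKey -Name $BackupName -ErrorAction SilentlyContinue
    if (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue) {
        Remove-LocalGroup -Name $GroupName
    }
    Write-Host "RestrictRemoteSAM restored and the '$GroupName' group removed."
}

if ($Revert) { Unprotect-RemoteSam } else { Protect-RemoteSam }

# Usage:
#   .\Harden-RemoteSam.ps1            # harden
#   .\Harden-RemoteSam.ps1 -Revert    # restore the saved value and remove the group
#   Add-LocalGroupMember -Group 'Remote SAM Users' -Member 'CONTOSO\svc-inventory'   # constructed account name
```

Two caveats: a domain controller has no local account database, so there the group has to be created with the ActiveDirectory module (New-ADGroup) and its SID substituted into the SDDL; and on 1607+ machines managed by the "Network access: Restrict clients allowed to make remote calls to SAM" Group Policy setting, the policy will rewrite this value at the next refresh, so the group SID should be added there instead of only in the local registry.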
A Windows Server 2016 domain controller hardened by the SAMRi10 tool responds differently to remote SAM access depending on the requesting user's account type:
The following figures represent the scenarios described above:
Figure 6: Administrator successfully calls Net User remotely on a hardened domain controller
Figure 7: User2 (non-admin) gets access denied calling Net User remotely on a hardened domain controller
Figure 8: Group membership of Remote SAM Users on the hardened domain controller
Figure 9: User3 (non-admin, but member of "Remote SAM Users") successfully calls Net User on a hardened domain controller
A Windows 10 machine hardened by the SAMRi10 tool responds to remote SAM access based on the requesting user's account type in the same way as a hardened 2016 domain controller.
Remote execution of PowerSploit's Get-NetLocalGroup against a SAMRi10-hardened computer as an unprivileged user results in an "Access is denied" error.
The following figures represent the scenarios described above:
Figure 10: user2 (non-admin) gets access denied calling Get-NetLocalGroup on a hardened Windows 10 machine
Figure 11: user1 (local admin) successfully calls Get-NetLocalGroup on a hardened Windows 10 machine