Pierluigi Paganini October 15, 2016

A Microsoft security duo released a new tool dubbed NetCease designed to make hard for attackers to conduct reconnaissance.

Microsoft experts have released a tool dubbed NetCease that was designed to make hard reconnaissance activities of hackers.

The NetCease tool was developed by two researchers of the Microsoft Advanced Threat Analytics (ATA) research team, Itai Grady and Tal Be’ery.

The security experts will present the tool at the Black Hat Europe where they will explore the concept of “offensive cyber defense” methods.

The application is not classified as an official Microsoft tool, but it has been made available on Microsoft’s TechNet Gallery under the default license terms for “Software on Documentation Portals.”

The reconnaissance is a critical phase of an attack, attackers gather information of the potential targets identified target machines, potential bridge components for lateral movements and privileged users.

Once the attacker has identified the targets, he can use the NetSessionEnum function to retrieve information about sessions established on domain controllers (DC) or other servers in the network.

A NetSessionEnum could allow attackers to discover device name, IP address, the username that established a session, and the duration of each session.

This data are essential for attackers to move laterally within their victim’s network.

Any domain user has the permission by default to execute the NetSessionEnum method remotely. Anyway, it is possible to harden the access to the NetSessionEnum method by manually editing a registry key. The NetCease is a PowerShell script that modifies this registry key modify to forbid the execution of the NetSessionEnum.

“Net Cease” tool is a short PowerShell (PS) script which alters Net Session Enumeration (NetSessionEnum) default permissions. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim’s network.” reads the NetCease description.

“The NetCease script hardens the access to the NetSessionEnum method by removing the execute permission for Authenticated Users group and adding permissions for interactive, service and batch logon sessions,” the experts explained. “This will allow any administrator, system operator and power user to remotely call this method, and any interactive/service/batch logon session to call it locally.”

NetCease is simple to use, administrators have to run the PowerShell script as administrator on the machine they need to harden (i.e. a Domain Controller), then restart it.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – NetCease tool, hacking)