Stories
Slash Boxes
Comments

SoylentNews is people

Net Cease: Microsoft Researchers Unveil Anti-Reconnaissance Tool

posted by cmn32480 on Wednesday October 19 2016, @05:52PM   Printer-friendly
from the who's-watching? dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

Microsoft researchers Itay Grady and Tal Be'ery have released Net Cease, a PowerShell script that prevents attackers who have already compromised an endpoint from getting information about other targets within the same corporate network.

The idea behind the script is to make attackers' lateral movement on the network more difficult.

[...] Net Cease works by changing the default permissions for the NetSessionEnum method to limit the number of domain users who are able to execute the method remotely.

"The NetCease script hardens the access to the NetSessionEnum method by removing the execute permission for Authenticated Users group and adding permissions for interactive, service and batch logon sessions," the creators explained.

This one's for all you admin types out there who have no choice but to have large numbers of Windows devices on your network.

Source: https://www.helpnetsecurity.com/2016/10/18/net-cease-network-anti-reconnaissance-tool/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Net Cease: Microsoft Researchers Unveil Anti-Reconnaissance Tool | Log In/Create an Account | Top | 12 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Funny) by Anonymous Coward on Wednesday October 19 2016, @06:05PM

    by Anonymous Coward on Wednesday October 19 2016, @06:05PM (#416257)

    Great, this particular attack vector used by exactly ONE guy over in Elbonia has now been disabled. This will not stop anything.
    Also, "I wrote a script that does something" is now newsworthy?

    • (Score: 2, Informative) by Anonymous Coward on Wednesday October 19 2016, @06:08PM

      by Anonymous Coward on Wednesday October 19 2016, @06:08PM (#416260)

      And for those interested, below is the full script. It's pathetic that this is newsworthy in any shape, way or form.
      This isn't a "OMG, Microsoft Research makes huge strides", instead it is more along the lines of "anyone, even an intern, could have written this" (and it was likely written by an intern).

      #NetSessionEnum SecurityDescriptor Registry Key
      $key = "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
      $name = "SrvsvcSessionInfo"
      $SRVSVC_SESSION_USER_INFO_GET = 0x00000001
      $backup = "SrvsvcSessionInfoBackup"
       
      Write-Host "Starting NetCease 1.01"
       
      #Backup original Key value if needed
      $backupVal = [Microsoft.Win32.Registry]::GetValue($key, $backup, $null)
      $srvSvcSessionInfo = [Microsoft.Win32.Registry]::GetValue($key, $name, $null)
      if ($backupVal -eq $null)
      {
          [Microsoft.Win32.Registry]::SetValue($key,$backup,$srvSvcSessionInfo)
      }
       
      #Load the SecurityDescriptor
      $csd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true,$false, $srvSvcSessionInfo,0
       
      #Remove Authenticated Users Sid permission entry from its DiscretionaryAcl (DACL)
      $authUsers = [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid
      $authUsersSid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $authUsers, $null
      $csd.DiscretionaryAcl.RemoveAccessSpecific([System.Security.AccessControl.AccessControlType]::Allow, $authUsersSid,$SRVSVC_SESSION_USER_INFO_GET, 0,0)
       
      #Add Access Control Entry permission for Interactive Logon Sid
      $wkt = [System.Security.Principal.WellKnownSidType]::InteractiveSid
      $interactiveUsers = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $wkt, $null
      $csd.DiscretionaryAcl.AddAccess([System.Security.AccessControl.AccessControlType]::Allow, $interactiveUsers, $SRVSVC_SESSION_USER_INFO_GET,0,0)
       
      #Add Access Control Entry permission for Service Logon Sid
      $wkt = [System.Security.Principal.WellKnownSidType]::ServiceSid
      $serviceLogins = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $wkt, $null
      $csd.DiscretionaryAcl.AddAccess([System.Security.AccessControl.AccessControlType]::Allow, $serviceLogins, $SRVSVC_SESSION_USER_INFO_GET,0,0)
       
      #Add Access Control Entry permission for Batch Logon Sid
      $wkt = [System.Security.Principal.WellKnownSidType]::BatchSid
      $BatchLogins = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $wkt, $null
      $csd.DiscretionaryAcl.AddAccess([System.Security.AccessControl.AccessControlType]::Allow, $BatchLogins, $SRVSVC_SESSION_USER_INFO_GET,0,0)
       
      #Update the SecurityDescriptor in the Registry with the updated DACL
      $data = New-Object -TypeName System.Byte[] -ArgumentList $csd.BinaryLength
      $csd.GetBinaryForm($data,0)
      [Microsoft.Win32.Registry]::SetValue($key,$name,$data)
      Write-Host "Permissions successfully updated"
      Write-Host "In order for the hardening to take effect, please restart the Server service"

    • (Score: 1, Redundant) by Nerdfest on Wednesday October 19 2016, @06:38PM

      by Nerdfest (80) on Wednesday October 19 2016, @06:38PM (#416276)

      Isn't this just slapping some duct tape over bad design to begin with?

    • (Score: 2) by sjames on Wednesday October 19 2016, @07:53PM

      by sjames (2882) on Wednesday October 19 2016, @07:53PM (#416310) Journal

      Someone wrote a script that does something in the godawful gobbledygook that is powershell? That *IS* news!

  • (Score: 1, Insightful) by Anonymous Coward on Wednesday October 19 2016, @06:21PM

    by Anonymous Coward on Wednesday October 19 2016, @06:21PM (#416268)

    This is the saddest bit of security PR ever, and will probably give them a boost in confidence by most...

    • (Score: 1, Redundant) by canopic jug on Wednesday October 19 2016, @06:54PM

      by canopic jug (3949) on Wednesday October 19 2016, @06:54PM (#416282) Journal
      M$ got laughed at a lot a little over a decade ago because they were spending more on marketing than anything else. So the response seems to have been to rename some of the marketing as research and make frequent press releases. But it works to fool people
      --
      Money is not free speech. Elections should not be auctions.

      • (Score: 2) by canopic jug on Thursday October 20 2016, @12:19PM

        by canopic jug (3949) on Thursday October 20 2016, @12:19PM (#416598) Journal

        Look it up in the SEC filing rather. It's there in black and white in the Form 10-Q for the Quarter Ended March 31, 2002 [sec.gov] and earlier. Before M$ became a lobbying engine, it was first and foremost a marketing company. Eons before that, it did an abortive attempt at operating systems, but survived having inherited IBM's monopoly. Before that it did software, but that was eons ago and all that is long ago in the past now. What it is today is unclear, it has gone beyond marketing and lobbying and has several cult-like characteristics.

        This "Research" is just marketing money thrown at selected, bumbling grad students or desperate post-docs, in exchange for M$ using their efforts as PR.

        --
        Money is not free speech. Elections should not be auctions.

    • (Score: 4, Funny) by aristarchus on Wednesday October 19 2016, @07:00PM

      by aristarchus (2645) on Wednesday October 19 2016, @07:00PM (#416289) Journal

      Actually, this is probably meant to take attention off the Wikileak of Clinton's emails, wherein Bill OR Melinda Gates were suggested for the VP slot on the Clinton ticket.

      • (Score: 3, Insightful) by frojack on Wednesday October 19 2016, @07:31PM

        by frojack (1554) on Wednesday October 19 2016, @07:31PM (#416302) Journal

        Well I don't actually see an election tie in, and if there was something to suppress it would be the Lolita Express [washingtontimes.com] story, rather than VP choices that were never real, and never going to fly in the first place.

        The fact that a beachhead in any single windows domain member usually gives you total lateral access across multiple domains, isn't news.
        And the idea that some cheasy script is going to stop that seems laughable.

        I can't imagine why Microsoft would release this as an optional script rather than a real patch, unless of course it cripples much of the windows domain functionality that users have come to expect and rely on (knowing full well it was insecure).

        --
        No, you are mistaken. I've always had this sig.

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday October 19 2016, @06:57PM

    by Anonymous Coward on Wednesday October 19 2016, @06:57PM (#416286)

    First the bad story about Bellicheck hating their tablet shows up . Two puff pieces immediately follow. Coincidence or Astroturfing?

  • (Score: 3, Insightful) by edIII on Wednesday October 19 2016, @07:16PM

    by edIII (791) on Wednesday October 19 2016, @07:16PM (#416297)

    Microsoft Researchers Unveil Anti-Reconnaissance Tool

    So Microsoft [security] researchers were working on Anti-Reconnaissance tools? Does their telemetry department know they declared war on them? :)

    Microsoft and Anti-Reconnaissance are mutually exclusive.

    --
    Technically, lunchtime is at any moment. It's just a wave function.

  • (Score: 2) by RamiK on Wednesday October 19 2016, @09:14PM

    by RamiK (1813) on Wednesday October 19 2016, @09:14PM (#416344)

    Got pwned? Have no fear! Microsoft's rapid response anti-virus team composed of the finest power-shell script kiddies H1Bs could buy will seal that leak in no time!

    --
    compiling...