About a week ago, a couple of Microsoft Researchers released a tool presented at Black Hat Europe 2016 called "SAMRi10" (pronounced “Samaritan”), a short PowerShell (PS) script which alters remote SAM access default permissions on Windows 10 & Windows Server 2016. This hardening process prevents attackers from easily getting some valuable recon information to move laterally within their victim’s network.
Here’s a summary of the tool’s goals & functionality:
Reconnaissance (recon for short) is a key stage within the Advanced Attackers’ kill chain. Once attackers have breached a single end-point, they need to discover their next targets within the victim’s corporate network, most notably privileged users. In order to enable admins to harden their network against such recon attacks targeting local users, we had developed the “SAMRi10” (pronounced Samaritan) tool.
Reconnaissance (recon for short) is a key stage within the Advanced Attackers’ kill chain. Once attackers have breached a single end-point, they need to discover their next targets within the victim’s corporate network, most notably privileged users
Attackers utilize compromised credentials in order to move laterally within their victims’ network. These compromised credentials may consist of either domain or local credentials. Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed (password complexity and change policy) and less monitored (no traffic and logs besides the specific computer).
Querying the Windows Security Account Manager (SAM) remotely via the SAM-Remote (SAMR) protocol against their victim’s domain machines, allows the attackers to get all domain and local users with their group membership and map possible routes within the victim’s network. Recently, some frameworks (e.g. BloodHound) have automated that mapping process.
By default, the SAM can be accessed remotely (via SAMR) by any authenticated user, including network connected users, which effectively means that any domain user is able to access it. Windows 10 had introduced an option to control the remote access to the SAM, through a specific registry value. On Windows Anniversary update (Windows 10 Version 1607) the default permissions were changed to allow remote access only to administrators. An accompanying Group Policy setting was added, which gives a user-friendly interface to alter these default permissions.
In order to enable admins to have granular control over remote access to SAM for all Windows 10 versions, we had developed the “SAMRi10” (pronounced Samaritan) tool. The SAMRi10 tool is a short PowerShell (PS) script which alters these default permissions on all Windows 10 versions and Windows Server 2016. Most significantly, this hardening process should block attackers from easily getting valuable recon information.
SAMRi10 can be downloaded from here. In-depth usage instructions are included in the download package.
- DOWNLOAD: “SAMRi10” – Hardening SAM Remote Access in Windows 10/Server 2016