Microsoft has released a new tool, NetCease, to help security teams protect corporate networks from attacker reconnaissance.
The tool was developed by Tal Be’ery and Itai Grady of Microsoft’s ATA (Advanced Threat Analytics) research team. It is published on Microsoft’s TechNet Gallery but is not an official Microsoft product; it is available under the default license terms for “Software on Documentation Portals”.
NetCease is a small PowerShell script that must be run once on each domain controller or server that is to be protected. Because it is a script, its source code is also available.
During the reconnaissance phase of an attack, attackers collect the information that lets them move from a compromised device to other machines on the victim’s network. Specifically, they need to identify which computers they can access and which privileged users are logged on to them.
Once a target is identified, attackers can use the NetSessionEnum (NSE) function to obtain information about sessions established on domain controllers or other servers. NSE can be called by any authorized user and returns details such as the IP address and device name of each session, its duration, and the user name that created it.
This technique has already been used in a number of attacks and is built into well-known penetration testing tools such as BloodHound and PowerSploit.
By default, any domain user is allowed to call NSE remotely, and the default permissions can only be changed by manually editing a registry key. Be’ery and Grady created NetCease to make it easy for administrators to modify these permissions, making it harder for attackers to obtain the information they need to move laterally within the network.
The researchers explained: “The NetCease script hardens the access to the NetSessionEnum method by removing the execute permission for Authenticated Users group and adding permissions for interactive, service and batch login sessions. This will allow any administrator, system operator and power user to remotely call this method and any interactive/batch/service login session to call it locally.”
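The following PowerShell script is an added example, not the NetCease script itself. It audits the permissions the article describes and, with `-Apply`, performs the same hardening: it reads the binary security descriptor that governs NetSessionEnum from the LanmanServer `DefaultSecurity\SrvsvcSessionInfo` registry value (this location is not named in the article), lists every ACE with its principal, drops the Authenticated Users entries, and grants the session-query right (assumed here to be access mask `0x1`) to the Interactive, Service and Batch logon SIDs. The backup value name and the restart note are this example’s own choices.

```powershell
# Added example (not the NetCease script): audit and optionally harden the DACL
# that controls remote NetSessionEnum calls. Assumptions: the descriptor lives as
# REG_BINARY under the LanmanServer DefaultSecurity key (not named in the article)
# and access mask 0x1 is the session-query right granted to local logon types.
#Requires -RunAsAdministrator
param([switch]$Apply)

$KeyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$ValueName  = 'SrvsvcSessionInfo'
$BackupName = 'SrvsvcSessionInfoBackup'   # backup value name chosen for this example

# Well-known SIDs: Authenticated Users (removed) and Interactive/Service/Batch (added)
$AuthenticatedUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$LocalLogonSids     = @('S-1-5-4', 'S-1-5-6', 'S-1-5-3') |
    ForEach-Object { [System.Security.Principal.SecurityIdentifier]$_ }
$SessionQueryRight  = 0x1   # assumed access mask for "query session information"

function Get-NetSessionDescriptorBytes {
    (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
}

function ConvertTo-RawSecurityDescriptor {
    param([byte[]]$Bytes)
    [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
}

function Show-NetSessionDacl {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd)
    # One row per ACE; SID translation may fail for orphaned SIDs, so fall back gracefully
    foreach ($ace in $Sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $name = '(untranslatable)'
        try { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch {}
        [pscustomobject]@{
            Principal  = $name
            Sid        = $ace.SecurityIdentifier.Value
            Type       = $ace.AceType
            AccessMask = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

function Test-NetSessionExposed {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd)
    # Exposed (default state) if an allow ACE grants Authenticated Users the query right
    foreach ($ace in $Sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $ace.SecurityIdentifier -eq $AuthenticatedUsers -and
            ($ace.AccessMask -band $SessionQueryRight)) { return $true }
    }
    return $false
}

function New-HardenedNetSessionDacl {
    param([System.Security.AccessControl.RawSecurityDescriptor]$Sd)
    $dacl = $Sd.DiscretionaryAcl
    # Walk backwards so removing an ACE does not shift the indexes still to be visited
    for ($i = $dacl.Count - 1; $i -ge 0; $i--) {
        $ace = $dacl[$i]
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.SecurityIdentifier -eq $AuthenticatedUsers) { $dacl.RemoveAce($i) }
    }
    # Grant the query right to local interactive, service and batch logon sessions
    foreach ($sid in $LocalLogonSids) {
        $dacl.InsertAce($dacl.Count, [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $SessionQueryRight, $sid, $false, $null))
    }
    $Sd
}

$originalBytes = Get-NetSessionDescriptorBytes
$sd = ConvertTo-RawSecurityDescriptor $originalBytes
Write-Host "Current NetSessionEnum DACL on $env:COMPUTERNAME:"
Show-NetSessionDacl $sd | Format-Table -AutoSize

if (Test-NetSessionExposed $sd) {
    Write-Warning 'Authenticated Users can enumerate sessions remotely (default state).'
} else {
    Write-Host 'Authenticated Users hold no session-query right (already hardened).'
}

if ($Apply -and (Test-NetSessionExposed $sd)) {
    # Keep the original descriptor so the change can be reverted
    New-ItemProperty -Path $KeyPath -Name $BackupName -Value $originalBytes -PropertyType Binary -Force | Out-Null
    $hardened = New-HardenedNetSessionDacl $sd
    $bytes = New-Object byte[] $hardened.BinaryLength
    $hardened.GetBinaryForm($bytes, 0)
    Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $bytes -Type Binary
    Write-Host 'Hardened descriptor written; restart the Server service (LanmanServer) for it to take effect.'
}
```

Run it without arguments first to see the current ACEs and whether the host is still in the default state; running it with `-Apply` writes the backup value and the hardened descriptor, which the Server service reads when it starts. Administrators, server operators and power users keep their remote access because their ACEs are left untouched; only the Authenticated Users entries are removed.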
The tool is released as a preview for the upcoming Black Hat Europe session in which Grady and Be’ery will demonstrate what they call “offensive cyber defense” methods.
About the Author
Peter Buttler is an infosec journalist and tech reporter and a member of the IDG Network. In 2011 he completed a master’s degree in cybersecurity and technology. He has worked for leading security and technology companies as a staff writer and currently contributes to a number of online publications, including The Next Web, CSO Online, Infosecurity Magazine, SC Magazine, Tripwire, GlobalSign and CSO Australia. His favorite areas are online privacy, AI, IoT, VR, blockchain, big data, ML and fintech. You can follow him on Twitter.