Microsoft's 'Samaritan' refuses help to hackers doing Win 10 recon

'SAMRi10' script hides the creds hackers crave, making box-to-box jumps harder

Microsoft hacker Itai Grady has created a tool to help prevent blackhat scouts from stealing Windows credentials, an effort the firm hopes will make network compromises harder to achieve.

The SAMRi10 PowerShell script (pronounced "samaritan") removes the easy username information hackers seek in initial reconnaissance of Windows boxes.

It changes the default permissions for remote Windows Security Account Manager (SAM) access on Windows 10 and Windows Server 2016 in a bid to limit the amount of information hackers can glean.
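As an added illustration of what "changing the default permissions for remote SAM access" means in practice (this is example code, not SAMRi10 itself and not Microsoft's script): on Windows 10 1607+ and Windows Server 2016 the policy "Network access: Restrict clients allowed to make remote calls to SAM" is stored as an SDDL security descriptor in the `RestrictRemoteSAM` registry value under the `Lsa` key, and the `RestrictRemoteSamAuditOnlyMode` DWORD switches it to log-only mode. The snippet below reads and decodes the current descriptor, writes a hardened one (by default the Windows out-of-the-box descriptor, which grants READ_CONTROL to BUILTIN\Administrators only), and pulls the related SAM events from the System log. The local group name `Remote SAM Users` and the event IDs used as defaults are assumptions to verify against your own build's documentation; the exact descriptor SAMRi10 writes may differ.

```powershell
# Added example: inspect and harden remote SAM (SAMR) access on Win10 / Server 2016.
# Not SAMRi10 and not Microsoft's code. Run from an elevated PowerShell session.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'RestrictRemoteSAM'            # documented policy value (SDDL string)
$AuditName = 'RestrictRemoteSamAuditOnlyMode' # documented audit-only switch (DWORD)

function Get-RemoteSamPolicy {
    # Returns who is currently allowed to make remote SAM calls, decoded from SDDL.
    $sddl = (Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if (-not $sddl) {
        return [pscustomobject]@{ Configured = $false; Sddl = $null; Trustees = @() }
    }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $sddl
    $trustees = foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # unresolvable SID, show it raw
        [pscustomobject]@{ Type = $ace.AceType; Trustee = $who; Mask = ('0x{0:X}' -f $ace.AccessMask) }
    }
    [pscustomobject]@{ Configured = $true; Sddl = $sddl; Trustees = $trustees }
}

function Set-RemoteSamPolicy {
    param(
        # Windows default on 1607+/Server 2016: only BUILTIN\Administrators (BA) get RC.
        [string]$Sddl = 'O:BAG:BAD:(A;;RC;;;BA)',
        # Optional local group to grant the same right (ASSUMPTION: name is illustrative,
        # create it yourself with New-LocalGroup before use).
        [string]$ExtraGroup,
        [switch]$AuditOnly
    )
    $me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { throw 'Run elevated.' }

    if ($ExtraGroup) {
        # Append an allow ACE for the group's SID; SDDL takes a literal SID where no alias exists.
        $sid = (New-Object System.Security.Principal.NTAccount($ExtraGroup)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        $Sddl = "$Sddl(A;;RC;;;$sid)"
    }
    # Parse before writing: a malformed descriptor makes Windows fall back to the default,
    # and an overly broad one silently reopens enumeration, so fail loudly here.
    [void](New-Object System.Security.AccessControl.RawSecurityDescriptor $Sddl)

    Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Sddl -Type String
    Set-ItemProperty -Path $LsaKey -Name $AuditName -Value ([int]$AuditOnly.IsPresent) -Type DWord
    Get-RemoteSamPolicy
}

function Get-RemoteSamEvents {
    # Pulls SAM restriction events from the System log so an admin can see which
    # clients were (or, in audit mode, would have been) refused.
    # ASSUMPTION: provider name and IDs (16965 = denied, 16968 = would-deny in audit
    # mode) follow Microsoft's documentation for this policy; check your build.
    param([int]$Hours = 24, [int[]]$Ids = @(16965, 16968))
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Directory-Services-SAM';
                 Id = $Ids; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

# Usage: see the current state, enable audit-only mode first, review, then enforce.
Get-RemoteSamPolicy | Format-List
Set-RemoteSamPolicy -AuditOnly | Format-List          # log-only, nothing blocked yet
Get-RemoteSamEvents -Hours 72 | Format-Table -AutoSize
# Set-RemoteSamPolicy -ExtraGroup 'Remote SAM Users'  # enforce, allowing BA plus one vetted group
```

Roll this out in audit-only mode first: legitimate scanners, backup agents and some management tools enumerate SAM remotely, and the 16968-style "would have been denied" events tell you which service accounts need to be in the allowed group before enforcement is switched on.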

Grady (@ItaiGrady) says the Windows 10 tool will help increase the cost and complexity of the first step in the offensive hacking kill chain.

"Once attackers have breached a single end-point, they need to discover their next targets within the victim’s corporate network, most notably privileged users.

"Local credentials, especially those of local admins, are a lucrative target for the attackers as they are less managed [in terms of] password complexity and change policy, and less monitored [with] no traffic and logs besides the specific computer.

"Querying the Windows Security Account Manager remotely via the SAM-Remote protocol against their victim’s domain machines allows the attackers to get all domain and local users with their group membership and map possible routes within the victim’s network."

Tools like Veris Group's BloodHound automate that network mapping, compounding the risk posed by exposed credentials.

Good samaritan: Admins okay, unauth users denied. Images: Microsoft.

SAMRi10 is not known to work on any platform other than Microsoft's tougher Windows 10 platform, which has about 22 percent market share.

The researchers have outlined their script's functionality and use in full, and encourage all security administrators to review it. ®


Biting the hand that feeds IT © 1998–2017