Lateral Movement Using SMB Session Enumeration

Biju Varghese
Published in AttivoTechBlogs, Mar 30, 2020

Many security professionals have heard of the SMB Session Enumeration technique. Red teams and real attackers use it frequently during engagements on the way to domain dominance. It is typically employed early in an intrusion, and the data it yields is reused throughout the rest of the attack cycle.

So, what makes this technique so popular?

From the attacker's perspective, the goals are to map the network, pick the next targets, and find the systems from which privileged users log in. Session enumeration answers much of this. Attackers perform it by calling the NetSessionEnum function (exposed by the Server Service RPC interface, srvsvc, over the IPC$ share) against a chosen target server. By default any authenticated domain user can call it remotely, and for every session the server holds it returns the client's name or IP address, how long the session has been active and idle, and the username that established it. MITRE ATT&CK places this under TA0007 (Discovery); the net session / NetSessionEnum call is listed under T1049, System Network Connections Discovery. Tools such as PsLoggedOn, PowerView's Get-NetSession, and BloodHound rely on this call.

The following image depicts an attacker's view after session enumeration has completed; the attacker uses this information to find the systems on which privileged users are logged on.

This article will discuss some typical methods adversaries use for Session Enumeration, the known prevention methods and why they are inadequate, and how deception plays a role in keeping attackers from exploiting the information gathered using this technique.

Session Enumeration Methods

File server implementations, whether Windows or other SMB/CIFS servers, have changed little over the years in this respect: SMB1, SMB2 and SMB3 servers all expose their session list through the srvsvc interface, so sessions and the users behind them can be enumerated regardless of dialect. One of the attacker's goals is therefore to identify these servers and point an enumeration tool at them.

Below are a few of the methods attackers use to conduct session enumeration from a compromised endpoint.

Method 1:

A widespread tactic is to query Domain Controllers (DCs) for open sessions. Identifying DCs is easy with built-in commands such as nltest.exe. Every domain-joined Windows endpoint connects to the SYSVOL share on a DC to download Group Policy settings, and each such connection leaves a session on the DC that NetSessionEnum will report.

The attacker can run the built-in command nltest /dsgetdc:<Domain Name> to locate a DC, then use a tool such as netsess.exe against the DC's IP address to enumerate its sessions. The output shows which user is connected from which computer.

In the example below, the attacker can see that “Administrator” is logged on to the system 10.16.3.58 and has an SMB session to 10.16.12.2.

The BloodHound tool can gather the same information. The following image shows all sessions for the different users in the domain.

An attacker can run these tools against an enterprise DC, enumerate every user who has an active session with the SYSVOL share, and use that information to move laterally in the network.
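To make Method 1 concrete, here is an added PowerShell example (not from the original article and not an Attivo tool) that locates the domain's DCs, calls NetSessionEnum against each one through a P/Invoke declaration, and keeps only sessions opened by a watch-list of privileged accounts. It assumes a domain-joined Windows host and an ordinary domain account; the default watch-list entry Administrator is an assumption. A return status of 5 (ERROR_ACCESS_DENIED) is reported separately, which is also how you verify that hardening such as Net Cease has taken effect on a server.

```powershell
# Added example: locate DCs and enumerate their SMB sessions with NetSessionEnum.
# Assumes a domain-joined Windows host; the watched account name is an assumption.
$NetApiSource = @'
using System;
using System.Runtime.InteropServices;

public static class NetApi32
{
    // SESSION_INFO_10 as documented for NetSessionEnum level 10
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SESSION_INFO_10
    {
        public string sesi10_cname;      // client computer name or IP address
        public string sesi10_username;   // account that established the session
        public uint   sesi10_time;       // seconds since the session was established
        public uint   sesi10_idle_time;  // seconds the session has been idle
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(
        string servername, string UncClientName, string username, int level,
        out IntPtr bufptr, int prefmaxlen, out int entriesread,
        out int totalentries, ref int resume_handle);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr Buffer);
}
'@
if (-not ('NetApi32' -as [type])) { Add-Type -TypeDefinition $NetApiSource }

function Get-SmbSession {
    # Returns one object per session held by $Server, or warns when the call is refused.
    param([Parameter(Mandatory)][string]$Server)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # prefmaxlen -1 = MAX_PREFERRED_LENGTH: let the server return every entry at once
    $rc = [NetApi32]::NetSessionEnum($Server, $null, $null, 10, [ref]$buf, -1,
                                     [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -eq 5) { Write-Warning "${Server}: access denied (this account may not enumerate sessions here)"; return }
    if ($rc -ne 0) { Write-Warning "${Server}: NetSessionEnum returned status $rc"; return }
    try {
        $type = [NetApi32+SESSION_INFO_10]
        $size = [System.Runtime.InteropServices.Marshal]::SizeOf($type)
        for ($i = 0; $i -lt $read; $i++) {
            $entry = [System.Runtime.InteropServices.Marshal]::PtrToStructure(
                [IntPtr]($buf.ToInt64() + ($i * $size)), $type)
            [pscustomobject]@{
                Server    = $Server
                Client    = $entry.sesi10_cname -replace '^\\+', ''   # strip leading backslashes
                User      = $entry.sesi10_username
                ActiveSec = $entry.sesi10_time
                IdleSec   = $entry.sesi10_idle_time
            }
        }
    }
    finally {
        if ($buf -ne [IntPtr]::Zero) { [void][NetApi32]::NetApiBufferFree($buf) }
    }
}

function Find-PrivilegedSession {
    # Enumerates every DC (the same answer nltest /dsgetdc: gives) and keeps the sessions
    # opened by watch-listed accounts: their Client field is the host an attacker targets next.
    param([string[]]$WatchUsers = @('Administrator'))
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
           ForEach-Object { $_.Name }
    foreach ($dc in $dcs) {
        Get-SmbSession -Server $dc | Where-Object { $WatchUsers -contains $_.User }
    }
}

Find-PrivilegedSession -WatchUsers 'Administrator' | Format-Table -AutoSize
```

Get-SmbSession works against any SMB server, not only DCs, so the same function can be pointed at the file servers found in Method 2. The access-denied branch is what you should see from a non-administrator account once a server has been hardened with Net Cease.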

Method 2:

Another common method is to query user profile attributes in Active Directory (profilePath, and similarly homeDirectory). Most enterprises store user profile data on a centralized file server, and once attackers identify that server they can enumerate sessions against it instead of the DC. Doing so also sidesteps threat analytics tools that only monitor DCs: an enumeration attempt against a file server, which those tools do not typically watch, goes unnoticed.

In the following image, the attacker first queries Active Directory for the user's profilePath attribute, then runs the same netsess.exe tool against the file server it points to.

There are several other ways to discover the file servers in an organization, including:

· Querying Active Directory for servers registered with a cifs/ SPN

· Examining the mapped drives and file shares on the compromised endpoint

· PowerView's Get-NetFileServer and Get-NetShare cmdlets

· PowerView's Invoke-UserHunter, run against a target list that excludes the DCs
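The profile-attribute step of Method 2 and the cifs/ SPN route from the list above can be combined into a single AD query. The following is an added example (my code, not the article's or PowerView's) that uses System.DirectoryServices to collect file server names from users' profilePath and homeDirectory attributes and from explicit cifs/ SPNs, then drops the DCs so that what remains are exactly the hosts a DC-only detection never sees. It assumes a domain-joined host and the default LDAP read access that domain users have.

```powershell
# Added example: build a list of candidate file servers from Active Directory.
# Assumes a domain-joined host with default domain-user LDAP access.
function Get-CandidateFileServer {
    param([switch]$IncludeDC)   # by default the DCs are removed from the list

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
                    [ADSI]"LDAP://$($rootDse.defaultNamingContext)")
    $searcher.PageSize = 1000   # page through large directories
    $hosts = New-Object 'System.Collections.Generic.HashSet[string]' `
                 -ArgumentList ([StringComparer]::OrdinalIgnoreCase)

    # 1. Users whose roaming profile or home directory lives on a UNC path
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(|(profilePath=*)(homeDirectory=*)))'
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('profilePath', 'homeDirectory'))
    foreach ($result in $searcher.FindAll()) {
        foreach ($attr in 'profilepath', 'homedirectory') {   # result keys are lower-case
            if (-not $result.Properties.Contains($attr)) { continue }
            foreach ($path in $result.Properties[$attr]) {
                # \\server\share\... -> server (short name, so FQDN and NetBIOS forms merge)
                if ($path -match '^\\\\([^\\]+)\\') { [void]$hosts.Add($Matches[1].Split('.')[0]) }
            }
        }
    }

    # 2. Hosts that registered an explicit cifs/ service principal name
    $searcher.Filter = '(servicePrincipalName=cifs/*)'
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    foreach ($result in $searcher.FindAll()) {
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            # cifs/host.example.local[:port] -> host
            if ($spn -match '^cifs/([^/:]+)') { [void]$hosts.Add($Matches[1].Split('.')[0]) }
        }
    }

    # 3. Remove the domain controllers: their sessions are what Method 1 already covers
    #    and the only thing DC-centric analytics watch.
    if (-not $IncludeDC) {
        [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
            ForEach-Object { [void]$hosts.Remove($_.Name.Split('.')[0]) }
    }
    $hosts | Sort-Object
}

Get-CandidateFileServer
```

Each name this returns is a target for the same NetSessionEnum call used against the DC; that is the point of the method, since an alert rule scoped to DCs will never fire on those servers.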

Known Detection and Prevention Methods

Although session enumeration is very commonly used, there is no easy way to prevent it. Most vendors offer only detection, such as the approaches listed below.

Threat Analytics Platform

Threat analytics products detect SMB session enumeration and other Active Directory reconnaissance against DCs and raise events.

Here is a sample alert from a Threat Analytic platform detecting SMB Session Enumeration.

Most threat analytics platforms generate alerts from network activity and do not correlate them to the endpoint or process that produced it. Because network behavioural systems cannot reliably tell legitimate enumeration from malicious enumeration, they raise many events and produce a high number of false positives. They also limit their coverage to DCs, so they do not address the file server methods described above.

SIEM Solution

Most SIEM solutions use User Behavior Analytics (UBA) to detect SMB session enumeration against DCs, alerting on log events forwarded from the DCs. These detections come mostly from Windows event logs, carry no context about the endpoint process that generated the traffic, and are prone to false positives.
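For the SIEM path, the DC-side evidence of a NetSessionEnum call is Security event 5145 (generated only when Audit Detailed File Share is enabled) recording access to the srvsvc named pipe on the IPC$ share, because that pipe is the RPC transport the call uses. The following added PowerShell (my example, not from the article or any SIEM vendor) pulls those events from a DC and summarises them per source address, which is roughly what a UBA rule works from. The threshold and time window are assumptions, and the output illustrates the limitation the text describes: the record names the source IP and account but says nothing about which process on that endpoint made the call.

```powershell
# Added example: summarise srvsvc pipe access (the RPC transport for NetSessionEnum)
# from Security event 5145 on a DC. Threshold and window are assumptions.
function Get-SrvsvcPipeAccess {
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($event in $events) {
        # Flatten the <Data Name="..."> elements of the event into a hashtable
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['ShareName'] -eq '\\*\IPC$' -and $data['RelativeTargetName'] -eq 'srvsvc') {
            [pscustomobject]@{
                Time    = $event.TimeCreated
                Source  = $data['IpAddress']          # endpoint address only: no process context
                Account = $data['SubjectUserName']
                Domain  = $data['SubjectDomainName']
            }
        }
    }
}

function Get-SuspiciousEnumerator {
    # Sources that touched srvsvc on the DC more than $Threshold times in the window.
    # Ordinary share browsing also goes through srvsvc, so busy workstations produce noise.
    param([string]$DomainController = $env:COMPUTERNAME, [int]$Threshold = 5, [int]$Hours = 1)
    Get-SrvsvcPipeAccess -DomainController $DomainController -Since (Get-Date).AddHours(-$Hours) |
        Group-Object Source |
        Where-Object { $_.Count -gt $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Source   = $_.Name
                Calls    = $_.Count
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join ','
                First    = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last     = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        }
}

Get-SuspiciousEnumerator -Threshold 5 -Hours 1 | Format-Table -AutoSize
```

Tuning the threshold trades missed single-shot enumerations against alerts on normal file browsing, and nothing in the event tells you whether netsess.exe, SharpHound or Explorer opened the pipe; that is the endpoint gap the rest of the article is about.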

Net Cease — Hardening Net Session Enumeration

Net Cease is an unsupported community PowerShell script that hardens servers against net session enumeration. It modifies the default permissions on the session enumeration interface (the SrvsvcSessionInfo security descriptor under the LanmanServer DefaultSecurity registry key) so that non-administrator users can no longer enumerate sessions, but the change has to be made on every DC.

The example below shows a DC whose Net Session Enumeration default permissions have been modified: enumerating SMB sessions against it returns an “Access Denied” error.

The script must be executed on each domain controller (and on any file server that should be protected the same way) to enable the protection. From an IT and DevOps perspective, deploying and managing this kind of change across the estate carries overhead.
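As an added illustration of what Net Cease changes (this is my approximation of its approach, not the Net Cease script, and it is not from the article): the permissions on the session list are a binary security descriptor stored in the SrvsvcSessionInfo value under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity. The first function dumps the current DACL so you can audit a server before and after; the second backs the value up, removes the Authenticated Users (S-1-5-11) entry, and re-grants the same rights to the Interactive, Service and Batch logon SIDs so local processes keep working. That re-grant is my understanding of Net Cease's behaviour and should be checked against the published script. Run it as a local administrator; the Server service must be restarted for the change to take effect.

```powershell
# Added example: inspect and harden the NetSessionEnum security descriptor.
# Approximates the Net Cease approach (assumption); run as a local administrator.
$SrvKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$SrvValue = 'SrvsvcSessionInfo'

function Get-SessionEnumAcl {
    # Lists who may call NetSessionEnum on this server.
    $bytes = (Get-ItemProperty -Path $SrvKey -Name $SrvValue).$SrvValue
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        [pscustomobject]@{
            Sid        = $sid.Value
            Account    = $(try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { '(unresolved)' })
            Type       = $ace.AceType
            AccessMask = '0x{0:X}' -f $ace.AccessMask
        }
    }
}

function Protect-SessionEnumAcl {
    # Removes Authenticated Users from the DACL; returns the path of the backup for rollback.
    param([switch]$RestartServerService)
    $bytes  = (Get-ItemProperty -Path $SrvKey -Name $SrvValue).$SrvValue
    $backup = Join-Path $env:ProgramData ('SrvsvcSessionInfo-{0:yyyyMMddHHmmss}.bin' -f (Get-Date))
    [System.IO.File]::WriteAllBytes($backup, $bytes)     # keep the original for rollback

    $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    $dacl = $sd.DiscretionaryAcl
    $authenticatedUsers = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')
    $mask = $null
    for ($i = $dacl.Count - 1; $i -ge 0; $i--) {          # iterate backwards: removal shifts indexes
        $ace = $dacl[$i]
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.SecurityIdentifier -eq $authenticatedUsers) {
            $mask = $ace.AccessMask                         # remember what Authenticated Users had
            $dacl.RemoveAce($i)
        }
    }
    if ($null -eq $mask) { Write-Host 'Authenticated Users already removed; nothing to change'; return $backup }

    # Re-grant the same rights to local logon types (assumption: mirrors Net Cease)
    foreach ($sidString in 'S-1-5-4', 'S-1-5-6', 'S-1-5-3') {   # Interactive, Service, Batch
        $ace = [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $mask, [System.Security.Principal.SecurityIdentifier]::new($sidString), $false, $null)
        $dacl.InsertAce($dacl.Count, $ace)
    }

    $out = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($out, 0)
    Set-ItemProperty -Path $SrvKey -Name $SrvValue -Value $out -Type Binary
    if ($RestartServerService) { Restart-Service -Name LanmanServer -Force }   # drops current SMB clients
    return $backup
}

Get-SessionEnumAcl | Format-Table -AutoSize        # audit first
# $backupFile = Protect-SessionEnumAcl -RestartServerService
# Get-SessionEnumAcl | Format-Table -AutoSize      # Authenticated Users should be gone
```

To roll back, write the backup bytes back with Set-ItemProperty -Type Binary and restart the Server service again. Because this is a single registry value, the same change applies to file servers as well as DCs, which is the part a DC-only deployment of Net Cease leaves open.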

Deploying deception to prevent session enumeration

Deception can play an essential role in preventing SMB Session Enumeration. Attivo Networks® offers the ADSecure solution, a component of its ThreatDefend® platform, which protects against SMB Session Enumeration without making any changes to the enterprise Active Directory infrastructure. If an attacker compromises an endpoint and enumerates SMB sessions against DCs or file servers, ADSecure obfuscates the real sessions and returns deceptive ones in their place. ADSecure also raises an event, as a threat analytics platform would, and additionally identifies the endpoint process that initiated the enumeration. That forensic detail from the compromised endpoint helps security teams identify the tools and methods the attacker used to enumerate SMB sessions, for further investigation and containment.

The following image is an example of an alert from the Attivo Networks® ADSecure solution in action when an attacker performs SMB Session enumeration from an endpoint.

The ADSecure solution also provides a detailed report to understand the attack method and tools the attacker used.

The Attivo Networks® platform also captures detailed forensic information from decoy systems that attackers have engaged.

Conclusion

Understanding the methods attackers use is critical to building good defenses. SMB Session Enumeration is a popular way for attackers to find where privileged users are logged on so that they can move laterally and escalate privileges in the network. Traditional detection and prevention solutions address this tactic, but they are not sufficient on their own. The Attivo Networks® ADSecure solution takes a different approach to protecting against SMB session enumeration, does so without changing the enterprise Active Directory, and complements existing security controls. For more information, please visit www.attivonetworks.com.
