December 5, 2016 By Douglas Bonderud 2 min read

Cybercriminals have moved beyond brute force. Rather than spinning up smash-and-grab attacks, many now infect single machines and then perform reconnaissance to prioritize their next network targets.

CFO put it simply: “The strategy of defending a perimeter to keep attackers out is no longer sufficient. Organizations instead need to assume that their network will be penetrated.” Malicious actors are biding their time, discovering what they can before stepping up their efforts.

But how do IT administrators detect and deflect recon attacks? A pair of Microsoft researchers developed a way to help IT departments stay safe, known as SAMRi10.

Flying Blind

Recon attacks are now a key part of cybercriminals’ threat chain. While infecting single machines without detection isn’t difficult, crashing randomly around corporate networks tends to attract attention. As a result, fraudsters developed ways to quietly map company connections and determine the most lucrative next step.

According to Bleeping Computer, Windows’ Security Account Manager (SAM), which contains all information about user accounts, makes this easier for many fraudsters. Authorized users can conduct Security Account Manager Remote (SAMR) queries to return information about local and domain users, aliases, memberships and other critical network data.

While computers separate from larger network domains are largely problem-free, since they only hold local user data, those attached to the corporate system at large can help point cybercriminals in the direction of sensitive or mission-critical information.

Since SAMR queries happen regularly in both Windows 10 and Windows Server 2016 environments, fraudsters can easily avoid red flags as long as they establish access on one PC. These queries under control of attackers give them eyes in every corner of the network but leave admins flying blind.

Good SAMRi10

Microsoft researchers Itai Grady and Tal Be’ery developed a counter-recon tool by the clever name of SAMRi10, pronounced “Samaritan,” to limit the reach of recon-minded attackers. As noted by the The Register, SAMRi10 is a PowerShell script that system admins can execute to limit the ability of users to perform SAMR queries.

The tool leverages a registry key present in Windows 10 and newer versions of Microsoft’s OS, HKLM/System/CurrentControlSet/Control/Lsa/RestrictRemoteSAM. This allows system administrators to restrict SAMR actions to admins only and create a separate user group if they need to authorize specific personnel who don’t have admin status.

So far, the tool has performed well against popular recon software such as PowerSploit and BloodHound, and the Microsoft team encouraged all security admins to consider reviewing the full documentation.

No Good Deed…

While Grady and Be’ery have certainly performed a good deed for Windows 10 users, it’s worth noting that SAMRi10 doesn’t work on any previous version of the OS, and Windows 10 has only 22 percent of the current market share. In other words, shutting down this recon pipeline doesn’t trip up attackers anywhere else.

But a recent Cyber Scoop article pointed to another way forward: The Department of Homeland Security (DHS) wants Silicon Valley companies to turn the tables on cyberattackers by developing deception techniques designed to confuse and frustrate any attempt at recon.

Observation is the new cybercriminal watchword. Tools such as SAMRi10 and a focus on taking the fight to shifty cyber spies, however, may help tip the scales in favor of IT security.

More from

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today