Audit sessions
The session auditing feature validates whether the user may call the method NetrSessionEnum on the target.
Enumerating net sessions on multiple targets helps malicious actors to map where privileged users are authenticating from. Through other vectors, these actors may compromise the users and gain further privileges in the domain.
The tool BloodHound leverages this to draw a map of where a user is authenticated to. See CollectionMethod, section "Session".
In 2016, Microsoft published a script named "Net Cease" dedicated to changing the registry key responsible for the privileges required to call the aforementioned method. Unfortunately, this script no longer appears to be officially available on Microsoft's website. This may be because, since Windows 10, session enumeration is no longer possible by default (for low-privileged users, that is). Because the registry key must be set to a binary value, which is awkward to write by hand, the script remains useful.
Fortunately, The Wayback Machine has archived the article with a functional download link, accessible here: Net Cease - Hardening Net Session Enumeration.
Please review the script before executing it in a production environment to ensure that it has not been tampered with.
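
A read-only way to inspect that binary value on a host, as an added example that is not part of this page's tool or of the Net Cease script. It assumes the value is `SrvsvcSessionInfo` under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity` (this page does not name the key); the function name `Get-SessionEnumAcl` and the list of "broad" SIDs are choices made for this example.

```powershell
# Decode the binary security descriptor that governs NetrSessionEnum and list its ACEs.
# Read-only: nothing is written to the registry. Run locally on the host being checked.
# Assumption: registry path and value name below (not named on the original page).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$name = 'SrvsvcSessionInfo'

# Well-known SIDs treated as "broad" for this check (example choice).
$broad = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
    'S-1-5-11' = 'Authenticated Users'
}

function Get-SessionEnumAcl {   # hypothetical helper name
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Warning "$name is not set under $key; nothing to decode."
        return
    }

    # The value is a self-relative security descriptor stored as REG_BINARY.
    [byte[]]$raw = $prop.$name
    $sd = New-Object System.Security.AccessControl.CommonSecurityDescriptor($false, $false, $raw, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier.Value
        [pscustomobject]@{
            Sid        = $sid
            KnownAs    = $broad[$sid]                       # empty when not in the list
            AceType    = $ace.AceType
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
            # An allow-ACE for a broad group means low-privileged users pass the check.
            Broad      = $broad.ContainsKey($sid) -and $ace.AceType -eq 'AccessAllowed'
        }
    }
}

$aces = @(Get-SessionEnumAcl)
$aces | Format-Table -AutoSize

if ($aces | Where-Object Broad) {
    Write-Output 'FINDING: a broad group is allowed to enumerate sessions on this host.'
} elseif ($aces.Count -gt 0) {
    Write-Output 'OK: no allow-ACE for Everyone, Anonymous Logon or Authenticated Users.'
}
```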