How does Microsoft's NetCease perform anti-network reconnaissance?

Microsoft security researchers recently introduced a new tool called NetCease that prevents network reconnaissance. Expert Judith Myerson explains how the tool can stop attackers.

Judith Myerson

Microsoft just released a new tool called "NetCease" for anti-network reconnaissance. What does NetCease do, and...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please log in.

You have exceeded the maximum character limit.

Please provide a Corporate Email Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

how important are anti-recon tools for protecting networks?

NetCease is a short PowerShell script for anti-network reconnaissance. It prevents attackers from looking for sensitive data after they get inside a network. Let's take a look at how the data is queried and how the script can stop the query.

An attacker uses the Net Session Enumeration (NetSessionEnum) method to discover a computer's name, IP address, the name of a user who has established a session with the domain controller or a server, and how long the session has been active or idle. After 90 minutes of scanning the network, the attacker may get shut out. However, that's too long; the data is already in the hands of the attacker who could use it to attack the network.

NetSessionEnum works after a user establishes the first session between a workstation and a server. An administrator must start server service before the user can successfully connect with it. One favorite approach attackers (and ethical hackers) use is a penetration testing tool like Bloodhound or Nmap, which automates their work of scanning the network's complex paths.

To protect the network, the administrator runs NetCease in the PowerShell. The NetCease script was created by two Microsoft security researchers; it changes a local Windows registry key that controls NetSessionEnum permissions. Permissions for the "Authenticated Users" group are replaced with the permissions for interactive, service and batch logon sessions. This means that access to private network information becomes restricted unless the individual is authenticated. The attacker pretending to be an authenticated user is, therefore, not permitted to use NetSessionEnum and can't perform reconnaissance on the network.

In addition, NetCease can alert network administrators and security managers of any unauthorized attempts to use NetSessionEnum.

Anti-network reconnaissance tools can stop attackers from collecting sensitive data after gaining a foothold in a network. Changing a Windows registry key, however, is more effective than an open source, anti-reconnaissance tool for protecting the network.

Next Steps

Read more on why enterprises must limit administrative access

Find out about data obfuscation techniques and best practices

Discover the security benefits of MAC address randomization

This was last published in December 2016

passive attack

active attack

Cring ransomware hits ICS through two-year-old bug

CyCognito turning tables by using botnets for good

Next Steps

Dig Deeper on IPv6 security and network protocols security

passive attack

active attack

Cring ransomware hits ICS through two-year-old bug

CyCognito turning tables by using botnets for good

Related Q&A from Judith Myerson

Site-to-site VPN security benefits and potential risks

Should I worry about the Constrained Application Protocol?

How can I protect my self-encrypting drives?