Anti-Reconnaissance Tool By Microsoft Researchers

Last updated: July 5, 2023

Microsoft researchers have released a new tool, "NetCease," to help security teams protect corporate networks from attacker reconnaissance.

NetCease was developed by Tal Be'ery and Itai Grady of Microsoft's ATA (Advanced Threat Analytics) research team. It is available on Microsoft's TechNet Gallery, but it is not an official tool. It is provided under the default license terms for "Software on Documentation Portals".

NetCease is a small PowerShell script that must be executed once on a domain controller, or on each server, to protect it from attacks. Because it is a script, its source code is also available.

During the reconnaissance phase of an attack, attackers collect information that allows them to move from a compromised device to other machines on the victim's network. Specifically, they need to identify the computers they access and their privileged users.

Once the target is identified, attackers can use the NetSessionEnum (NSE) function to obtain information about sessions created on domain controllers or on other servers. NSE can be executed by any authorized user and provides information such as the IP address and device name, the length of the session, and the username that created the session.
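To see who is allowed to call NetSessionEnum on a given host, a defender can read the access control list that governs it. The script below is an added example, not NetCease's own code; it assumes the permission is stored as a binary security descriptor in the `SrvsvcSessionInfo` registry value under the LanmanServer `DefaultSecurity` key, a location the article itself does not state.

```powershell
# Added example (not part of NetCease): audit who may enumerate SMB sessions
# on this host. Read-only; run from an elevated PowerShell prompt.
# Assumption: the NetSessionEnum permission is held in the registry value below.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$valueName = 'SrvsvcSessionInfo'
$authUsers = 'S-1-5-11'   # well-known SID: NT AUTHORITY\Authenticated Users

function Get-SessionEnumAcl {
    param([Parameter(Mandatory)][byte[]]$SecurityDescriptorBytes)

    # Parse the self-relative binary security descriptor stored in the registry.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor(
        $SecurityDescriptorBytes, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # Resolve the SID to a readable name where possible.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }

        [pscustomobject]@{
            Sid        = $sid.Value
            Account    = $name
            AceType    = $ace.AceType
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
        }
    }
}

$item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if (-not $item) {
    Write-Warning "$valueName was not found under $keyPath; nothing to parse."
    return
}

$aces = @(Get-SessionEnumAcl -SecurityDescriptorBytes $item.$valueName)
$aces | Format-Table -AutoSize

# An allow ACE for Authenticated Users means any logged-on domain account
# can query session information from this host.
$open = $aces | Where-Object { $_.Sid -eq $authUsers -and $_.AceType -eq 'AccessAllowed' }
if ($open) {
    Write-Output 'Authenticated Users hold an allow ACE: session enumeration is not restricted.'
} else {
    Write-Output 'No allow ACE for Authenticated Users on session enumeration.'
}
```

Running it before and after applying NetCease on a test server shows exactly which entries the hardening changes.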