Add user to LanmanServer SrvsvcSessionInfo DACL, allowing them to perform NetSessionEnum (e.g. NetSess, BloodHound)
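# based on NetCease: https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
# can be deployed on a per-host basis using this script - e.g. via something like SCCM
# or, once deployed to one host, can be deployed via GPO Registry preferences by copying the set registry value
# (lanmanserver still needs to be restarted when done this way)
# see: https://adsecurity.org/?p=3299 -> Disable Windows Legacy & Typically Unused Features -> Disable Net Session Enumeration (NetCease)
#
# Purpose: add one Allow ACE for a single principal to the DACL held in the
# SrvsvcSessionInfo registry value, so that principal may call NetSessionEnum
# (SRVSVC_SESSION_USER_INFO_GET) after NetCease has removed that right.
# This is a deliberate, scoped exception to the NetCease hardening: grant it to
# the specific account that needs it (e.g. the account a collector runs as),
# not to a broad group, and record the exception where the hardening is documented.
#
# Parameters:
#   -Account  DOMAIN\user to grant. Defaults to the original placeholder, so a
#             call with no arguments behaves as the script always has; the
#             placeholder cannot be translated to a SID and therefore stops the
#             script before anything is written.
#
# Requires: local Administrator (writes under HKLM and restarts the Server service).
# Side effects: rewrites the registry value in place and restarts lanmanserver,
#               which briefly drops SMB sessions on this host.
[CmdletBinding()]
param(
  [string]$Account = 'domain\user'
)

# Fail on the first error rather than continuing to the registry write / restart
# with a half-built descriptor.
$ErrorActionPreference = 'Stop'

# constants
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
$name = "SrvsvcSessionInfo"
$SRVSVC_SESSION_USER_INFO_GET = 0x00000001

# get DACL binary data from registry
$regKey = Get-Item -Path $key
$srvSvcSessionInfo = $regKey.GetValue($name, $null)
if ($null -eq $srvSvcSessionInfo) {
  # The value is absent if nothing (NetCease or otherwise) has populated it;
  # CommonSecurityDescriptor cannot be constructed from $null, so give a clear
  # message instead of a constructor binding error.
  throw "Registry value '$name' not found under $key; nothing to modify."
}

# convert binary to object
$csd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true,$false,$srvSvcSessionInfo,0

# get SID info for user and add an allow in DACL
# Translate throws if the account cannot be resolved, so an unknown or
# placeholder account never reaches the registry write below.
$user = New-Object System.Security.Principal.NTAccount($Account)
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
# AddAccess merges into an existing compatible ACE for the same SID where it can,
# so re-running the script for the same account does not pile up duplicate ACEs.
$csd.DiscretionaryAcl.AddAccess([System.Security.AccessControl.AccessControlType]::Allow, $sid, $SRVSVC_SESSION_USER_INFO_GET, 0, 0)

# convert object back to binary and save in registry
$data = New-Object -TypeName System.Byte[] -ArgumentList $csd.BinaryLength
$csd.GetBinaryForm($data, 0)
# -Type Binary makes the REG_BINARY kind explicit rather than relying on the
# existing value's type being preserved.
Set-ItemProperty -Path $key -Name $name -Value $data -Type Binary

# restart lanmanserver service to take effect
Restart-Service lanmanserver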