Last active May 27, 2021
Add user to LanmanServer SrvsvcSessionInfo DACL, allowing them to perform NetSessionEnum (e.g. NetSess, BloodHound)
# based on NetCease:
# can be deployed on a per-host basis using this script - e.g. via something like SCCM
# or, once deployed to one host, can be deployed via GPO Registry preferences by copying the set registry value
# (lanmanserver still needs to be restarted when done this way)
# see: -> Disable Windows Legacy & Typically Unused Features -> Disable Net Session Enumeration (NetCease)
# constants
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
$name = "SrvsvcSessionInfo"
# access right checked by the server service before answering NetSessionEnum (same value NetCease uses)
$SRVSVC_SESSION_USER_INFO_GET = 0x00000001
# get DACL binary data from registry
$regKey = Get-Item -Path $key
$srvSvcSessionInfo = $regKey.GetValue($name, $null)
# convert binary to object
$csd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true,$false, $srvSvcSessionInfo,0
# get SID info for user and add an allow in DACL
$user = New-Object System.Security.Principal.NTAccount('domain\user')
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$csd.DiscretionaryAcl.AddAccess([System.Security.AccessControl.AccessControlType]::Allow, $sid, $SRVSVC_SESSION_USER_INFO_GET,0,0)
# convert object back to binary and save in registry
$data = New-Object -TypeName System.Byte[] -ArgumentList $csd.BinaryLength
# serialise the updated security descriptor into the byte array (the array is empty until this call)
$csd.GetBinaryForm($data, 0)
Set-ItemProperty -Path $key -Name $name -Value $data
# restart lanmanserver service to take effect (note: this drops existing SMB sessions to the host)
Restart-Service lanmanserver
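Before and after applying a change like the one above, it is worth checking who actually holds the session-enumeration right on a host. The following is an added audit script, not part of the gist or of NetCease: it decodes the same `SrvsvcSessionInfo` value and lists every ACE in its DACL, flagging the ones whose access mask includes the `SRVSVC_SESSION_USER_INFO_GET` bit (0x1, the value NetCease uses; the bit name and the `CanEnumerateSessions` column are this example's own labels).

```powershell
# Added example: audit the LanmanServer SrvsvcSessionInfo DACL and report which
# principals are allowed (or denied) to call NetSessionEnum on this host.
$key  = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
$name = "SrvsvcSessionInfo"
# access right the server service checks for NetSessionEnum (value taken from NetCease)
$SRVSVC_SESSION_USER_INFO_GET = 0x00000001

# read the raw security descriptor bytes from the registry
$raw = (Get-Item -Path $key).GetValue($name, $null)
if ($null -eq $raw) { throw "Value '$name' not found under $key" }

# parse the self-relative binary form into a security descriptor object
$csd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor `
    -ArgumentList $true, $false, $raw, 0

foreach ($ace in $csd.DiscretionaryAcl) {
    # resolve the SID to an account name where the host can; keep the SID string otherwise
    try {
        $principal = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $principal = $ace.SecurityIdentifier.Value
    }

    [pscustomobject]@{
        AceType              = $ace.AceType                      # AccessAllowed / AccessDenied
        Principal            = $principal
        AccessMask           = ('0x{0:X8}' -f $ace.AccessMask)
        CanEnumerateSessions = (($ace.AccessMask -band $SRVSVC_SESSION_USER_INFO_GET) -ne 0)
    }
}
```

Run it in an elevated PowerShell session on the host; pipe the output to `Format-Table -AutoSize` or `Export-Csv` to compare the DACL across machines. On a host where NetCease has been applied you would expect `Authenticated Users` to no longer appear with `CanEnumerateSessions` set to `True`, while `Administrators`, `SYSTEM` and any account added with the script above do.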