@2XXE-SRA
Last active May 27, 2021
Add user to LanmanServer SrvsvcSessionInfo DACL, allowing them to perform NetSessionEnum (e.g. NetSess, BloodHound)
# based on NetCease: https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b
# can be deployed on a per-host basis using this script - e.g. via something like SCCM
# or, once deployed to one host, can be deployed via GPO Registry preferences by copying the set registry value
# (lanmanserver still needs to be restarted when done this way)
# see: https://adsecurity.org/?p=3299 -> Disable Windows Legacy & Typically Unused Features -> Disable Net Session Enumeration (NetCease)
# constants
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
$name = "SrvsvcSessionInfo"
$SRVSVC_SESSION_USER_INFO_GET = 0x00000001
# get DACL binary data from registry
$regKey = Get-Item -Path $key
$srvSvcSessionInfo = $regKey.GetValue($name, $null)
# convert binary to object
$csd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true,$false, $srvSvcSessionInfo,0
# get SID info for user (replace 'domain\user' with the target account) and add an allow ACE to the DACL
$user = New-Object System.Security.Principal.NTAccount('domain\user')
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$csd.DiscretionaryAcl.AddAccess([System.Security.AccessControl.AccessControlType]::Allow, $sid, $SRVSVC_SESSION_USER_INFO_GET,0,0)
# convert object back to binary and save in registry
$data = New-Object -TypeName System.Byte[] -ArgumentList $csd.BinaryLength
$csd.GetBinaryForm($data,0)
Set-ItemProperty -Path $key -Name $name -Value $data
# restart lanmanserver service to take effect
Restart-Service lanmanserver
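
To confirm the change, or to audit which principals can call NetSessionEnum on a host, the same registry value can be read back and decoded ACE by ACE. The PowerShell below is an added, read-only example and not part of the original gist; the helper name `Get-SessionEnumAce`, the `$broadSids` list and the sample SDDL string are assumptions constructed for illustration.

```powershell
# Added example (read-only): list the ACEs in SrvsvcSessionInfo and who holds the session-info bit.
$key  = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
$name = "SrvsvcSessionInfo"
$SRVSVC_SESSION_USER_INFO_GET = 0x00000001
# well-known broad SIDs: Everyone, Anonymous Logon, Authenticated Users
$broadSids = 'S-1-1-0', 'S-1-5-7', 'S-1-5-11'

function Get-SessionEnumAce {   # hypothetical helper name, not from the gist
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    # same binary-to-object conversion the script above uses
    $sd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true, $false, $Bytes, 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        # resolve the SID to a name where possible; keep the raw SID if it does not map
        try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $account = $sid.Value }
        [pscustomobject]@{
            Account    = $account
            Sid        = $sid.Value
            AceType    = $ace.AceType                      # AccessAllowed or AccessDenied
            AccessMask = '0x{0:X8}' -f $ace.AccessMask
            HasGetBit  = [bool]($ace.AccessMask -band $SRVSVC_SESSION_USER_INFO_GET)
            BroadGroup = $broadSids -contains $sid.Value   # worth reviewing when HasGetBit is set on an allow ACE
        }
    }
}

# Constructed sample DACL (not taken from a real host), built from SDDL so the
# function can be tried without touching the registry.
$sample = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true, $false, 'D:(A;;0x1;;;BA)(A;;0x1;;;AU)'
$sampleBytes = New-Object -TypeName System.Byte[] -ArgumentList $sample.BinaryLength
$sample.GetBinaryForm($sampleBytes, 0)
Get-SessionEnumAce -Bytes $sampleBytes | Format-Table -AutoSize

# Live host: decode the value the script above modifies (nothing is written).
$bytes = (Get-Item -Path $key).GetValue($name, $null)
if ($null -eq $bytes) {
    Write-Warning "$name not found under $key"
} else {
    Get-SessionEnumAce -Bytes $bytes | Format-Table -AutoSize
}
```

Running it before and after the gist's script shows the added account as a new `AccessAllowed` row with `HasGetBit` set.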