So with the new SMBv3 Remote Code Execution issues codenamed “SMBGhost”. SMBGhost is an issue where an attack could gain remote code execution by exploiting a bug in SMB compression. A temporary fix is disabling SMB compression on the server side using this registry key:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Microsoft has since released a patch (see this link for more info). We’ve decided to start monitoring SMB sessions on clients in any case. Normally speaking, no SMB sessions to a client should be open unless you are performing a remote installation using the ADMIN$ share. So it’s good practice to check if there are SMB sessions open and if so, where they are coming from. This is also a pretty cool trick to find who is hosting their own shares inside of your networks.
The Script
So its a fairly short script – it alerts on both currently opened sessions, and active SMB connections. There’s a difference between the both as you can connect to the IPC$ share, without having an active open session. In any case – I’d run this script every minute or less on all your workstations. Its quite lightweight and a great help to find bad actors in your environment.
$Sessions = Get-smbsession
$Connections = get-smbconnection
if ($sessions) {
foreach ($Session in $Sessions) {
write-host "a session has been found coming from $($Session.ClientComputerName). The logged on user is $($Session.ClientUserName) with $($Session.NumOpens) opened sessions"
}
}
else {
write-host "No sessions found"
}
if ($Connections) {
foreach ($Connection in $Connections) {
write-host "a Connection has been found on $($Connection.ServerName). The logged on user is $($Connection.Username) with $($Connection.NumOpens) opened sessions"
}
}
else {
write-host "No sessions found"
}
And that’s it! as always, Happy PowerShelling. 🙂