The script helps you hardening Net Session Enumeration.
You can also revert back the netcease by defining the "Revert" varible in script.
Eg:
Revert="YES" # reverts back the netcease
Run the script as "System user"
Revert="YES"
Revert=Revert.upper()
ps_content=r'''
param([switch]$Revert)
function IsAdministrator
{
param()
$currentUser = [Security.Principal.WindowsIdentity]::GetCurrent()
(New-Object Security.Principal.WindowsPrincipal($currentUser)).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
}
function BackupRegistryValue
{
param([string]$key, [string]$name)
$backup = $name+'Backup'
#Backup original Key value if needed
$regKey = Get-Item -Path $key
$backupValue = $regKey.GetValue($backup, $null)
$originalValue = $regKey.GetValue($name, $null)
if (($backupValue -eq $null) -and ($originalValue -ne $null))
{
Set-ItemProperty -Path $key -Name $backup -Value $originalValue
}
return $originalValue
}
function RevertChanges
{
param([string]$key,[string]$name)
$backup = $name+'Backup'
$regKey = Get-Item -Path $key
#Backup original Key value if needed
$backupValue = $regKey.GetValue($backup, $null)
Write-Host "Reverting changes..."
if ($backupValue -eq $null)
{
#Delete the value when no backed up value is found
Write-Host "Backup value is missing. cannot revert changes"
}
elseif ($backupValue -ne $null)
{
Write-Verbose "Backup value: $backupValue"
Set-ItemProperty -Path $key -Name $name -Value $backupValue
Remove-ItemProperty -Path $key -Name $backup
}
Write-Host "Revert completed"
}
if (-not (IsAdministrator))
{
Write-Host "This script requires administrative rights, please run as administrator."
exit
}
#NetSessionEnum SecurityDescriptor Registry Key
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity"
$name = "SrvsvcSessionInfo"
$SRVSVC_SESSION_USER_INFO_GET = 0x00000001
if ($Revert)
{
RevertChanges -key $key -name $name
Write-Host "In order for the reverting to take effect, please restart the Server service"
exit
}
#Backup original Key value if needed
$srvSvcSessionInfo = BackupRegistryValue -key $key -name $name
#Load the SecurityDescriptor
$csd = New-Object -TypeName System.Security.AccessControl.CommonSecurityDescriptor -ArgumentList $true,$false, $srvSvcSessionInfo,0
#Remove Authenticated Users Sid permission entry from its DiscretionaryAcl (DACL)
$authUsers = [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid
$authUsersSid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $authUsers, $null
$csd.DiscretionaryAcl.RemoveAccessSpecific([System.Security.AccessControl.AccessControlType]::Allow, $authUsersSid,$SRVSVC_SESSION_USER_INFO_GET, 0,0)
#Add Access Control Entry permission for Interactive Logon Sid
$wkt = [System.Security.Principal.WellKnownSidType]::InteractiveSid
$interactiveUsers = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $wkt, $null
$csd.DiscretionaryAcl.AddAccess([System.Security.AccessControl.AccessControlType]::Allow, $interactiveUsers, $SRVSVC_SESSION_USER_INFO_GET,0,0)
#Add Access Control Entry permission for Service Logon Sid
$wkt = [System.Security.Principal.WellKnownSidType]::ServiceSid
$serviceLogins = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $wkt, $null
$csd.DiscretionaryAcl.AddAccess([System.Security.AccessControl.AccessControlType]::Allow, $serviceLogins, $SRVSVC_SESSION_USER_INFO_GET,0,0)
#Add Access Control Entry permission for Batch Logon Sid
$wkt = [System.Security.Principal.WellKnownSidType]::BatchSid
$BatchLogins = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $wkt, $null
$csd.DiscretionaryAcl.AddAccess([System.Security.AccessControl.AccessControlType]::Allow, $BatchLogins, $SRVSVC_SESSION_USER_INFO_GET,0,0)
#Update the SecurityDescriptor in the Registry with the updated DACL
$data = New-Object -TypeName System.Byte[] -ArgumentList $csd.BinaryLength
$csd.GetBinaryForm($data,0)
Set-ItemProperty -Path $key -Name $name -Value $data
Write-Host "Permissions successfully updated"
Write-Host "In order for the hardening to take effect, please restart the Server service"
'''
import os
def ecmd(command):
import ctypes
from subprocess import PIPE, Popen
class disable_file_system_redirection:
_disable = ctypes.windll.kernel32.Wow64DisableWow64FsRedirection
_revert = ctypes.windll.kernel32.Wow64RevertWow64FsRedirection
def __enter__(self):
self.old_value = ctypes.c_long()
self.success = self._disable(ctypes.byref(self.old_value))
def __exit__(self, type, value, traceback):
if self.success:
self._revert(self.old_value)
with disable_file_system_redirection():
obj = Popen(command, shell = True, stdout = PIPE, stderr = PIPE)
out, err = obj.communicate()
ret=obj.returncode
if ret==0:
if out:
return out.strip()
else:
return ret
else:
if err:
return err.strip()
else:
return ret
file_name='powershell_file.ps1'
file_path=os.path.join(os.environ['TEMP'], file_name)
with open(file_path, 'wb') as wr:
wr.write(ps_content)
ecmd('powershell "Set-ExecutionPolicy RemoteSigned"')
if Revert=="YES":
print ecmd('powershell "%s" -revert'%file_path)
else:
print ecmd('powershell "%s"'%file_path)
os.remove(file_path)