So with the new SMBv3 Remote Code Execution issues codenamed “SMBGhost”. SMBGhost is an issue where an attack could gain remote code execution by exploiting a bug in SMB compression. A temporary fix is disabling SMB compression on the server side using this registry key:

1

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Microsoft has since released a patch (see this link for more info). We’ve decided to start monitoring SMB sessions on clients in any case. Normally speaking, no SMB sessions to a client should be open unless you are performing a remote installation using the ADMIN$ share. So it’s good practice to check if there are SMB sessions open and if so, where they are coming from. This is also a pretty cool trick to find who is hosting their own shares inside of your networks.

The Script

So its a fairly short script – it alerts on both currently opened sessions, and active SMB connections. There’s a difference between the both as you can connect to the IPC$ share, without having an active open session. In any case – I’d run this script every minute or less on all your workstations. Its quite lightweight and a great help to find bad actors in your environment.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

$Sessions = Get-smbsession
$Connections = get-smbconnection

if ($sessions) {
    foreach ($Session in $Sessions) {
        write-host "a session has been found coming from $($Session.ClientComputerName). The logged on user is $($Session.ClientUserName) with $($Session.NumOpens) opened sessions"
}
}
else {
write-host "No sessions found"
}

if ($Connections) {
    foreach ($Connection in $Connections) {
        write-host "a Connection has been found on $($Connection.ServerName). The logged on user is $($Connection.Username) with $($Connection.NumOpens) opened sessions"
}
}
else {
write-host "No sessions found"
}

And that’s it! as always, Happy PowerShelling. 🙂