
Check SMB signing required

Open Acebond opened this issue 4 months ago • 2 comments

PrivescCheck covers the majority of the host checks I'd perform except SMB signing, which is often useful to know, especially as there are a bunch of different and whacky (like https://github.com/nccgroup/Change-Lockscreen) ways to coerce a SYSTEM/user account to authenticate to a capture/relay server.

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing

I've written a reference implementation below. I reckon it should probably be in the -Extended category?

```powershell
function Get-SMBSigningStatus {
    # NOTE: The EnableSecuritySignature registry setting for SMB2+ client and SMB2+ server is ignored.
    # Therefore, this setting does nothing unless you're using SMB1. So we only care about RequireSecuritySignature.
    # https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing

    $SmbClientSettingsPath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters"
    $SmbServerSettingsPath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

    # Check if the client parameters key exists
    if (Test-Path $SmbClientSettingsPath) {
        # A missing RequireSecuritySignature value is treated like 0 (not required)
        $value = Get-ItemPropertyValue -Path $SmbClientSettingsPath -Name "RequireSecuritySignature" -ErrorAction SilentlyContinue
        $status = if ($value -eq 1) { "Required" } else { "NOT Required" }
        Write-Output "SMB Client signing is $status."
    } else {
        Write-Output "SMB Client signing settings not found"
    }

    # Check if the server parameters key exists
    if (Test-Path $SmbServerSettingsPath) {
        # A missing RequireSecuritySignature value is treated like 0 (not required)
        $value = Get-ItemPropertyValue -Path $SmbServerSettingsPath -Name "RequireSecuritySignature" -ErrorAction SilentlyContinue
        $status = if ($value -eq 1) { "Required" } else { "NOT Required" }
        Write-Output "SMB Server signing is $status."
    } else {
        Write-Output "SMB Server signing settings not found"
    }
}

Get-SMBSigningStatus
```

Acebond · Mar 03 '24 07:03
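A variant of the check above that returns objects instead of strings and, where the SmbShare module is present, cross-checks the registry against the live `Get-SmbClientConfiguration` / `Get-SmbServerConfiguration` output. This is an added example, not code from the issue or from PrivescCheck; the function name `Get-SmbSigningPolicy` and the output property names are my own choices.

```powershell
# Added example (not part of the issue or of PrivescCheck): report SMB signing
# policy as objects, read from the registry and cross-checked against the
# SmbShare cmdlets when they are available (Windows 8 / Server 2012 and later).
function Get-SmbSigningPolicy {
    [CmdletBinding()]
    param()

    $Roles = @(
        @{ Role = 'Client'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters'; Cmdlet = 'Get-SmbClientConfiguration' }
        @{ Role = 'Server'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Cmdlet = 'Get-SmbServerConfiguration' }
    )

    foreach ($R in $Roles) {
        # Registry view: only RequireSecuritySignature matters for SMB2+;
        # a missing value is equivalent to 0 (signing not required).
        $RegValue = $null
        if (Test-Path -Path $R.Path) {
            $RegValue = Get-ItemPropertyValue -Path $R.Path -Name 'RequireSecuritySignature' -ErrorAction SilentlyContinue
        }
        $RegRequired = ($RegValue -eq 1)

        # Live view via the SmbShare cmdlets. Stays $null when the cmdlet is
        # missing or fails (e.g. older hosts, or insufficient privileges).
        $LiveRequired = $null
        if (Get-Command -Name $R.Cmdlet -ErrorAction SilentlyContinue) {
            $Cfg = & $R.Cmdlet -ErrorAction SilentlyContinue
            if ($null -ne $Cfg) { $LiveRequired = [bool]$Cfg.RequireSecuritySignature }
        }

        # Signing not required on either side leaves the host exposed to relay;
        # a mismatch between the two views means the effective setting should be verified.
        $Finding = if ($RegRequired) { 'OK' } else { 'Signing not required' }
        if ($null -ne $LiveRequired -and $LiveRequired -ne $RegRequired) {
            $Finding += ' (registry and live configuration disagree; verify which is in effect)'
        }

        [PSCustomObject]@{
            Role             = $R.Role
            RegistryValue    = $RegValue
            RegistryRequired = $RegRequired
            LiveRequired     = $LiveRequired
            Finding          = $Finding
        }
    }
}

Get-SmbSigningPolicy | Format-Table -AutoSize
```

Object output lets the result be filtered or exported like other PrivescCheck findings (e.g. `Get-SmbSigningPolicy | Where-Object { -not $_.RegistryRequired }`).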