PrivescCheck
PrivescCheck copied to clipboard
Check SMB signing required
PrivescCheck covers the majority of the host checks I'd perform except SMB signing, which is often useful to know, especially as there are a bunch of different and whacky (like https://github.com/nccgroup/Change-Lockscreen) ways to coerce a SYSTEM/user account to authenticate to a capture/relay server.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
I've written a reference implementation below. I reckon it should probably be in the -Extended category?
function Get-SMBSigningStatus {
# NOTE: The EnableSecuritySignature registry setting for SMB2+ client and SMB2+ server is ignored.
# Therefore, this setting does nothing unless you're using SMB1. So we only care about RequireSecuritySignature.
# https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/overview-server-message-block-signing
$SmbClientSettingsPath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters"
$SmbServerSettingsPath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
# Check if the registry value exists
if (Test-Path $SmbClientSettingsPath) {
$value = Get-ItemPropertyValue -Path $SmbClientSettingsPath -Name "RequireSecuritySignature" -ErrorAction SilentlyContinue
$status = if ($value -eq 1) { "Required" } else { "NOT Required" }
Write-Output "SMB Client signing is $status."
} else {
Write-Output "SMB Client signing settings not found"
}
# Check if the registry value exists
if (Test-Path $SmbServerSettingsPath) {
$value = Get-ItemPropertyValue -Path $SmbServerSettingsPath -Name "RequireSecuritySignature" -ErrorAction SilentlyContinue
$status = if ($value -eq 1) { "Required" } else { "NOT Required" }
Write-Output "SMB Server signing is $status."
} else {
Write-Output "SMB Server signing settings not found"
}
}
Get-SMBSigningStatus