
Recently I had to find which clients in my domain are still making SMBv1 requests to our DCs. First of all, you'll need to enable SMBv1 access auditing on all your Domain Controllers by running the following PowerShell cmdlet:

```powershell
# Turn on auditing of SMB1 client access on this server (writes event ID 3000 to
# the Microsoft-Windows-SMBServer/Audit log). Note: Enable-WindowsOptionalFeature
# -FeatureName smb1protocol would enable the SMB1 protocol itself, not the audit.
Set-SmbServerConfiguration -AuditSmb1Access $true
```
You could loop this across all DCs to enable auditing on every one of them. Once auditing is enabled and you have waited long enough for events to accumulate, run the following script. It queries every DC for event ID 3000 and runs each message through a regular expression to extract the address of the client.

```powershell
$filter = @{
    ProviderName = 'Microsoft-Windows-SMBServer'
    ID           = 3000
    StartTime    = [datetime]::Today.AddDays(-70)
    EndTime      = [datetime]::Today
}

# Every domain controller in every domain of the current forest
$DCs = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
    ForEach-Object { $_.DomainControllers.Name }

foreach ($dc in $DCs) {
    # Get-WinEvent throws when no event matches the filter; suppress that so the loop continues
    $a = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    $result = @()
    foreach ($b in $a) {
        # The audit event body contains a line of the form "Client Address: <ip>"
        if ($b.Message -match "Client Address: \S+") {
            $c = $Matches[0]
            $c = $c -replace "Client Address: ", ""
            $result = $result + $c
        }
    }
    $IP = $result | Sort-Object | Get-Unique
    Write-Host "Destination:$dc Source:$IP "
}
```
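As an added example (not code from the original post), the same parsing step written as a function that returns one object per DC/client pair with a hit count and last-seen time, so the result can go to Export-Csv instead of one Write-Host string. The function name, the sample events and their message text are constructed here; the message layout assumes the audit event's "Client Address:" line that the post's regex relies on.

```powershell
function ConvertTo-Smb1ClientReport {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        # Objects with .Message and .TimeCreated, as returned by Get-WinEvent
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Events
    )
    $hits = foreach ($e in $Events) {
        # Capture only the address that follows "Client Address:"
        if ($e.Message -match 'Client Address:\s*(\S+)') {
            [pscustomobject]@{ Client = $Matches[1]; Time = $e.TimeCreated }
        }
    }
    $hits | Group-Object Client | ForEach-Object {
        [pscustomobject]@{
            DomainController = $DomainController
            ClientAddress    = $_.Name
            Hits             = $_.Count
            # Newest timestamp in the group (avoids Measure-Object, which rejects DateTime on older PowerShell)
            LastSeen         = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object Hits -Descending
}

# Constructed sample events standing in for Get-WinEvent output (placeholder addresses)
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10T08:00:00'
                       Message = "SMB1 access`r`n`r`nClient Address: 10.0.0.5`r`n`r`nGuidance: ..." }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-11T09:30:00'
                       Message = "SMB1 access`r`n`r`nClient Address: 10.0.0.5`r`n`r`nGuidance: ..." }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-09T22:15:00'
                       Message = "SMB1 access`r`n`r`nClient Address: 10.0.0.77`r`n`r`nGuidance: ..." }
    # An unrelated message with no client line is ignored
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-09T23:00:00'; Message = "Something else" }
)

ConvertTo-Smb1ClientReport -DomainController 'DC01' -Events $sample | Format-Table -AutoSize

# Real use: inside the post's foreach loop, replace $sample with
#   Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
# and pipe the combined output to Export-Csv.
```

On the sample above the function returns 10.0.0.5 with 2 hits (last seen 2024-01-11 09:30) and 10.0.0.77 with 1 hit.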