Find SMBv1 requests to the domain controllers

Recently I had to find all the clients in my domain that are still making SMBv1 requests to our DCs. First of all you'll need to enable SMB1 access auditing on all your Domain Controllers by running the following PowerShell cmdlet:

# Turns on auditing of SMB1 access; each SMB1 session is then logged as event ID 3000 in the Microsoft-Windows-SMBServer/Audit log
Set-SmbServerConfiguration -AuditSmb1Access $true

You could loop this through all DCs to enable auditing on all of them. Once auditing is enabled and you have waited long enough for the events to accumulate, run the following script. It queries every DC for event ID 3000 and runs each message through a regular expression to extract the name/IP of the client.

# Event ID 3000 (SMB1 access) from the SMB server provider, last 70 days
$filter = @{
    ProviderName = 'Microsoft-Windows-SMBServer'
    ID           = 3000
    StartTime    = [datetime]::Today.AddDays(-70)
    EndTime      = [datetime]::Today
}
# Every domain controller in every domain of the current forest
$DCs = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains | ForEach-Object { $_.DomainControllers.Name }
foreach ($dc in $DCs) {
    # -ErrorAction SilentlyContinue: a DC with no matching events otherwise raises "No events were found"
    $a = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    $result = @()
    foreach ($b in $a) {
        # The audit message names the caller on a line of the form "Client Address: <ip>"
        if ($b.Message -match "Client Address: \S+") {
            $c = $Matches[0]
            $c = $c -replace "Client Address: ", ""
            $result = $result + $c
        }
    }
    $IP = $result | Sort-Object | Get-Unique
    Write-Host "Destination:$dc Source:$($IP -join ', ')"
}
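As an added example that is not part of the original post, the functions below (their names are my own) first check that SMB1 access auditing is really on for a DC, then turn the event messages into one object per client with a request count and a best-effort reverse DNS name, which is easier to track and hand to the owners than a flat list of IPs. The sample messages are constructed in the shape of the event 3000 text; with live data pass the Message property of the events returned by Get-WinEvent.

```powershell
# Added example, not the original post's script. Function names are assumptions.

# Confirm auditing is actually enabled on a DC before trusting an empty result (needs WinRM).
function Test-Smb1AuditEnabled {
    param([Parameter(Mandatory)][string]$ComputerName)
    $cfg = Invoke-Command -ComputerName $ComputerName -ScriptBlock { Get-SmbServerConfiguration }
    return [bool]$cfg.AuditSmb1Access
}

# One object per client address: hit count plus a best-effort reverse DNS name.
function Get-Smb1ClientReport {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string[]]$Messages
    )
    $counts = @{}
    foreach ($m in $Messages) {
        # The audit message carries the caller on its own line: "Client Address: <ip>"
        if ($m -match 'Client Address:\s*(?<ip>\S+)') {
            $ip = $Matches['ip']
            $counts[$ip] = 1 + [int]$counts[$ip]   # [int]$null is 0 on first sight
        }
    }
    foreach ($ip in ($counts.Keys | Sort-Object)) {
        $name = '<unresolved>'
        try { $name = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { }
        [pscustomobject]@{
            DomainController = $DomainController
            ClientAddress    = $ip
            ClientName       = $name
            Smb1Requests     = $counts[$ip]
        }
    }
}

# Constructed sample messages in the shape of the event 3000 text. For live use:
#   $msgs = (Get-WinEvent -ComputerName $dc -FilterHashtable $filter).Message
$sample = @(
    "SMB1 access`r`n`r`nClient Address: 10.0.0.15`r`n`r`nGuidance:`r`nThis event indicates that a client attempted to access the server using SMB1.",
    "SMB1 access`r`n`r`nClient Address: 10.0.0.15`r`n`r`nGuidance:`r`nThis event indicates that a client attempted to access the server using SMB1.",
    "SMB1 access`r`n`r`nClient Address: 192.168.5.7`r`n`r`nGuidance:`r`nThis event indicates that a client attempted to access the server using SMB1."
)
Get-Smb1ClientReport -DomainController 'DC01' -Messages $sample | Format-Table -AutoSize
```

Pipe the objects to Export-Csv -NoTypeInformation to keep a per-DC inventory you can re-run and diff as clients get migrated off SMBv1.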
