From 03e50db10b65e87205ca59179accb14dd4158b8e Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Wed, 12 Jun 2024 15:52:21 -0500
Subject: [PATCH] Update PowerHuntShares.psm1
Updated the share similarity probability distribution weights.
---
 PowerHuntShares.psm1 | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/PowerHuntShares.psm1 b/PowerHuntShares.psm1
index b9ce956..2331e37 100644
--- a/PowerHuntShares.psm1
+++ b/PowerHuntShares.psm1
@@ -4,7 +4,7 @@
 #--------------------------------------
 # Author: Scott Sutherland, 2024 NetSPI
 # License: 3-clause BSD
-# Version: v1.57
+# Version: v1.58
 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
 function Invoke-HuntSMBShares
 {
@@ -1720,6 +1720,11 @@ function Invoke-HuntSMBShares
 # Get % the file group represents for the share
 $fgpercentage = [math]::Round($_.count/$ShareFolderGroupCount,4)
+ # If it's 30% or great flip the bit
+ if($fgpercentage -ge .3){
+ $SimularityCalOver30 = 1
+ }
+
 # If it's 50% or great flip the bit
 if($fgpercentage -ge .5){
 $SimularityCalc50P = 1
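Review bot: The new `$SimularityCalOver30 = 1` is only ever set in this hunk and never cleared, so unless the per-share reset that presumably exists for the sibling `$SimularityCalc50P` (outside the hunk) was also extended to the new flag, a share that once had a ≥30% file group leaves the flag at 1 for every share processed after it and inflates their similarity scores. Add `$SimularityCalOver30 = 0` next to wherever the 50% flag is initialized, before the file-group loop. The name also drops the "c" of the `SimularityCalc*` prefix used by every other flag (`$SimularityCalcOver30` would match); the same spelling is carried into the score calculation in the next hunk. The enclosing loop body starts and ends outside the hunk, and the comment wording `# If it's 30% or greater, set the flag` would read better than "great flip the bit".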
@@ -1738,21 +1743,25 @@ function Invoke-HuntSMBShares
 # Calculate combined similarity score
 # WeightFileGroup = 4
- # WeightFiftyP = 3
+ # Weightfg50 = 3
+ # Weightfg30 = 2
 # WeightFgOwnerAvg = 2
 # WeightCreate = 1
 # WeightLastMod = 1
 # condense into 0-1, low (0-.50), medium(.51-.80), high similary (.81-1)
 $SimularityCalcShareFgFinal = $SimularityCalcShareFg * 4 # File group ratio
- $SimularityCalc50PFinal = $SimularityCalc50P * 3 # A file group exists with 50% or more
+ $SimularityCalc50PFinal = $SimularityCalc50P * 3 # A file group exists that represent 50% or more of the fg population for the sharename
+ $SimularityCalOver30Final = $SimularityCalOver30 * 2 # A file group exists that represent 30% or more of the fg population for the sharename
+ # File coverage does any given file exist in all fg groups...or over 80%
+ # Create list of all filename, count, divide by the totalfg groups
 $SimularityCalcFGOwnerAvgFinal = $SimularityCalcFGOwnerAvg * 2 # Owner to share file group ratio average
 $SimularityCalcCreateDateFinal = $SimularityCalcCreateDate * 1 # Share to creation date ratio
 $SimularityCalcLastModDateFinal = $SimularityCalcLastModDate * 1 # Share to modification date ratio
- # Max is 4 + 3 + 2 + 1 + 1 = 11; Min is 0
- $SimilarityTotal = $SimularityCalcShareFgFinal + $SimularityCalc50PFinal + $SimularityCalcFGOwnerAvgFinal +$SimularityCalcCreateDateFinal + $SimularityCalcLastModDateFinal
- $SimilarityScore = $SimilarityTotal / 11
+ # Max is 4 + 3 + 2 + 2 + 1 + 1 = 13; Min is 0
+ $SimilarityTotal = $SimularityCalcShareFgFinal + $SimularityCalc50PFinal + $SimularityCalOver30Final + $SimularityCalcFGOwnerAvgFinal +$SimularityCalcCreateDateFinal + $SimularityCalcLastModDateFinal
+ $SimilarityScore = $SimilarityTotal / 13
 $SimilarityScoreP1 = [math]::round(($SimilarityScore.tostring("P") -replace('%','')))
 $SimilarityScoreP = "$SimilarityScoreP1%"
 If($SimilarityScore -gt .80){ $SimLevel = "High"}
@@ -1891,7 +1900,7 @@ function Invoke-HuntSMBShares
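Review bot: The weight table added here (`# Weightfg50 = 3`, `# Weightfg30 = 2`) presents the two file-group flags as independent contributions, but any share whose largest file group is at or above 50% also satisfies the ≥30% test in the previous hunk, so a majority file group actually contributes 3 + 2 = 5 of the 13 points while a 30–49% group contributes 2; the documented maximum of 13 is right, but the weighting is not what the table suggests, and the High/Medium/Low cut-offs on the 0–1 score were not re-examined for the new denominator. State this next to the table, e.g. `# Note: fg30 is always set when fg50 is set, so a majority group scores 3 + 2 = 5 of 13`, or make the 30% flag conditional on the 50% flag being clear if the intent was a tiered bonus. The two added comment lines about "file coverage" (`# File coverage does any given file exist in all fg groups...or over 80%`) describe a metric that has no code behind it in this hunk and should be marked `# TODO:` so a reader does not take it for an implemented input. The block is part of Invoke-HuntSMBShares, whose body starts and ends outside the hunk.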
- Normalized Ratio Details
+ Probability Distributions
@@ -1903,8 +1912,11 @@ function Invoke-HuntSMBShares
- + + + +
@@ -2114,7 +2126,7 @@ $NewHtmlReport = @"
 .stuff:hover{
 font-weight: normal;
- background-color:#555555;
+ background-color:#17405A;
 text-decoration: none;
 padding-top:5px;
 padding-bottom:5px;
@@ -2124,7 +2136,7 @@ $NewHtmlReport = @"
 .stuff:active {
 font-weight: normal;
- background-color:#5D5C5C;
+ background-color:#25648C;
 width:auto;
 padding-left: 15px;
 color: white;
@@ -3071,7 +3083,7 @@ $NewHtmlReport = @"
- +
FolderGroup: $SimularityCalcShareFgOwner: $SimularityCalcShareOwner
MajorityExists: $SimularityCalc50P30% FG: $SimularityCalOver30
50% FG: $SimularityCalc50P
Created: $SimularityCalcCreateDate