From 4b0b133d43440ad16ccc456a64a0b25d5dff9812 Mon Sep 17 00:00:00 2001 From: Scott Sutherland Date: Mon, 14 Oct 2024 16:04:53 -0500 Subject: [PATCH] Update PowerHuntShares.psm1 Fixed bugs. --- PowerHuntShares.psm1 | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/PowerHuntShares.psm1 b/PowerHuntShares.psm1 index 4f62cc7..7678699 100644 --- a/PowerHuntShares.psm1 +++ b/PowerHuntShares.psm1 @@ -4,7 +4,7 @@ #-------------------------------------- # Author: Scott Sutherland, 2024 NetSPI # License: 3-clause BSD -# Version: v1.175 +# Version: v1.176 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. function Invoke-HuntSMBShares { @@ -2206,7 +2206,7 @@ function Invoke-HuntSMBShares # Check for potential read based RCE conditions if(($_.ShareName -like 'c$') -or ($_.ShareName -like 'admin$') -or ($_.ShareName -like "*wwwroot*") -or ($_.ShareName -like "*inetpub*") -or ($_.ShareName -like 'c') -or ($_.ShareName -like 'c_share')) { - $ShareRowHasHighRisk = 1 + $ShareRowHasHighRisk = 1 }else{ $ShareRowHasHighRisk = 0 } @@ -2279,12 +2279,12 @@ function Invoke-HuntSMBShares # Set wieghts $RiskWeightRCE = 2 - $RiskWeightHR = 9 # Potential RCE - no write access + $RiskWeightHR = 16 # Known high risk Potential RCE - no write access - consider reverting to 9. $RiskWeightData = 8 $RiskWeightDataVolume = 1 $RiskWeightSecrets = 2 $RiskWeightSecretsVolume = 1 - $RiskWeightWrite = 4 + $RiskWeightWrite = 5 # consider reverting to 4 $RiskWeightRead = 3 $RiskWeightEmpty = -1 $RiskWeightStale = -1 
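Review bot: In the weights block of the third hunk, `$RiskWeightHR = 16` makes a share-name match alone contribute more than sensitive data and write access combined (`$RiskWeightData` 8 + `$RiskWeightWrite` 5 = 13), which may push name-only matches such as a share called `c` or `c_share` above shares with confirmed findings in the triage order. With the visible Medium band ending below 11, a name match also can no longer land in Low or Medium even when the empty and stale deductions both apply (16 - 2 = 14). The trailing remarks `consider reverting to 9` and `consider reverting to 4` leave the tuning decision open in the code; I would record the rationale instead, e.g. `# Name-based high-risk match (c$, admin$, wwwroot, inetpub); raised from 9 so these always exceed the Medium band`, or expose the weights as parameters. The function body continues outside the hunk, so the cut-offs above Medium are not visible here.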
@@ -2292,7 +2292,7 @@ function Invoke-HuntSMBShares # Calculate Risk Score $ShareNameRiskValue = 0 if($ShareRowHasRCE -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightRCE } # RCE - if($ShareRowHasHighRisk -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightHR } # Potential RCE + if($ShareRowHasHighRisk -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightHR } # Known high risk if($ShareRowCountInterestingData -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightData } # Potential Sensitive Data if($MySensitiveCount -gt 10){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightDataVolume } # Potential Sensitive Data Volume if($ShareRowCountInterestingSecrets -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightSecrets } # Potential Password Access @@ -2302,6 +2302,11 @@ function Invoke-HuntSMBShares if($ShareRowHasEmpty -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightEmpty } # Empty Folders if($ShareRowHasStale -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightStale } # Stake Folders + # Adjust for sub 0 if (shouldnt happen) + if($ShareNameRiskValue -lt 0){ + $ShareNameRiskValue = 1 + } + # Check risk level - Highest wins If($ShareNameRiskValue -le 4 ) { $RiskLevel = "Low"} If($ShareNameRiskValue -gt 4 -and $ShareNameRiskValue -lt 11 ) { $RiskLevel = "Medium"}
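Review bot: The new clamp in the last hunk sets a negative score to 1 rather than 0, so a share whose total came out at -1 or -2 ends up ranked above one that scored exactly 0. If the intent is only to floor the value, `$ShareNameRiskValue = 0` (or `$ShareNameRiskValue = [Math]::Max(0, $ShareNameRiskValue)`) keeps the ordering monotonic. The comment says this should not happen, but `$RiskWeightEmpty` and `$RiskWeightStale` are both -1, so a share carrying only those two flags would reach -2 unless the lines between the hunks always add a positive weight. Both 0 and 1 still map to Low under the visible `-le 4` check, so only the numeric ordering is affected. If 1 is deliberate, say so in the comment: `# Floor negative scores at 1 so every share keeps a non-zero risk value`.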