diff --git a/Scripts/Analyze-HuntSMBShares.ps1 b/Scripts/Analyze-HuntSMBShares.ps1 index f64f4c0..43f3f28 100644 --- a/Scripts/Analyze-HuntSMBShares.ps1 +++ b/Scripts/Analyze-HuntSMBShares.ps1 @@ -5,7 +5,7 @@ #-------------------------------------- # Author: Scott Sutherland, 2024 NetSPI # License: 3-clause BSD -# Version: v1.46 +# Version: v1.56 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. function Analyze-HuntSMBShares { @@ -1043,7 +1043,6 @@ function Analyze-HuntSMBShares #Write-Output " [*][$Time] - Summary report data generated." #Write-Output " [*][$Time] - $Top5ShareCountTotal of $AllAccessibleSharesCount ($DupPercent) shares are associated with the top $SampleSum share names." - # ---------------------------------------------------------------------- # Create Interesting Files Table # ---------------------------------------------------------------------- @@ -1310,123 +1309,6 @@ function Analyze-HuntSMBShares } | select | ForEach-Object { "'$_'" }) -join ", " $IFCategoryListCount = "[$IFCategoryList]" - - <# - - # Define list of words associated with sensitive data - $FileNamePatternsSecrets = $FileNamePatternsAll | where category -like "*Secret*" | select Keyword -ExpandProperty keyword - - # Define list of words associated with password files - $FileNamePatternsData = $FileNamePatternsAll | where category -like "*Sensitive*" | select Keyword -ExpandProperty keyword - - # Get a list of file names from each folder group for the target share name - $InterestingFilesAllFileNames = $ExcessiveSharePrivs | select FileList -Unique | foreach {$_.FileList -split "`r`n"} | Where-Object {$_ -ne ''} | foreach {$_.ToLower()}| select -Unique - - # Identify Secrets - $InterestingFilesAllSecrets = $FileNamePatternsSecrets | - foreach { - $TargetSecret = $_ - $InterestingFilesAllFileNames | - foreach { - if($_ -like "$TargetSecret"){ - - # return file name match - $_ - } - } - } - - # Create new secret files objects - $InterestingFilesAllSecretsObjects = $InterestingFilesAllSecrets | - foreach{ - - # Set target file - $TargetSecretFile = $_ - - # Filter for record with the target file - $TargetSecretMatches = $ExcessiveSharePrivs | where FileList -like "*$TargetSecretFile*" | select ComputerName,ShareName,SharePath -Unique - $TargetSecretMatches | - foreach { - - # Select the propertity and make new ones - $TargetSecretComputer = $_.ComputerName - $TargetSecretShareName = $_.ShareName - $TargetSecretSharePath = $_.SharePath - $TargetSecretUNCPath = "$TargetSecretSharePath\$TargetSecretFile" - $TargetSecretType = "Secrets" - - # Create updated object - $object = New-Object psobject - $object | add-member noteproperty ComputerName $TargetSecretComputer - $object | add-member noteproperty ShareName $TargetSecretShareName - $object | add-member noteproperty SharePath $TargetSecretSharePath - $object | add-member noteproperty UncPath $TargetSecretUNCPath - $object | add-member noteproperty FileName $TargetSecretFile - $object | add-member noteproperty DataType $TargetSecretType - - # Return object - $object - } - } | select ComputerName,ShareName,SharePath,UncPath,FileName,DataType -Unique - - # Identify Data - $InterestingFilesAllData = $FileNamePatternsData | - foreach { - $TargetSecret = $_ - $InterestingFilesAllFileNames | - foreach { - if($_ -like "$TargetSecret"){ - - # return file name match - $_ - } - } - } - - # Create new data files objects - $InterestingFilesAllDataObjects = $InterestingFilesAllData | - foreach{ - - # Set target file - $TargetSecretFile = $_ - - # Filter for record with the target file - $TargetSecretMatches = $ExcessiveSharePrivs | where FileList -like "*$TargetSecretFile*" | select ComputerName,ShareName,SharePath -Unique - $TargetSecretMatches | - foreach { - - # Select the propertity and make new ones - $TargetSecretComputer = $_.ComputerName - $TargetSecretShareName = $_.ShareName - $TargetSecretSharePath = $_.SharePath - $TargetSecretUNCPath = "$TargetSecretSharePath\$TargetSecretFile" - $TargetSecretType = "Sensitive" - - # Create updated object - $object = New-Object psobject - $object | add-member noteproperty ComputerName $TargetSecretComputer - $object | add-member noteproperty ShareName $TargetSecretShareName - $object | add-member noteproperty SharePath $TargetSecretSharePath - $object | add-member noteproperty UncPath $TargetSecretUNCPath - $object | add-member noteproperty FileName $TargetSecretFile - $object | add-member noteproperty DataType $TargetSecretType - - # Return object - $object - } - } | select ComputerName,ShareName,SharePath,UncPath,FileName,DataType -Unique - - # Combine objects - $InterestingFilesAllObjects = $InterestingFilesAllSecretsObjects + $InterestingFilesAllDataObjects - - - # Count objects - $InterestingFilesAllSecretsFullCount = $InterestingFilesAllSecretsObjects | measure | select count -ExpandProperty count - $InterestingFilesAllSecretsFullCountU = $InterestingFilesAllSecretsObjects | select FileName -Unique | measure | select count -ExpandProperty count - $InterestingFilesAllDataFullcount = $InterestingFilesAllDataObjects | measure | select count -ExpandProperty count - $InterestingFilesAllDataFullcountU = $InterestingFilesAllDataObjects | select FileName -Unique | measure | select count -ExpandProperty count - #> - # Outbout objects to file $InterestingFilesAllObjects | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Shares-Interesting-Files.csv" @@ -1638,13 +1520,13 @@ function Analyze-HuntSMBShares if($ShareRowHasWrite -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightWrite } # Write Access if($ShareRowHasRead -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightRead } # Read Access if($ShareRowHasEmpty -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightEmpty } # Empty Folders - if($ShareRowHasStale -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightStale } # Stake Folders + if($ShareRowHasStale -eq 1){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightStale } # Stake Folders - # Set Risk Score - If($ShareNameRiskValue -ge 11 ) { $RiskLevel = "High"} - If($ShareNameRiskValue -ge 20 ) { $RiskLevel = "Critical"} - If($ShareNameRiskValue -lt 11 ) { $RiskLevel = "Medium"} - If($ShareNameRiskValue -lt 4 ) { $RiskLevel = "Low"} + # Check risk level - Highest wins + If($ShareNameRiskValue -le 4 ) { $RiskLevel = "Low"} + If($ShareNameRiskValue -gt 4 -and $ShareNameRiskValue -lt 11 ) { $RiskLevel = "Medium"} + If($ShareNameRiskValue -ge 11 -and $ShareNameRiskValue -lt 20 ) { $RiskLevel = "High"} + If($ShareNameRiskValue -ge 20 ) { $RiskLevel = "Critical"} # Append new column to object $newObject = [PSCustomObject]@{ @@ -1695,7 +1577,108 @@ function Analyze-HuntSMBShares $RiskLevelCountLow = $ExcessiveSharePrivsFinal | where RiskLevel -eq 'Low' | measure | select count -ExpandProperty count $RiskLevelCountMedium = $ExcessiveSharePrivsFinal | where RiskLevel -eq 'Medium' | measure | select count -ExpandProperty count $RiskLevelCountHigh = $ExcessiveSharePrivsFinal | where RiskLevel -eq 'High' | measure | select count -ExpandProperty count - $RiskLevelCountCritical = $ExcessiveSharePrivsFinal | where RiskLevel -eq 'Critical' | measure | select count -ExpandProperty count + $RiskLevelCountCritical = $ExcessiveSharePrivsFinal | where RiskLevel -eq 'Critical' | measure | select count -ExpandProperty count + + # ---------------------------------------------------------------------- + # Create Computer Summary Information + # ---------------------------------------------------------------------- + # TBD + + + # ---------------------------------------------------------------------- + # Create Share Name Summary Information + # ---------------------------------------------------------------------- + + # Get unique share name count + $ShareNameChartCount = $ExcessiveSharePrivsFinal | where ShareName -ne "" | select ShareName -Unique | + foreach{ + if( ($_.sharename -ne 'SYSVOL') -and ($_.sharename -ne 'NETLOGON')) + { + $_ + } + } | measure | select count -ExpandProperty count + + # Get unique share count + $ShareNameChartCountUnique = $ExcessiveSharePrivsFinal | where ShareName -ne "" | + foreach{ + if( ($_.SharePath -notlike "\*SYSVOL") -and ($_.SharePath -notlike"\*NETLOGON")) + { + $_ + } + } | select SharePath -Unique | measure | select count -ExpandProperty count + + # Get share name severity + # Reivew ACLs for each share name, highest severity wins + $RiskLevelShareNameCountCritical = 0 + $RiskLevelShareNameCountHigh = 0 + $RiskLevelShareNameCountMedium = 0 + $RiskLevelShareNameCountLow = 0 + $ExcessiveSharePrivsFinal | where ShareName -ne "" | + foreach{ + + # filter out sysvol and netlogon + if( ($_.sharename -ne 'SYSVOL') -and ($_.sharename -ne 'NETLOGON')) + { + $_ + } + } | select ShareName -Unique | + foreach { + + # Set target share name + $TargetRiskShareName = $_.ShareName + + # Grab the risk level for the highest risk acl for the share name + $ShareNameTopACLRiskScore = $ExcessiveSharePrivsFinal | where ShareName -eq $TargetRiskShareName | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore + + # Check risk level - Highest wins + If($ShareNameTopACLRiskScore -le 4 ) { $RiskLevelShareNameResult = "Low"} + If($ShareNameTopACLRiskScore -gt 4 -and $ShareNameTopACLRiskScore -lt 11 ) { $RiskLevelShareNameResult = "Medium"} + If($ShareNameTopACLRiskScore -ge 11 -and $ShareNameTopACLRiskScore -lt 20 ) { $RiskLevelShareNameResult = "High"} + If($ShareNameTopACLRiskScore -ge 20 ) { $RiskLevelShareNameResult = "Critical"} + + # Increment counts + if($RiskLevelShareNameResult -eq "Low" ){$RiskLevelShareNameCountLow = $RiskLevelShareNameCountLow + 1} + if($RiskLevelShareNameResult -eq "Medium" ){$RiskLevelShareNameCountMedium = $RiskLevelShareNameCountMedium + 1} + if($RiskLevelShareNameResult -eq "High" ){$RiskLevelShareNameCountHigh = $RiskLevelShareNameCountHigh + 1} + if($RiskLevelShareNameResult -eq "Critical"){$RiskLevelShareNameCountCritical = $RiskLevelShareNameCountCritical + 1} + } + + # ---------------------------------------------------------------------- + # Create Folder Group Summary Information + # ---------------------------------------------------------------------- + $RiskLevelFolderGroupCountCritical = 0 + $RiskLevelFolderGroupCountHigh = 0 + $RiskLevelFolderGroupCountMedium = 0 + $RiskLevelFolderGroupCountLow = 0 + $FolderGroupChartCount = $ExcessiveSharePrivsFinal | select FileListGroup -Unique | measure | select count -ExpandProperty count # Unique folder group + $ExcessiveSharePrivsFinal | select FileListGroup -Unique | + foreach { + + # Set target share name + $TargetFileListGroup = $_.FileListGroup + + # Grab the risk level for the highest risk acl for the share name + $FileListGroupTopACLRiskScore = $ExcessiveSharePrivsFinal | where FileListGroup -eq $TargetFileListGroup | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore + + # Check risk level - Highest wins + If($FileListGroupTopACLRiskScore -le 4 ) { $RiskLevelFileListGroupResult = "Low"} + If($FileListGroupTopACLRiskScore -gt 4 -and $FileListGroupTopACLRiskScore -lt 11 ) { $RiskLevelFileListGroupResult = "Medium"} + If($FileListGroupTopACLRiskScore -ge 11 -and $FileListGroupTopACLRiskScore -lt 20 ) { $RiskLevelFileListGroupResult = "High"} + If($FileListGroupTopACLRiskScore -ge 20 ) { $RiskLevelFileListGroupResult = "Critical"} + + # Increment counts + if($RiskLevelFileListGroupResult -eq "Low" ){$RiskLevelFolderGroupCountLow = $RiskLevelFolderGroupCountLow + 1} + if($RiskLevelFileListGroupResult -eq "Medium" ){$RiskLevelFolderGroupCountMedium = $RiskLevelFolderGroupCountMedium + 1} + if($RiskLevelFileListGroupResult -eq "High" ){$RiskLevelFolderGroupCountHigh = $RiskLevelFolderGroupCountHigh + 1} + if($RiskLevelFileListGroupResult -eq "Critical"){$RiskLevelFolderGroupCountCritical = $RiskLevelFolderGroupCountCritical + 1} + } + + # select all interance + + # ---------------------------------------------------------------------- + # Create ACL Summary Information + # ---------------------------------------------------------------------- + # TBD # ---------------------------------------------------------------------- # Create Timeline Reports @@ -2622,107 +2605,58 @@ function Analyze-HuntSMBShares # Set default $ShareRowCountInteresting = "No" - # Check if interesting files - Secrets - # Files that may contain passwords, key, or other authentication tokens - $ShareRowInterestingFileListSecrets = "" - $ShareRowInterestingFileListSecretsCount = 0 - $ShareRowCountInterestingSecrets = "No" - - # Check for matches - $ShareRowInterestingFileListSecrets = foreach ($pattern in $FileNamePatternsSecrets) { - - # Parse the filenames for all shares with the target name into a list - # $FullFileListSim - define in above sections - - # Check if interesting file pattern matches the file name - $FullFileListSim | - foreach { - - # Reset exclude flag - $ExcludeThisFile = 0 + # Check if interesting files + # For each category generate count and list + $ShareNameInterestingFilesInsideHTML = "" + $ShareNameInterestingFilesOutsideHTML = "" + $FileNamePatternCategories | select Category -ExpandProperty Category | + foreach{ + + # Get category + $ShareNameCategoryName = $_ - # File to check - $CheckThisfileOut = $_ + # Get list of that sharename and category + $ShareNameCategoryFilesBase = $InterestingFilesAllObjects | Where ShareName -eq "$ShareName" | where Category -eq "$ShareNameCategoryName" | select FileName + $ShareNameCategoryFiles = $InterestingFilesAllObjects | Where ShareName -eq "$ShareName" | where Category -eq "$ShareNameCategoryName" | select FileName | ForEach-Object { $ASDF = $_.FileName; "$ASDF
" } | out-string - # Check if it should be excluded - $ImageFormats | - foreach{ - if($CheckThisfileOut -like "$_"){ - $ExcludeThisFile = 1 - } - } + # Get category count + $ShareNameCategoryFilesCount = $ShareNameCategoryFilesBase | measure | select count -expandproperty count - # Check if it matches pattern - if ($_ -like $pattern -and $ExcludeThisFile -eq 0) { - - # v1 add file name to link - "$_
" - - # v2 add hyperlinked sharepath that expands betwen the: file name %(count) - } + # Generate HTML with Category + if($ShareNameCategoryFilesCount -ne 0){ + $ShareNameInterestingFilesHTMLPrep = @" + +
+ $ShareNameCategoryFiles +
+"@ + # Add to code block + $ShareNameInterestingFilesInsideHTML = $ShareNameInterestingFilesInsideHTML + $ShareNameInterestingFilesHTMLPrep } - } - - $ShareRowInterestingFileListSecrets = $ShareRowInterestingFileListSecrets | select -Unique | sort + } - # Count number of interesting files and update status - $ShareRowInterestingFileListSecretsCount = $ShareRowInterestingFileListSecrets | select -Unique | sort | Measure | select count -ExpandProperty count - if( $ShareRowInterestingFileListSecretsCount -gt 0){ - $ShareRowCountInterestingSecrets = "Yes" - $ShareRowCountInteresting = "Yes" + # Get total for interesting files for target share name + $ShareNameInterestingFilesCount = $InterestingFilesAllObjects | Where ShareName -eq "$ShareName" | measure | select count -expandproperty count + if($ShareNameInterestingFilesCount -gt 0){ + $ShareRowCountInteresting = "Yes" + }else{ + $ShareRowCountInteresting = "No" } - # Check if interesting files - Sensitive Data - $ShareRowInterestingFileListData = "" - $ShareRowInterestingFileListDataCount = 0 - $ShareRowCountInterestingData = "No" + # Get secrets count + $ShareRowInterestingFileListSecretsCount = $InterestingFilesAllObjects | Where ShareName -eq "$ShareName" | Where Category -eq "Secret" | measure | select count -expandproperty count - # Check for matches - $ShareRowInterestingFileListData = foreach ($pattern in $FileNamePatternsData) { - - # Parse the filenames for all shares with the target name into a list - # $FullFileListSim - define in above sections - - # Check if interesting file pattern matches the file name - $FullFileListSim | - foreach { - - # Reset exclude flag - $ExcludeThisFile = 0 - - # File to check - $CheckThisfileOut = $_ - - # Check if it should be excluded - $ImageFormats | - foreach{ - if($CheckThisfileOut -like "$_"){ - $ExcludeThisFile = 1 - } - } - - if ($_ -like $pattern-and $ExcludeThisFile -eq 0) { - - - # v1 add file name to link - "$_
" - - # v2 add hyperlinked sharepath that expands betwen the: file name %(count) - } - } - } + # Get sensitive count + $ShareRowInterestingFileListDataCount = $InterestingFilesAllObjects | Where ShareName -eq "$ShareName" | Where Category -eq "Sensitive" | measure | select count -expandproperty count + + # Build final interesting file html for share names page + $ShareNameInterestingFilesOutsideHTML = @" + +
+ $ShareNameInterestingFilesInsideHTML +
+"@ - $ShareRowInterestingFileListData = $ShareRowInterestingFileListData | select -Unique | sort - - # Count number of interesting files and update status - $ShareRowInterestingFileListDataCount = $ShareRowInterestingFileListData | select -Unique | sort | Measure | select count -ExpandProperty count - if( $ShareRowInterestingFileListDataCount -gt 0){ - $ShareRowCountInterestingData = "Yes" - $ShareRowCountInteresting = "Yes" - } - - $ShareRowInterestingFileTotalCount = $ShareRowInterestingFileListDataCount + $ShareRowInterestingFileListSecretsCount - # Build coverage icon set $CoverageIcons = "" if($ShareRowHasHighRisk -eq "Yes"){ $CoverageIcons = $CoverageIcons + "
H
Highly Exploitable
 " } @@ -2742,66 +2676,20 @@ function Analyze-HuntSMBShares # Calculate Risk Level # ---------------------------------------------------------------------- - # Define Weights + # Grab the risk level for the highest risk acl for the share name + $ShareNameTopACLRiskScore = $ExcessiveSharePrivsFinal | where ShareName -eq $ShareName | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore - $RiskWeightRCE = 11 - - $RiskWeightData = 8 - $RiskWeightDataVolume = 1 - - $RiskWeightSecrets = 2 - $RiskWeightSecretsVolume = 1 - - $RiskWeightWrite = 4 - $RiskWeightRead = 3 - - $RiskWeightLargeVolume = 1 - $RiskWeightOfficeDocs = 1 # TBD; Placeholder - - $RiskWeightEmpty = -1 - $RiskWeightStale = -1 - - # Calculate Actual Value - $ShareNameRiskValue = 0 - if($ShareRowHasHighRisk -eq "Yes"){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightRCE } # Potential RCE - if($ShareRowCountInterestingData -eq "Yes"){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightData } # Potential Sensitive Data - if($ShareRowInterestingFileListDataCount -gt 10 ){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightDataVolume } # Potential Sensitive Data Volume - if($ShareRowCountInterestingSecrets -eq "Yes"){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightSecrets } # Potential Password Access - if($ShareRowInterestingFileListDataCount -gt 10 ){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightSecretsVolume } # Potential Sensitive Data Volume - if($ShareRowHasWrite -eq "Yes"){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightWrite } # Write Access - if($ShareRowHasRead -eq "Yes"){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightRead } # Read Access - if($SimularityFileCommonListTopNum -gt 100 ){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightLargeVolume } # Large number of common files - if($ShareRowHasEmpty -eq "Yes"){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightEmpty } # Empty Folders - if($ShareRowHasStale -eq "Yes"){ $ShareNameRiskValue = $ShareNameRiskValue + $RiskWeightStale } # Stake Folders - - # Set Risk Score - If($ShareNameRiskValue -ge 11 ) { $RiskLevel = "$ShareNameRiskValue High"} - If($ShareNameRiskValue -ge 20 ) { $RiskLevel = "$ShareNameRiskValue Very High"} - If($ShareNameRiskValue -lt 11 ) { $RiskLevel = "$ShareNameRiskValue Medium"} - If($ShareNameRiskValue -lt 4 ) { $RiskLevel = "$ShareNameRiskValue Low"} - - <# - # Determine Max Value - $ShareNameRiskMax = $RiskWeightRCE + - $RiskWeightData + - $RiskWeightDataVolume + - $RiskWeightSecrets + - $RiskWeightSecretsVolume + - $RiskWeightWrite + - $RiskWeightRead + - $RiskWeightLargeVolume - - # Calculate Score - $ShareNameRiskScore = $ShareNameRiskValue / $ShareNameRiskMax - $ShareNameRiskScoreP1 = [math]::round(($ShareNameRiskScore.tostring("P") -replace('%',''))) - $ShareNameRiskScoreP = "$ShareNameRiskScoreP1%" - - # Set Risk Score - If($ShareNameRiskScore -ge .80){ $RiskLevel = "$ShareNameRiskScoreP High"} - If($ShareNameRiskScore -ge .95){ $RiskLevel = "$ShareNameRiskScoreP Very High"} - If($ShareNameRiskScore -lt .80){ $RiskLevel = "$ShareNameRiskScoreP Medium"} - If($ShareNameRiskScore -lt .50){ $RiskLevel = "$ShareNameRiskScoreP Low"} - #> + # Check risk level - Highest wins + If($ShareNameTopACLRiskScore -le 4 ) { $RiskLevelShareNameResult = "Low"} + If($ShareNameTopACLRiskScore -gt 4 -and $ShareNameTopACLRiskScore -lt 11 ) { $RiskLevelShareNameResult = "Medium"} + If($ShareNameTopACLRiskScore -ge 11 -and $ShareNameTopACLRiskScore -lt 20 ) { $RiskLevelShareNameResult = "High"} + If($ShareNameTopACLRiskScore -ge 20 ) { $RiskLevelShareNameResult = "Critical"} + + # Set final risk level + if($RiskLevelShareNameResult -eq "Low" ){$RiskLevel = "$ShareNameTopACLRiskScore Low"} + if($RiskLevelShareNameResult -eq "Medium" ){$RiskLevel = "$ShareNameTopACLRiskScore Medium"} + if($RiskLevelShareNameResult -eq "High" ){$RiskLevel = "$ShareNameTopACLRiskScore High"} + if($RiskLevelShareNameResult -eq "Critical"){$RiskLevel = "$ShareNameTopACLRiskScore Critical"} # ---------------------------------------------------------------------- # Build UNC Path Lists @@ -3038,24 +2926,7 @@ function Analyze-HuntSMBShares - - -
- -
- - $ShareRowInterestingFileListSecrets -
- -
- - -
- - $ShareRowInterestingFileListData -
-
-
+ $ShareNameInterestingFilesOutsideHTML "@ @@ -4377,7 +4248,7 @@ input[type="checkbox"]:checked::before {
Interesting File Names Found
-
+


$InterestingFilesAllFilesCount @@ -4408,15 +4279,14 @@ input[type="checkbox"]:checked::before {
-
-
- -
Clear
-
-
Loading...
-
Export
+
+ +
Clear
+
+
+
Loading...
+ Export
-
@@ -5164,25 +5034,67 @@ Below is a summary of the exposure associated with each of those groups.
-

Share Names (Top $SampleSum)

+

Share Names (Top 100)

This section contains a list of the most common SMB share names. In some cases, shares with the exact same name may be related to a single application or process. This information can help identify the root cause associated with the excessive privileges and expedite remediation.
-
- -   Quick Filters - + + +
+ +
+ Shares Found +
+
+


+ + $ShareNameChartCountUnique +
($ShareNameChartCount unique share names found) +
+ +
+ +
+
+ Share Name Count by Risk Level +
+
+
+
+
+
+
+
+ + +
+
+ Exposed File Count by Category +
+
+
+
+
+
+
+
+ +
+ +
Quick Filters
+ -
Loading...
- -
-
+
+
+
Loading...
+ Export +
@@ -5291,14 +5203,54 @@ This section lists the most common share owners.
-

Folder Groups (Top $SampleSum)

+

Folder Groups (Top 100)

Folder groups are SMB shares that contain the exact same file listing. Each file group has been hashed so they can be quickly correlated. In some cases, shares with the exact same file listing may be related to a single application or process. This information can help identify the root cause associated with the excessive privileges and expedite remediation.
-
- -
Clear
+ +
+ +
+ Folder Groups Found +
+
+


+ + $FolderGroupChartCount +
+ +
+ +
+
+ Folder Group Count by Risk Level +
+
+
+
+
+
+
+
+ + + +
+
+ Exposed File Count by Category +
+
+
+
+
+
+
+
+ +
+ +
Clear
-
Loading...
- +

+
+
+
Loading...
+ Export
-
@@ -5783,7 +5737,183 @@ Invoke-HuntSMBShares -Threads 20 -RunSpaceTimeOut 10 -OutputDirectory c:\folder\