From 5be7eb3615ca21f0b88e6f92c70cf841838185aa Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Wed, 7 Aug 2024 13:17:21 -0500
Subject: [PATCH] Update Analyze-HuntSMBShares.ps1
Added risk level to folder group page.
---
 Scripts/Analyze-HuntSMBShares.ps1 | 51 ++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 18 deletions(-)
diff --git a/Scripts/Analyze-HuntSMBShares.ps1 b/Scripts/Analyze-HuntSMBShares.ps1
index 6a42cc2..cbec3c2 100644
--- a/Scripts/Analyze-HuntSMBShares.ps1
+++ b/Scripts/Analyze-HuntSMBShares.ps1
@@ -5,7 +5,7 @@
 #--------------------------------------
 # Author: Scott Sutherland, 2024 NetSPI
 # License: 3-clause BSD
-# Version: v1.63
+# Version: v1.64
 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
 function Analyze-HuntSMBShares
 {
@@ -1580,7 +1580,7 @@ function Analyze-HuntSMBShares
 $RiskLevelCountCritical = $ExcessiveSharePrivsFinal | where RiskLevel -eq 'Critical' | measure | select count -ExpandProperty count # ---------------------------------------------------------------------- - # Create Computer Insight Summary Information + # Create Computer Insight Summary Information & Table Rows # ---------------------------------------------------------------------- # Reset global computer risk levels
@@ -1606,7 +1606,7 @@ function Analyze-HuntSMBShares
 # Set target share name $TargetComputers = $_.ComputerName - # Grab the risk level for the highest risk acl for the share name + # Grab the risk level for the highest risk acl for the computer name $ComputersTopACLRiskScore = $ExcessiveSharePrivsFinal | where ComputerName -eq $TargetComputers | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore # Check risk level - Highest wins 
@@ -1901,7 +1901,7 @@ function Analyze-HuntSMBShares $SourceIps = (Get-NetIPAddress | where AddressState -like "*Pref*" | where AddressFamily -like "ipv4" | where ipaddress -notlike "127.0.0.1" | select IpAddress).ipaddress -join ("
") $SourceHost = (hostname) - # Get share list string list + # Get file group string list $CommonShareFileGroupTopString = $CommonShareFileGroupTop5 | foreach { $FileGroupName = $_.name @@ -1916,32 +1916,47 @@ function Analyze-HuntSMBShares $ThisFileShareNameList = $ExcessiveSharePrivs | where FileListGroup -eq $FileGroupName | select ShareName -unique -expandproperty sharename | foreach { "$_
"} $ThisFileShareNameListUniqueCount = $ThisFileShareNameList | measure | select count -ExpandProperty count $ShareFileShareUnc = $ExcessiveSharePrivs | where FileListGroup -eq $FileGroupName | select SharePath -unique -expandproperty SharePath | foreach { "$_
"} + + # Grab the risk level for the highest risk acl for the foldergroup + $FolderGroupsTopACLRiskScoreRow = $ExcessiveSharePrivsFinal | where FileListGroup -eq $FileGroupName | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore + + # Check risk level - Highest wins + If($FolderGroupsTopACLRiskScoreRow -le 4 ) { $RiskLevelFolderGroupResultRow = "Low"} + If($FolderGroupsTopACLRiskScoreRow -gt 4 -and $FolderGroupsTopACLRiskScoreRow -lt 11 ) { $RiskLevelFolderGroupResultRow = "Medium"} + If($FolderGroupsTopACLRiskScoreRow -ge 11 -and $FolderGroupsTopACLRiskScoreRow -lt 20 ) { $RiskLevelFolderGroupResultRow = "High"} + If($FolderGroupsTopACLRiskScoreRow -ge 20 ) { $RiskLevelFolderGroupResultRow = "Critical"} + + # Set risk level for row + $FileGroupNameRiskLevelRow = "$FolderGroupsTopACLRiskScoreRow $RiskLevelFolderGroupResultRow" + $ThisRow = @" +
$ThisFileShareNameList
+
$ShareFileShareUnc
- - $FileGroupName - - +
$ThisFileList
- - - $AclBarF - + + + $FileGroupNameRiskLevelRow + + + $FileGroupName + "@ $ThisRow @@ -5552,14 +5567,14 @@ Folder groups are SMB shares that contain the exact same file listing. Each file
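Review bot: `$RiskLevelFolderGroupResultRow` is never reset inside the per-group foreach, so the new If chain only assigns a label when one of the four score ranges matches; when `$FolderGroupsTopACLRiskScoreRow` comes back empty (no row in `$ExcessiveSharePrivsFinal` for that FileListGroup) the cell shows a blank score and either "Low" or the previous group's label, depending on how PowerShell compares `$null` against the thresholds. Initialising it just before the chain, `$RiskLevelFolderGroupResultRow = "Unknown"`, makes each iteration start clean and makes a missing score visible in the report instead of silently inheriting a rating. The share-name and UNC lists for the same row are built from `$ExcessiveSharePrivs` while the score is taken from `$ExcessiveSharePrivsFinal`; if those two collections can differ after filtering, the displayed score and the listed shares may not describe the same ACLs, which is worth confirming. The same four-threshold chain already exists for computers in the hunk at line 1606 and is now duplicated here, so a small helper that maps a numeric score to Low/Medium/High/Critical would keep the boundaries in one place. The enclosing foreach script block and the here-string it builds begin before this hunk.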
Loading...
Export - +
- - - - - + + + + +
Unique Share NamesShare CountFile GroupFile CountAffected ACLsUnique Share NamesShare CountFile CountRisk LevelFile Group