Tips-Of-Mine/PowerHuntShares
Tips-Of-Mine/PowerHuntShares
2
0
Fork 0
mirror of https://github.com/NetSPI/PowerHuntShares.git synced 2025-05-05 03:38:42 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update Analyze-HuntSMBShares.ps1

Browse Source 
Added risk level to folder group page.
This commit is contained in:
Scott Sutherland 2024-08-07 13:17:21 -05:00 committed by GitHub
parent b4d2ce4c23
commit 5be7eb3615
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 33 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
Scripts/Analyze-HuntSMBShares.ps1
View File

@ -5,7 +5,7 @@
#-------------------------------------- #--------------------------------------
# Author: Scott Sutherland, 2024 NetSPI # Author: Scott Sutherland, 2024 NetSPI
# License: 3-clause BSD # License: 3-clause BSD
# Version: v1.63 # Version: v1.64
# References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
function Analyze-HuntSMBShares function Analyze-HuntSMBShares
{ {
@ -1580,7 +1580,7 @@ function Analyze-HuntSMBShares
$RiskLevelCountCritical = $ExcessiveSharePrivsFinal | where RiskLevel -eq 'Critical' | measure | select count -ExpandProperty count $RiskLevelCountCritical = $ExcessiveSharePrivsFinal | where RiskLevel -eq 'Critical' | measure | select count -ExpandProperty count
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Create Computer Insight Summary Information # Create Computer Insight Summary Information & Table Rows
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Reset global computer risk levels # Reset global computer risk levels
@ -1606,7 +1606,7 @@ function Analyze-HuntSMBShares
# Set target share name # Set target share name
$TargetComputers = $_.ComputerName $TargetComputers = $_.ComputerName
# Grab the risk level for the highest risk acl for the share name # Grab the risk level for the highest risk acl for the computer name
$ComputersTopACLRiskScore = $ExcessiveSharePrivsFinal | where ComputerName -eq $TargetComputers | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore $ComputersTopACLRiskScore = $ExcessiveSharePrivsFinal | where ComputerName -eq $TargetComputers | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore
# Check risk level - Highest wins # Check risk level - Highest wins
@ -1901,7 +1901,7 @@ function Analyze-HuntSMBShares
$SourceIps = (Get-NetIPAddress | where AddressState -like "*Pref*" | where AddressFamily -like "ipv4" | where ipaddress -notlike "127.0.0.1" | select IpAddress).ipaddress -join ("<br>") $SourceIps = (Get-NetIPAddress | where AddressState -like "*Pref*" | where AddressFamily -like "ipv4" | where ipaddress -notlike "127.0.0.1" | select IpAddress).ipaddress -join ("<br>")
$SourceHost = (hostname) $SourceHost = (hostname)
# Get share list string list # Get file group string list
$CommonShareFileGroupTopString = $CommonShareFileGroupTop5 | $CommonShareFileGroupTopString = $CommonShareFileGroupTop5 |
foreach { foreach {
$FileGroupName = $_.name $FileGroupName = $_.name
@ -1916,32 +1916,47 @@ function Analyze-HuntSMBShares
$ThisFileShareNameList = $ExcessiveSharePrivs | where FileListGroup -eq $FileGroupName | select ShareName -unique -expandproperty sharename | foreach { "$_ <br>"} $ThisFileShareNameList = $ExcessiveSharePrivs | where FileListGroup -eq $FileGroupName | select ShareName -unique -expandproperty sharename | foreach { "$_ <br>"}
$ThisFileShareNameListUniqueCount = $ThisFileShareNameList | measure | select count -ExpandProperty count $ThisFileShareNameListUniqueCount = $ThisFileShareNameList | measure | select count -ExpandProperty count
$ShareFileShareUnc = $ExcessiveSharePrivs | where FileListGroup -eq $FileGroupName | select SharePath -unique -expandproperty SharePath | foreach { "$_ <br>"} $ShareFileShareUnc = $ExcessiveSharePrivs | where FileListGroup -eq $FileGroupName | select SharePath -unique -expandproperty SharePath | foreach { "$_ <br>"}
# Grab the risk level for the highest risk acl for the foldergroup
$FolderGroupsTopACLRiskScoreRow = $ExcessiveSharePrivsFinal | where FileListGroup -eq $FileGroupName | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore
# Check risk level - Highest wins
If($FolderGroupsTopACLRiskScoreRow -le 4 ) { $RiskLevelFolderGroupResultRow = "Low"}
If($FolderGroupsTopACLRiskScoreRow -gt 4 -and $FolderGroupsTopACLRiskScoreRow -lt 11 ) { $RiskLevelFolderGroupResultRow = "Medium"}
If($FolderGroupsTopACLRiskScoreRow -ge 11 -and $FolderGroupsTopACLRiskScoreRow -lt 20 ) { $RiskLevelFolderGroupResultRow = "High"}
If($FolderGroupsTopACLRiskScoreRow -ge 20 ) { $RiskLevelFolderGroupResultRow = "Critical"}
# Set risk level for row
$FileGroupNameRiskLevelRow = "$FolderGroupsTopACLRiskScoreRow $RiskLevelFolderGroupResultRow"
$ThisRow = @" $ThisRow = @"
<tr> <tr>
<td> <td>
<!-- Unique Share Count -->
<button class="collapsible">$ThisFileShareNameListUniqueCount</button> <button class="collapsible">$ThisFileShareNameListUniqueCount</button>
<div class="content" style="font-size:11px;width:100px;"> <div class="content" style="font-size:11px;width:100px;">
$ThisFileShareNameList $ThisFileShareNameList
</div> </div>
</td> </td>
<td> <td>
<!-- Total Share Count -->
<button class="collapsible">$ThisFileShareCount</button> <button class="collapsible">$ThisFileShareCount</button>
<div class="content" style="font-size:11px;width:100px;"> <div class="content" style="font-size:11px;width:100px;">
$ShareFileShareUnc $ShareFileShareUnc
</div> </div>
</td> </td>
<td> <td> <!-- File Count -->
$FileGroupName
</td>
<td>
<button class="collapsible"><span style="color:#CE112D;"></span>$ThisFileCount Files</button> <button class="collapsible"><span style="color:#CE112D;"></span>$ThisFileCount Files</button>
<div class="content" style="font-size:11px;width:100px;"> <div class="content" style="font-size:11px;width:100px;">
$ThisFileList $ThisFileList
</div> </div>
</td> </td>
<td> <td> <!-- Risk Level -->
$AclBarF $FileGroupNameRiskLevelRow
</td> </td>
<td> <!-- Folder Group Name -->
$FileGroupName
</td>
</tr> </tr>
"@ "@
$ThisRow $ThisRow
@ -5552,14 +5567,14 @@ Folder groups are SMB shares that contain the exact same file listing. Each file
<div id="filterCounterTwo" style="margin-top:5px;">Loading...</div> <div id="filterCounterTwo" style="margin-top:5px;">Loading...</div>
<a style="font-size:11; margin-top: 5px; margin-left: 5px;" href="#" onclick="extractAndDownloadCSV('foldergrouptable', 1)">Export</a> <a style="font-size:11; margin-top: 5px; margin-left: 5px;" href="#" onclick="extractAndDownloadCSV('foldergrouptable', 1)">Export</a>
</div> </div>
<table class="table table-striped table-hover tabledrop" id="foldergrouptable" style="width:95%"> <table class="table table-striped table-hover tabledrop" id="foldergrouptable" style="width:95%;">
<thead> <thead>
<tr> <tr>
<th onclick="sortTable('foldergrouptable',0,'number')" align="left">Unique Share Names</th> <th onclick="sortTable('foldergrouptable',0,'number')" align="left" style="cursor: pointer;">Unique Share Names</th>
<th onclick="sortTable('foldergrouptable',1,'number')" align="left">Share Count</th> <th onclick="sortTable('foldergrouptable',1,'number')" align="left" style="cursor: pointer;">Share Count</th>
<th onclick="sortTable('foldergrouptable',2,'alpha')" align="left">File Group</th> <th onclick="sortTable('foldergrouptable',2,'number')" align="left" style="cursor: pointer;">File Count</th>
<th onclick="sortTable('foldergrouptable',3,'number')" align="left">File Count</th> <th onclick="sortTable('foldergrouptable',3,'number')" align="left" style="cursor: pointer;">Risk Level</th>
<th onclick="sortTable('foldergrouptable',4,'number')" align="left">Affected ACLs</th> <th onclick="sortTable('foldergrouptable',4,'alpha')" align="left" style="cursor: pointer;">File Group</th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>