From 6b5bf17a7db4df386f6963d77e211da46cff0fd8 Mon Sep 17 00:00:00 2001 From: Scott Sutherland Date: Thu, 12 Sep 2024 09:41:51 -0500 Subject: [PATCH] Update Analyze-HuntSMBShares.ps1 Added new risk chart. --- Scripts/Analyze-HuntSMBShares.ps1 | 202 +++++++++++++++++++++--------- 1 file changed, 142 insertions(+), 60 deletions(-) diff --git a/Scripts/Analyze-HuntSMBShares.ps1 b/Scripts/Analyze-HuntSMBShares.ps1 index 7d868c9..25777fd 100644 --- a/Scripts/Analyze-HuntSMBShares.ps1 +++ b/Scripts/Analyze-HuntSMBShares.ps1 @@ -5,7 +5,7 @@ #-------------------------------------- # Author: Scott Sutherland, 2024 NetSPI # License: 3-clause BSD -# Version: v1.84 +# Version: v1.85 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. function Analyze-HuntSMBShares { 
@@ -1890,6 +1890,63 @@ function Analyze-HuntSMBShares $ComputerTableRows = $ComputerTableRows + $ComputerTableRow } + # ---------------------------------------------------------------------- + # Create Share Summary Information + # ---------------------------------------------------------------------- + + # Get share path count + $SharePathChartCount = $ExcessiveSharePrivsFinal | where SharePath -ne "" | + foreach{ + if( ($_.sharename -ne 'SYSVOL') -and ($_.sharename -ne 'NETLOGON')) + { + $_ + } + } | select SharePath -Unique | measure | select count -ExpandProperty count + + # Get share path severity + # Reivew ACLs for each share path, highest severity wins + $RiskLevelSharePathCountCritical = 0 + $RiskLevelSharePathCountHigh = 0 + $RiskLevelSharePathCountMedium = 0 + $RiskLevelSharePathCountLow = 0 + $ExcessiveSharePrivsFinal | where SharePath -ne "" | + foreach{ + + # filter out sysvol and netlogon + if( ($_.SharePath -ne 'SYSVOL') -and ($_.SharePath -ne 'NETLOGON')) + { + $_ + } + } | select SharePath -Unique | + foreach { + + # Set target share name + $TargetRiskSharePath = $_.SharePath + + # Grab the risk level for the highest risk acl for the share name + $SharePathTopACLRiskScore = $ExcessiveSharePrivsFinal | where SharePath -eq $TargetRiskSharePath | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore + + # Check risk level - Highest wins + If($SharePathTopACLRiskScore -le 4 ) { $RiskLevelSharePathResult = "Low"} + If($SharePathTopACLRiskScore -gt 4 -and $SharePathTopACLRiskScore -lt 11 ) { $RiskLevelSharePathResult = "Medium"} + If($SharePathTopACLRiskScore -ge 11 -and $SharePathTopACLRiskScore -lt 20 ) { $RiskLevelSharePathResult = "High"} + If($SharePathTopACLRiskScore -ge 20 ) { $RiskLevelSharePathResult = "Critical"} + + # Increment counts + if($RiskLevelSharePathResult -eq "Low" ){$RiskLevelSharePathCountLow = $RiskLevelSharePathCountLow + 1} + if($RiskLevelSharePathResult -eq "Medium" 
){$RiskLevelSharePathCountMedium = $RiskLevelSharePathCountMedium + 1} + if($RiskLevelSharePathResult -eq "High" ){$RiskLevelSharePathCountHigh = $RiskLevelSharePathCountHigh + 1} + if($RiskLevelSharePathResult -eq "Critical"){$RiskLevelSharePathCountCritical = $RiskLevelSharePathCountCritical + 1} + } + + # Counts + <# + $RiskLevelSharePathCountLow + $RiskLevelSharePathCountMedium + $RiskLevelSharePathCountHigh + $RiskLevelSharePathCountCritical + #> + # ---------------------------------------------------------------------- # Create Share Name Summary Information # ---------------------------------------------------------------------- @@ -5034,9 +5091,7 @@ input[type="checkbox"]:checked::before {
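Review bot: The severity loop excludes SYSVOL and NETLOGON with `$_.SharePath -ne 'SYSVOL'`, while the `$SharePathChartCount` pipeline directly above it filters on `$_.sharename`. If SharePath holds a full path rather than the bare share name (it appears to, since it is the per-share key), the second comparison never matches, so those shares are counted in the Low/Medium/High/Critical buckets and the buckets will not sum to `$SharePathChartCount`. Use the same property in both places: `if( ($_.ShareName -ne 'SYSVOL') -and ($_.ShareName -ne 'NETLOGON'))`. Separately, "highest severity wins" depends on `sort RiskScore -Descending` comparing numbers; if RiskScore can arrive as a string (for example from an imported CSV), sort with `sort {[int]$_.RiskScore} -Descending` instead. That needs confirming against how `$ExcessiveSharePrivsFinal` is built.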
- - - +
@@ -8980,7 +9035,6 @@ const ChartSharePageIFOptions = { } } }; - const ChartSharePageIF = new ApexCharts(document.querySelector("#ChartSharePageIF"), ChartSharePageIFOptions); ChartSharePageIF.render(); @@ -9064,7 +9118,7 @@ const ChartDashboardIFOptions = { }], chart: { type: 'bar', - height: 250 + height: 300 }, plotOptions: { bar: { 
@@ -9106,6 +9160,88 @@ const ChartDashboardIFOptions = { const ChartDashboardIF = new ApexCharts(document.querySelector("#ChartDashboardIF"), ChartDashboardIFOptions); ChartDashboardIF.render(); +// -------------------------- +// Dashboard Page: Risk Level chart +// -------------------------- + +// Set data series +var DataSeriesComputers = [$RiskLevelComputersCountLow, $RiskLevelComputersCountMedium, $RiskLevelComputersCountHigh, $RiskLevelComputersCountCritical]; +var DataSeriesShares = [$RiskLevelSharePathCountLow, $RiskLevelSharePathCountMedium, $RiskLevelSharePathCountHigh, $RiskLevelSharePathCountCritical]; +var DataSeriesACEs = [$RiskLevelCountLow, $RiskLevelCountMedium, $RiskLevelCountHigh,$RiskLevelCountCritical]; + +// Reverse each array +DataSeriesComputers.reverse(); +DataSeriesShares.reverse(); +DataSeriesACEs.reverse(); + +// Find max values +var maxComputer = Math.max(...DataSeriesComputers); +var maxShares = Math.max(...DataSeriesShares); +var maxACEs = Math.max(...DataSeriesACEs); +var maxValueOverall = Math.max(maxComputer, maxShares, maxACEs); + +// Initialize ApexCharts +const ChartDashboardRiskOptions = { + series: [{ + name: 'Computers', + data: DataSeriesComputers + //color: 'blue' // Set color for Computers series + },{ + name: 'Shares', + data: DataSeriesShares + //color: 'green' // Set color for Shares series + },{ + name: 'ACEs', + data: DataSeriesACEs + //color: 'red' // Set color for ACEs series + }], + chart: { + type: 'bar', + height: 300 + }, + plotOptions: { + bar: { + borderRadius: 0, + borderRadiusApplication: 'end', + horizontal: true, + barHeight: '90%', // Reduce bar height for more space + barGap: '0%', // Adds gap between bars in the same group + // barSpacing: 0.0 // Adds space between the groups (risk levels) + } + }, + colors: ['#DBDCD6', '#E4A628', '#07142A'], // Colors for the bars + dataLabels: { + enabled: true, + style: { + fontSize: '12px', + colors: ['#07142A', '#07142A', '#E4A628'] // colors for the lables #FF9965 
+ }, + offsetX: 0 + }, + grid: { + show: true, + opacity: 0.5 + }, + xaxis: { + categories: ['Critical','High','Medium','Low'], + max: maxValueOverall, + min: 0 + }, + title: { + text: 'Asset Count by Risk Level', + align: 'center', + margin: 10, + style: { + fontSize: '16px', + fontWeight: 'bold', + color: 'gray' + } + } +}; + +const ChartDashboardRisk = new ApexCharts(document.querySelector("#ChartDashboardRisk"), ChartDashboardRiskOptions); +ChartDashboardRisk.render(); + // -------------------------- // Dashboard Page: Chart - Remediation Prioritization // -------------------------- 
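Review bot: The three data arrays are built by expanding PowerShell variables into the JavaScript, and `maxValueOverall` is passed to `xaxis.max` with no guard. The `$RiskLevelSharePathCount*` values are initialised to 0 in this commit, but `$RiskLevelComputersCount*` is not set in any hunk shown here. If one of those expands to an empty string, the literal becomes `[, , , ]`, `Math.max(...)` returns NaN, and the axis maximum is NaN. A scan with no findings in any bucket also gives `max: 0` alongside `min: 0`, which leaves the axis with no range. A floor covers both cases: `var maxValueOverall = Math.max(1, maxComputer || 0, maxShares || 0, maxACEs || 0);`. The new declarations also use `var` where the surrounding chart code uses `const`.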
@@ -9308,60 +9444,6 @@ ChartDashboardIF.render(); var PeerCompareOptionschart = new ApexCharts(document.querySelector("#ChartDashboardPeerCompare"), PeerCompareOptions); PeerCompareOptionschart.render(); -// -------------------------- -// Dashboard Page: Risk Level chart -// -------------------------- - -// Initialize ApexCharts -const ChartDashboardRiskOptions = { - series: [{ - data: [$RiskLevelCountCritical, $RiskLevelCountHigh, $RiskLevelCountMedium, $RiskLevelCountLow] - }], - chart: { - type: 'bar', - height: 250 - }, - plotOptions: { - bar: { - borderRadius: 0, - borderRadiusApplication: 'end', - horizontal: true, - colors: { - backgroundBarColors: ['#e0e0e0'], - backgroundBarOpacity: 1, - ranges: [{ - from: 0, - to: 1000, - color: '#f08c41' - }] - } - } - }, - dataLabels: { - enabled: false - }, - grid: { - show: false - }, - xaxis: { - categories: ['Critical','High','Medium','Low'] - }, - title: { - text: 'ACE Count by Risk Level', - align: 'center', // Aligns the title, can be 'left', 'center', or 'right' - margin: 10, // Adjusts the space between the title and the chart - style: { - fontSize: '16px', - fontWeight: 'bold', - color: 'gray' - } - } -}; - -const ChartDashboardRisk = new ApexCharts(document.querySelector("#ChartDashboardRisk"), ChartDashboardRiskOptions); -ChartDashboardRisk.render(); - - // -------------------------- // Function to support collapsing and expanding sections // --------------------------