mirror of
https://github.com/NetSPI/PowerHuntShares.git
synced 2025-05-04 19:28:42 +02:00
Update PowerHuntShares.psm1
Added dynamic identification of peak share creation date ranges for top share names on top share name page. (alpha)
This commit is contained in:
Scott Sutherland
GitHub
parent
b58f3d65ce
commit
af6a9f9b1d
@ -4,7 +4,7 @@
|
||||
#--------------------------------------
|
||||
# Author: Scott Sutherland, 2024 NetSPI
|
||||
# License: 3-clause BSD
|
||||
# Version: v1.51
|
||||
# Version: v1.52
|
||||
# References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
|
||||
function Invoke-HuntSMBShares
|
||||
{
|
||||
@ -1547,6 +1547,7 @@ function Invoke-HuntSMBShares
|
||||
Write-Output " [*][$Time] - $ShareCount $ShareName"
|
||||
}
|
||||
Write-Output " [*] -----------------------------------------------"
|
||||
Write-Output " [*][$Time] - Generating HTML Report"
|
||||
|
||||
# ----------------------------------------------------------------------
|
||||
# Display final summary - NEW HTML REPORT
|
||||
@ -1670,8 +1671,7 @@ function Invoke-HuntSMBShares
|
||||
}
|
||||
|
||||
# ----
|
||||
# Calculate similarity here - Start
|
||||
# How do i deal with divid by 1...?
|
||||
# Calculate similarity here - START
|
||||
|
||||
# Calculate share to file group ratio: 0 to 1
|
||||
# min value = 0
|
||||
@ -1758,8 +1758,82 @@ function Invoke-HuntSMBShares
|
||||
If($SimilarityScore -lt .50){ $SimLevel = "Low"}
|
||||
|
||||
|
||||
# Calculate similarity here - End
|
||||
# Calculate similarity here - END
|
||||
# ----
|
||||
######
|
||||
# ----
|
||||
# Calculate peak event date range - START
|
||||
# Assumptions: a) if only two unique dates exist, then both will be included in the observation window.
|
||||
|
||||
# Count total number of events
|
||||
$ShareEventCountTotal = $ExcessivePrivileges | where sharename -eq "$ShareName" | select SharePath, CreationDate -unique | measure | select count -expandproperty count
|
||||
|
||||
# Identify the first event date
|
||||
$ShareEventFirst = $ExcessivePrivileges | where sharename -eq "$ShareName" | select SharePath, CreationDate -unique | foreach {[datetime]$_.CreationDate} | sort | select -first 1
|
||||
|
||||
# Identify the last event date
|
||||
$ShareEventLast = $ExcessivePrivileges | where sharename -eq "$ShareName" | select SharePath, CreationDate -unique | foreach {[datetime]$_.CreationDate} | sort -desc | select -first 1
|
||||
|
||||
# Determine total time between start and end of all events
|
||||
[timespan]$ShareEventTotalTime = $ShareEventLast - $ShareEventFirst
|
||||
|
||||
# Calculate the observation window date range based on the largest interval between events
|
||||
$ShareEventsSorted = $ExcessivePrivileges | where sharename -eq "$ShareName" | select SharePath, CreationDate -unique | foreach {[datetime]$_.CreationDate} | sort
|
||||
[timespan]$ObservationWindow = "00:00:00"
|
||||
$ShareEventsSorted |
|
||||
foreach {
|
||||
[timespan]$Diff = ($_ - $ShareEventFirst )
|
||||
if($ObservationWindow -lt $Diff){
|
||||
[timespan]$ObservationWindow = $Diff
|
||||
}
|
||||
}
|
||||
|
||||
# Set initial observation window start and end dates
|
||||
$ObservationWindowStartDate = $ShareEventFirst
|
||||
$ObservationWindowsEndDate = $ShareEventFirst + $ObservationWindow
|
||||
[datetime]$ObvWinnerFirst = '00:00:00'
|
||||
[datetime]$ObvWinnerLast = '00:00:00'
|
||||
$ObservationWindowRangecountWinner = 0
|
||||
$ObservationWindowsBiggest = 0
|
||||
$ObservationWindowsBiggestObject = ""
|
||||
if($ShareEventTotalTime.TotalMinutes -eq 0 -and $ObservationWindow.TotalMinutes -eq 0){
|
||||
$ObservationWindowInstanceCount = 0
|
||||
}else{
|
||||
$ObservationWindowInstanceCount = $ShareEventTotalTime.TotalMinutes / $ObservationWindow.TotalMinutes
|
||||
}
|
||||
|
||||
# Iterate through the observeration windows to identify the one with the greatest number of events
|
||||
1..$ObservationWindowInstanceCount |
|
||||
Foreach{
|
||||
|
||||
# Select range and get count
|
||||
$ObservationWindowRangecount = $ShareEventsSorted | Where-Object { $_ -ge $ObservationWindowStartDate -and $_ -le $ObservationWindowsEndDate} | measure | select count -expandproperty count
|
||||
|
||||
# Check if count is bigger than last, if so set tracker
|
||||
if($ObservationWindowsBiggest -le $ObservationWindowRangecount){
|
||||
|
||||
# Get window first date
|
||||
[datetime]$ObvWinnerFirst = $ShareEventsSorted | Where-Object { $_ -ge $ObservationWindowStartDate -and $_ -le $ObservationWindowsEndDate} | select -first 1
|
||||
|
||||
# Get window last date
|
||||
[datetime]$ObvWinnerLast = $ShareEventsSorted | Where-Object { $_ -ge $ObservationWindowStartDate -and $_ -le $ObservationWindowsEndDate} | sort -desc | select -first 1
|
||||
|
||||
$ObservationWindowRangecountWinner = $ObservationWindowRangecount
|
||||
|
||||
# Create object
|
||||
# $ObservationWindowsBiggestObject = [PSCustomObject]@{ TotalCount = $ShareEventCountTotal; WindowCount = $ObservationWindowRangecount; WindowFirstDate = [datetime]$ObvWinnerFirst; WindowLastDate = [datetime]$ObvWinnerLast}
|
||||
}
|
||||
|
||||
# Set $ObservationWindowStartDate to $ObservationWindowsEndDate
|
||||
$ObservationWindowStartDate = $ObservationWindowsEndDate
|
||||
|
||||
# Set $ObservationWindowsEndDate to $ObservationWindowsEndDate + $ObservationWindow
|
||||
$ObservationWindowsEndDate = $ObservationWindowsEndDate + $ObservationWindow
|
||||
}
|
||||
|
||||
# Calculate peak event date range - END
|
||||
# ----
|
||||
|
||||
|
||||
$ThisRow = @"
|
||||
<tr>
|
||||
@ -1786,6 +1860,28 @@ function Invoke-HuntSMBShares
|
||||
<td>Last Modified:</td>
|
||||
<td> $ShareLastModified</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<br><br>
|
||||
|
||||
<strong>Peak Window Details</strong><br>
|
||||
<table class="subtable">
|
||||
<tr id="ignore">
|
||||
<td>Total Share Instances:</td>
|
||||
<td> $ShareEventCountTotal</td>
|
||||
</tr>
|
||||
<tr id="ignore">
|
||||
<td>Peak Window Instances:</td>
|
||||
<td> $ObservationWindowRangecountWinner</td>
|
||||
</tr>
|
||||
<tr id="ignore">
|
||||
<td>Peak Window Start:</td>
|
||||
<td> $ObvWinnerFirst</td>
|
||||
</tr>
|
||||
<tr id="ignore">
|
||||
<td>Peak Window End:</td>
|
||||
<td> $ObvWinnerLast</td>
|
||||
</tr>
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
@ -4478,9 +4574,10 @@ $NewHtmlReport | Out-File "$OutputDirectoryBase\Summary-Report.html"
|
||||
# ----------------------------------------------------------------------
|
||||
# Generate Excessive Privilege Findings
|
||||
# ----------------------------------------------------------------------
|
||||
if($ExportFindings){
|
||||
|
||||
Write-Output " [*] Generating exccessive privileges export."
|
||||
if($ExportFindings){
|
||||
|
||||
$Time = Get-Date -UFormat "%m/%d/%Y %R"
|
||||
Write-Output " [*][$Time] - Generating exccessive privileges export."
|
||||
|
||||
# Define excessive priv fields
|
||||
$ExcessivePrivID = "M:2989294"
|
||||
@ -4605,7 +4702,8 @@ The 5 most common share names are:
|
||||
# ----------------------------------------------------------------------
|
||||
if($ExportFindings){
|
||||
|
||||
Write-Output " [*] Generating HIGH RISK exccessive privileges export."
|
||||
$Time = Get-Date -UFormat "%m/%d/%Y %R"
|
||||
Write-Output " [*][$Time] - Generating HIGH RISK exccessive privileges export."
|
||||
|
||||
# Define excessive priv fields
|
||||
$ExcessivehighRiskID = "MAN:M:e581ab69-a0fc-4cb1-a7ff-87256c1a9e91"
|
||||
@ -5589,8 +5687,7 @@ function Get-CardLastModified
|
||||
</div>
|
||||
'@
|
||||
|
||||
$HTMLEND
|
||||
|
||||
$HTMLEND
|
||||
}
|
||||
|
||||
# -------------------------------------------
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user