Tips-Of-Mine/PowerHuntShares
Tips-Of-Mine/PowerHuntShares
2
0
Fork 0
mirror of https://github.com/NetSPI/PowerHuntShares.git synced 2025-05-05 03:38:42 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update PowerHuntShares.psm1

Browse Source 
Added dynamic identification of peak share creation date ranges for top share names on top share name page. (alpha)
This commit is contained in:
Scott Sutherland 2024-06-05 17:34:40 -05:00 committed by GitHub
parent b58f3d65ce
commit af6a9f9b1d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 107 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
PowerHuntShares.psm1
View File

@ -4,7 +4,7 @@
#-------------------------------------- #--------------------------------------
# Author: Scott Sutherland, 2024 NetSPI # Author: Scott Sutherland, 2024 NetSPI
# License: 3-clause BSD # License: 3-clause BSD
# Version: v1.51 # Version: v1.52
# References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
function Invoke-HuntSMBShares function Invoke-HuntSMBShares
{ {
@ -1547,6 +1547,7 @@ function Invoke-HuntSMBShares
Write-Output " [*][$Time] - $ShareCount $ShareName" Write-Output " [*][$Time] - $ShareCount $ShareName"
} }
Write-Output " [*] -----------------------------------------------" Write-Output " [*] -----------------------------------------------"
Write-Output " [*][$Time] - Generating HTML Report"
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Display final summary - NEW HTML REPORT # Display final summary - NEW HTML REPORT
@ -1670,8 +1671,7 @@ function Invoke-HuntSMBShares
} }
# ---- # ----
# Calculate similarity here - Start # Calculate similarity here - START
# How do i deal with divid by 1...?
# Calculate share to file group ratio: 0 to 1 # Calculate share to file group ratio: 0 to 1
# min value = 0 # min value = 0
@ -1758,8 +1758,82 @@ function Invoke-HuntSMBShares
If($SimilarityScore -lt .50){ $SimLevel = "Low"} If($SimilarityScore -lt .50){ $SimLevel = "Low"}
# Calculate similarity here - End # Calculate similarity here - END
# ---- # ----
######
# ----
# Calculate peak event date range - START
# Assumptions: a) if only two unique dates exist, then both will be included in the observation window.
# Count total number of events
$ShareEventCountTotal = $ExcessivePrivileges | where sharename -eq "$ShareName" | select SharePath, CreationDate -unique | measure | select count -expandproperty count
# Identify the first event date
$ShareEventFirst = $ExcessivePrivileges | where sharename -eq "$ShareName" | select SharePath, CreationDate -unique | foreach {[datetime]$_.CreationDate} | sort | select -first 1
# Identify the last event date
$ShareEventLast = $ExcessivePrivileges | where sharename -eq "$ShareName" | select SharePath, CreationDate -unique | foreach {[datetime]$_.CreationDate} | sort -desc | select -first 1
# Determine total time between start and end of all events
[timespan]$ShareEventTotalTime = $ShareEventLast - $ShareEventFirst
# Calculate the observation window date range based on the largest interval between events
$ShareEventsSorted = $ExcessivePrivileges | where sharename -eq "$ShareName" | select SharePath, CreationDate -unique | foreach {[datetime]$_.CreationDate} | sort
[timespan]$ObservationWindow = "00:00:00"
$ShareEventsSorted |
foreach {
[timespan]$Diff = ($_ - $ShareEventFirst )
if($ObservationWindow -lt $Diff){
[timespan]$ObservationWindow = $Diff
}
}
# Set initial observation window start and end dates
$ObservationWindowStartDate = $ShareEventFirst
$ObservationWindowsEndDate = $ShareEventFirst + $ObservationWindow
[datetime]$ObvWinnerFirst = '00:00:00'
[datetime]$ObvWinnerLast = '00:00:00'
$ObservationWindowRangecountWinner = 0
$ObservationWindowsBiggest = 0
$ObservationWindowsBiggestObject = ""
if($ShareEventTotalTime.TotalMinutes -eq 0 -and $ObservationWindow.TotalMinutes -eq 0){
$ObservationWindowInstanceCount = 0
}else{
$ObservationWindowInstanceCount = $ShareEventTotalTime.TotalMinutes / $ObservationWindow.TotalMinutes
}
# Iterate through the observeration windows to identify the one with the greatest number of events
1..$ObservationWindowInstanceCount |
Foreach{
# Select range and get count
$ObservationWindowRangecount = $ShareEventsSorted | Where-Object { $_ -ge $ObservationWindowStartDate -and $_ -le $ObservationWindowsEndDate} | measure | select count -expandproperty count
# Check if count is bigger than last, if so set tracker
if($ObservationWindowsBiggest -le $ObservationWindowRangecount){
# Get window first date
[datetime]$ObvWinnerFirst = $ShareEventsSorted | Where-Object { $_ -ge $ObservationWindowStartDate -and $_ -le $ObservationWindowsEndDate} | select -first 1
# Get window last date
[datetime]$ObvWinnerLast = $ShareEventsSorted | Where-Object { $_ -ge $ObservationWindowStartDate -and $_ -le $ObservationWindowsEndDate} | sort -desc | select -first 1
$ObservationWindowRangecountWinner = $ObservationWindowRangecount
# Create object
# $ObservationWindowsBiggestObject = [PSCustomObject]@{ TotalCount = $ShareEventCountTotal; WindowCount = $ObservationWindowRangecount; WindowFirstDate = [datetime]$ObvWinnerFirst; WindowLastDate = [datetime]$ObvWinnerLast}
}
# Set $ObservationWindowStartDate to $ObservationWindowsEndDate
$ObservationWindowStartDate = $ObservationWindowsEndDate
# Set $ObservationWindowsEndDate to $ObservationWindowsEndDate + $ObservationWindow
$ObservationWindowsEndDate = $ObservationWindowsEndDate + $ObservationWindow
}
# Calculate peak event date range - END
# ----
$ThisRow = @" $ThisRow = @"
<tr> <tr>
@ -1786,6 +1860,28 @@ function Invoke-HuntSMBShares
<td>Last Modified:</td> <td>Last Modified:</td>
<td>&nbsp;$ShareLastModified</td> <td>&nbsp;$ShareLastModified</td>
</tr> </tr>
</table>
<br><br>
<strong>Peak Window Details</strong><br>
<table class="subtable">
<tr id="ignore">
<td>Total Share Instances:</td>
<td>&nbsp;$ShareEventCountTotal</td>
</tr>
<tr id="ignore">
<td>Peak Window Instances:</td>
<td>&nbsp;$ObservationWindowRangecountWinner</td>
</tr>
<tr id="ignore">
<td>Peak Window Start:</td>
<td>&nbsp;$ObvWinnerFirst</td>
</tr>
<tr id="ignore">
<td>Peak Window End:</td>
<td>&nbsp;$ObvWinnerLast</td>
</tr>
</table> </table>
</div> </div>
</div> </div>
@ -4478,9 +4574,10 @@ $NewHtmlReport | Out-File "$OutputDirectoryBase\Summary-Report.html"
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Generate Excessive Privilege Findings # Generate Excessive Privilege Findings
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
if($ExportFindings){ if($ExportFindings){
Write-Output " [*] Generating exccessive privileges export." $Time = Get-Date -UFormat "%m/%d/%Y %R"
Write-Output " [*][$Time] - Generating exccessive privileges export."
# Define excessive priv fields # Define excessive priv fields
$ExcessivePrivID = "M:2989294" $ExcessivePrivID = "M:2989294"
@ -4605,7 +4702,8 @@ The 5 most common share names are:
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
if($ExportFindings){ if($ExportFindings){
Write-Output " [*] Generating HIGH RISK exccessive privileges export." $Time = Get-Date -UFormat "%m/%d/%Y %R"
Write-Output " [*][$Time] - Generating HIGH RISK exccessive privileges export."
# Define excessive priv fields # Define excessive priv fields
$ExcessivehighRiskID = "MAN:M:e581ab69-a0fc-4cb1-a7ff-87256c1a9e91" $ExcessivehighRiskID = "MAN:M:e581ab69-a0fc-4cb1-a7ff-87256c1a9e91"
@ -5589,8 +5687,7 @@ function Get-CardLastModified
</div> </div>
'@ '@
$HTMLEND $HTMLEND
} }
# ------------------------------------------- # -------------------------------------------