diff --git a/PowerHuntShares.psm1 b/PowerHuntShares.psm1
index 4a3ed37..2497ebb 100644
--- a/PowerHuntShares.psm1
+++ b/PowerHuntShares.psm1
@@ -4,7 +4,7 @@
#--------------------------------------
# Author: Scott Sutherland, 2024 NetSPI
# License: 3-clause BSD
-# Version: v1.99
+# Version: v1.100
# References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
function Invoke-HuntSMBShares
{
@@ -2326,49 +2326,64 @@ function Invoke-HuntSMBShares
$SourceIps = (Get-NetIPAddress | where AddressState -like "*Pref*" | where AddressFamily -like "ipv4" | where ipaddress -notlike "127.0.0.1" | select IpAddress).ipaddress -join ("
")
$SourceHost = (hostname)
- # Get share list string list
+ # Get file group string list
$CommonShareFileGroupTopString = $CommonShareFileGroupTop5 |
foreach {
$FileGroupName = $_.name
$ThisFileBars = Get-GroupFileBar -DataTable $ExcessiveSharePrivs -Name $FileGroupName -AllComputerCount $ComputerCount -AllShareCount $AllSMBSharesCount -AllAclCount $ShareACLsCount
$ComputerBarF = $ThisFileBars.ComputerBar
$ShareBarF = $ThisFileBars.ShareBar
- $AclBarF = $ThisFileBars.AclBar
+ $AclBarF = $ThisFileBars.AclBar
$ThisFileListPrep = $ThisFileBars.FileList
$ThisFileList = $ThisFileListPrep -replace "`n", "
"
$ThisFileCount = $ThisFileBars.FileCount
$ThisFileShareCount = $ThisFileBars.Sharecount
$ThisFileShareNameList = $ExcessiveSharePrivs | where FileListGroup -eq $FileGroupName | select ShareName -unique -expandproperty sharename | foreach { "$_
"}
- $ThisFileShareNameListUniqueCount = $ThisFileShareNameList | measure | select count -ExpandProperty count
+ $ThisFileShareNameListUniqueCount = $ThisFileShareNameList | measure | select count -ExpandProperty count
$ShareFileShareUnc = $ExcessiveSharePrivs | where FileListGroup -eq $FileGroupName | select SharePath -unique -expandproperty SharePath | foreach { "$_
"}
+
+ # Grab the risk level for the highest risk acl for the foldergroup
+ $FolderGroupsTopACLRiskScoreRow = $ExcessiveSharePrivsFinal | where FileListGroup -eq $FileGroupName | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore
+
+ # Check risk level - Highest wins
+ If($FolderGroupsTopACLRiskScoreRow -le 4 ) { $RiskLevelFolderGroupResultRow = "Low"}
+ If($FolderGroupsTopACLRiskScoreRow -gt 4 -and $FolderGroupsTopACLRiskScoreRow -lt 11 ) { $RiskLevelFolderGroupResultRow = "Medium"}
+ If($FolderGroupsTopACLRiskScoreRow -ge 11 -and $FolderGroupsTopACLRiskScoreRow -lt 20 ) { $RiskLevelFolderGroupResultRow = "High"}
+ If($FolderGroupsTopACLRiskScoreRow -ge 20 ) { $RiskLevelFolderGroupResultRow = "Critical"}
+
+ # Set risk level for row
+ $FileGroupNameRiskLevelRow = "$FolderGroupsTopACLRiskScoreRow $RiskLevelFolderGroupResultRow"
+
$ThisRow = @"
|
+
$ThisFileShareNameList
|
+
$ShareFileShareUnc
|
-
- $FileGroupName
- |
-
+ |
$ThisFileList
- |
-
- $AclBarF
- |
+
+
+ $FileGroupNameRiskLevelRow
+ |
+
+ $FileGroupName
+ |
-"@
+"@
$ThisRow
}
@@ -6096,11 +6111,11 @@ Folder groups are SMB shares that contain the exact same file listing. Each file
- | Unique Share Names |
- Share Count |
- File Group |
- File Count |
- Affected ACLs |
+ Unique Share Names |
+ Share Count |
+ File Count |
+ Risk Level |
+ File Group |
@@ -6110,6 +6125,7 @@ Folder groups are SMB shares that contain the exact same file listing. Each file
+