From cbf425151088192eeaa4331f7ca724ec13131598 Mon Sep 17 00:00:00 2001 From: Scott Sutherland Date: Wed, 7 Aug 2024 13:17:56 -0500 Subject: [PATCH] Update PowerHuntShares.psm1 Added risk level to folder group page. --- PowerHuntShares.psm1 | 52 +++++++++++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/PowerHuntShares.psm1 b/PowerHuntShares.psm1 index 4a3ed37..2497ebb 100644 --- a/PowerHuntShares.psm1 +++ b/PowerHuntShares.psm1 @@ -4,7 +4,7 @@ #-------------------------------------- # Author: Scott Sutherland, 2024 NetSPI # License: 3-clause BSD -# Version: v1.99 +# Version: v1.100 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. function Invoke-HuntSMBShares { @@ -2326,49 +2326,64 @@ function Invoke-HuntSMBShares $SourceIps = (Get-NetIPAddress | where AddressState -like "*Pref*" | where AddressFamily -like "ipv4" | where ipaddress -notlike "127.0.0.1" | select IpAddress).ipaddress -join ("
") $SourceHost = (hostname) - # Get share list string list + # Get file group string list $CommonShareFileGroupTopString = $CommonShareFileGroupTop5 | foreach { $FileGroupName = $_.name $ThisFileBars = Get-GroupFileBar -DataTable $ExcessiveSharePrivs -Name $FileGroupName -AllComputerCount $ComputerCount -AllShareCount $AllSMBSharesCount -AllAclCount $ShareACLsCount $ComputerBarF = $ThisFileBars.ComputerBar $ShareBarF = $ThisFileBars.ShareBar - $AclBarF = $ThisFileBars.AclBar + $AclBarF = $ThisFileBars.AclBar $ThisFileListPrep = $ThisFileBars.FileList $ThisFileList = $ThisFileListPrep -replace "`n", "
" $ThisFileCount = $ThisFileBars.FileCount $ThisFileShareCount = $ThisFileBars.Sharecount $ThisFileShareNameList = $ExcessiveSharePrivs | where FileListGroup -eq $FileGroupName | select ShareName -unique -expandproperty sharename | foreach { "$_
"} - $ThisFileShareNameListUniqueCount = $ThisFileShareNameList | measure | select count -ExpandProperty count + $ThisFileShareNameListUniqueCount = $ThisFileShareNameList | measure | select count -ExpandProperty count $ShareFileShareUnc = $ExcessiveSharePrivs | where FileListGroup -eq $FileGroupName | select SharePath -unique -expandproperty SharePath | foreach { "$_
"} + + # Grab the risk level for the highest risk acl for the foldergroup + $FolderGroupsTopACLRiskScoreRow = $ExcessiveSharePrivsFinal | where FileListGroup -eq $FileGroupName | select RiskScore | sort RiskScore -Descending | select -First 1 | select RiskScore -ExpandProperty RiskScore + + # Check risk level - Highest wins + If($FolderGroupsTopACLRiskScoreRow -le 4 ) { $RiskLevelFolderGroupResultRow = "Low"} + If($FolderGroupsTopACLRiskScoreRow -gt 4 -and $FolderGroupsTopACLRiskScoreRow -lt 11 ) { $RiskLevelFolderGroupResultRow = "Medium"} + If($FolderGroupsTopACLRiskScoreRow -ge 11 -and $FolderGroupsTopACLRiskScoreRow -lt 20 ) { $RiskLevelFolderGroupResultRow = "High"} + If($FolderGroupsTopACLRiskScoreRow -ge 20 ) { $RiskLevelFolderGroupResultRow = "Critical"} + + # Set risk level for row + $FileGroupNameRiskLevelRow = "$FolderGroupsTopACLRiskScoreRow $RiskLevelFolderGroupResultRow" + $ThisRow = @" +
$ThisFileShareNameList
+
$ShareFileShareUnc
- - $FileGroupName - - +
$ThisFileList
- - - $AclBarF - + + + $FileGroupNameRiskLevelRow + + + $FileGroupName + -"@ +"@ $ThisRow } @@ -6096,11 +6111,11 @@ Folder groups are SMB shares that contain the exact same file listing. Each file - - - - - + + + + + @@ -6110,6 +6125,7 @@ Folder groups are SMB shares that contain the exact same file listing. Each file
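Review bot: A folder group with no matching row in `$ExcessiveSharePrivsFinal` is labelled "Low", because `$FolderGroupsTopACLRiskScoreRow` is then `$null` and `$null -le 4` evaluates to true in PowerShell. A missing score should be reported as missing rather than understated, e.g. `If($null -eq $FolderGroupsTopACLRiskScoreRow) { $RiskLevelFolderGroupResultRow = "Unknown" }` placed after the four threshold checks. The type of `RiskScore` is not visible in this hunk; if it is held as a string, `sort RiskScore -Descending` and the `-le`/`-ge` tests compare lexically (so "9" outranks "20"). In that case `sort { [int]$_.RiskScore } -Descending`, plus an `[int]` cast on the result once the null case is handled, would make "Highest wins" hold. The new lookup also reads `$ExcessiveSharePrivsFinal` while the neighbouring lookups in the same block read `$ExcessiveSharePrivs`; both are defined outside the hunk, so it is worth confirming they carry the same `FileListGroup` values.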
+
Unique Share NamesShare CountFile GroupFile CountAffected ACLsUnique Share NamesShare CountFile CountRisk LevelFile Group