Tips-Of-Mine/PowerHuntShares
Tips-Of-Mine/PowerHuntShares
2
0
Fork 0
mirror of https://github.com/NetSPI/PowerHuntShares.git synced 2025-05-05 11:48:40 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update PowerHuntShares.psm1

Browse Source
This commit is contained in:
Scott Sutherland 2022-04-07 09:25:26 -05:00 committed by GitHub
parent 7f79621713
commit cf215ec25f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 71 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
PowerHuntShares.psm1
View File

@ -4,7 +4,7 @@
#-------------------------------------- #--------------------------------------
# Author: Scott Sutherland, 2022 NetSPI # Author: Scott Sutherland, 2022 NetSPI
# License: 3-clause BSD # License: 3-clause BSD
# Version: v1.16 # Version: v1.18
# dont use ping filter for 445, add custom user group option, and potentially identify groups that have large 20% of domain user members (make this configrable) # dont use ping filter for 445, add custom user group option, and potentially identify groups that have large 20% of domain user members (make this configrable)
# References: This script includes code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. # References: This script includes code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
function Invoke-HuntSMBShares function Invoke-HuntSMBShares
@ -1024,6 +1024,73 @@ function Invoke-HuntSMBShares
$Time = Get-Date -UFormat "%m/%d/%Y %R" $Time = Get-Date -UFormat "%m/%d/%Y %R"
Write-Output " [*][$Time] - Identified shares modified in last $LastModDays days." Write-Output " [*][$Time] - Identified shares modified in last $LastModDays days."
# ----------------------------------------------------------------------
# Identify affected subnets
# ----------------------------------------------------------------------
# Get list of Subnets
$Subnets = $ExcessiveSharePrivs | Select IPAddress -Unique |
Foreach{
$LastOctStart = (($_.IPAddress | Select-String '\.' -AllMatches).Matches | select -last 1 | select index -ExpandProperty index)
$Subnet = $_.IPAddress.substring(0,$LastOctStart)
$Subnet
} | select -Unique
$SubnetsCount = $Subnets | measure | select count -ExpandProperty count
# Get information for each subnet
$SubnetSummary = $Subnets |
foreach {
$subnet = $_
$subnetdisplay = $subnet + ".0"
# Acls - acl list exists
$subnetacls = $ExcessiveSharePrivs | where ipaddress -like "$subnet*"
$subnetaclsCount = $subnetacls | measure | select count -ExpandProperty count
# ACLs: Read - aclread exists
$subnetaclr = $SharesWithread | where ipaddress -like "$subnet*"
$subnetaclrCount = $subnetaclr | measure | select count -ExpandProperty count
# ACLs: Write - acl write exists
$subnetaclw = $SharesWithWrite | where ipaddress -like "$subnet*"
$subnetaclwCount = $subnetaclw | measure | select count -ExpandProperty count
# ACLs: Highrisk - acl highrisk exists
$subnetaclx = $SharesHighRisk | where ipaddress -like "$subnet*"
$subnetaclxCount = $subnetaclx | measure | select count -ExpandProperty count
# Shares
$subnetshares = $subnetacls | select sharepath -Unique
$subnetsharesCount = $subnetshares | measure | select count -ExpandProperty count
# Computers
$subnetcomputers = $subnetacls | select computername -Unique
$subnetcomputersCount = $subnetcomputers | measure | select count -ExpandProperty count
# Create object
$Object = new-object PSObject
$Object | Add-Member Subnet $subnetdisplay
$Object | Add-Member AclCount $subnetaclsCount
$Object | Add-Member ReadAclCount $subnetaclrCount
$Object | Add-Member WriteAclCount $subnetaclwCount
$Object | Add-Member HighRiskAclCount $subnetaclxCount
$Object | Add-Member ShareCount $subnetsharesCount
$Object | Add-Member ComputerCount $subnetcomputersCount
# Return object
$Object
} | sort SubnetAclCount
# Status User
$Time = Get-Date -UFormat "%m/%d/%Y %R"
Write-Output " [*][$Time] - Identified $SubnetsCount subnets hosting shares configured with excessive privileges."
$SubnetSummary | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Shares-Inventory-Common-Subnets.csv"
$SubnetFile = "$TargetDomain-Shares-Inventory-Common-Subnets.csv"
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Calculate percentages # Calculate percentages
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
@ -1299,7 +1366,7 @@ function Invoke-HuntSMBShares
Write-Output " [*][$Time] Creation timeline reports have been disabled." Write-Output " [*][$Time] Creation timeline reports have been disabled."
$CardLastModifiedTimeLine = "Share creation Timeline reports have been disabled." $CardLastModifiedTimeLine = "Share creation Timeline reports have been disabled."
}else{ }else{
$CardCreationTimeLine = Get-CardCreationTime -MyDataTable $ExcessiveSharePrivs -OutFilePath "$OutputDirectory\$TargetDomain-Shares-Creation-Monthly-Summary.csv" $CardCreationTimeLine = Get-CardCreationTime -MyDataTable $ExcessiveSharePrivs -OutFilePath "$OutputDirectory\$TargetDomain-Shares-Timeline-Creation-Summary.csv"
} }
# Generate last modified card # Generate last modified card
@ -1308,7 +1375,7 @@ function Invoke-HuntSMBShares
Write-Output " [*][$Time] Last modified timeline reports have been disabled." Write-Output " [*][$Time] Last modified timeline reports have been disabled."
$CardLastModifiedTimeLine = "Last modified timeline reports have been disabled." $CardLastModifiedTimeLine = "Last modified timeline reports have been disabled."
}else{ }else{
$CardLastModifiedTimeLine = Get-CardLastModified -MyDataTable $ExcessiveSharePrivs -OutFilePath "$OutputDirectory\$TargetDomain-Shares-Last-Modified-Monthly-Summary.csv" $CardLastModifiedTimeLine = Get-CardLastModified -MyDataTable $ExcessiveSharePrivs -OutFilePath "$OutputDirectory\$TargetDomain-Shares-Timeline-Last-Modified-Summary.csv"
} }
# Generate last access card # Generate last access card
@ -1317,7 +1384,7 @@ function Invoke-HuntSMBShares
Write-Output " [*][$Time] Last access timeline reports have been disabled." Write-Output " [*][$Time] Last access timeline reports have been disabled."
$CardLastAccessTimeLine = "Last access timeline reports have been disabled." $CardLastAccessTimeLine = "Last access timeline reports have been disabled."
}else{ }else{
$CardLastAccessTimeLine = Get-CardLastAccess -MyDataTable $ExcessiveSharePrivs -OutFilePath "$OutputDirectory\$TargetDomain-Shares-Last-Accessed-Monthly-Summary.csv" $CardLastAccessTimeLine = Get-CardLastAccess -MyDataTable $ExcessiveSharePrivs -OutFilePath "$OutputDirectory\$TargetDomain-Shares-Timeline-Last-Accessed-Summary.csv"
} }
Write-Output " [*][$Time] Analysis Complete" Write-Output " [*][$Time] Analysis Complete"