diff --git a/Scripts/Analyze-HuntSMBShares.ps1 b/Scripts/Analyze-HuntSMBShares.ps1 index 85f4bc4..428e18e 100644 --- a/Scripts/Analyze-HuntSMBShares.ps1 +++ b/Scripts/Analyze-HuntSMBShares.ps1 @@ -5,7 +5,7 @@ #-------------------------------------- # Author: Scott Sutherland, 2024 NetSPI # License: 3-clause BSD -# Version: v1.89 +# Version: v1.90 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. function Analyze-HuntSMBShares { @@ -2194,6 +2194,9 @@ function Analyze-HuntSMBShares $ShareFirstDate = $UniqueDates | select -First 1 $ShareLastDate = $UniqueDates | select -Last 1 + # Set color check to 0 + $ShareCriticalHighCheck = 0 + # Get start and end dates for all high $ShareHighCountBlah = $AllAcesWithFormattedDates | Where-Object { $_.RiskLevel -eq 'High' } | select SharePath -Unique | measure | select count -ExpandProperty count If($ShareHighCountBlah -gt 0) @@ -2206,14 +2209,13 @@ function Analyze-HuntSMBShares $ShareHighTime = "Shares configured with high risk ACEs were created between $HighFirstDateS and $HighLastDateS." # $ShareHighTime = "" + $ShareCriticalHighCheck = 1 }else{ # $HighFirstDateS = "NA" # $HighLastDateS = "NA" $ShareHighTime = "No shares were found configured with high risk ACEs." } - - # Get start and end dates for all critical $ShareCriticalCountBlah = $AllAcesWithFormattedDates | Where-Object { $_.RiskLevel -eq 'Critical' } | select SharePath -Unique | measure | select count -ExpandProperty count If($ShareCriticalCountBlah -gt 0) 
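Review bot: The comment `# Set color check to 0` added at 2197 does not say what `$ShareCriticalHighCheck` actually records, which makes the later `-eq 1` test at 2228 hard to read; the flag is set to 1 in both the high and the critical branches, so it means "at least one share carries a critical or high risk ACE". Suggest `# 1 when any share has a critical or high risk ACE; gates the trend-area sentence in the report` in its place. A `[bool]` (`$false`/`$true`) would express the same thing more idiomatically than 0/1, but that is a style preference. The enclosing function Analyze-HuntSMBShares starts outside this hunk.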
@@ -2226,12 +2228,16 @@ function Analyze-HuntSMBShares $ShareCriticalTime = "Shares configured with critical risk ACEs were created between $CriticalFirstDateS and $CriticalLastDateS." # $ShareCriticalTime = "" + $ShareCriticalHighCheck = 1 }else{ # $CriticalFirstDateS = "NA" # $CriticalLastDateS = "NA" $ShareCriticalTime = "No shares were found configured with critical risk ACEs." } + if($ShareCriticalHighCheck -eq 1){ + $ShareCriticalHighLine = "The orange and red trend areas reflect the cumulative number of critical and high risk shares in the environment so you can easily observe when/if they were introduced." + } # Iterate through unique dates and count ACEs efficiently @@ -5385,14 +5391,13 @@ input[type="checkbox"]:checked::before { -->
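Review bot: The new `if($ShareCriticalHighCheck -eq 1)` block assigns `$ShareCriticalHighLine` only on the true branch, so when no critical or high risk shares exist the variable is never set before it is interpolated into the report text in the hunk at 5391. With default settings that expands to an empty string, but if `Set-StrictMode` is ever enabled the reference will throw, and because PowerShell resolves unset names through parent scopes a same-named variable in the caller's session would be printed instead. Add `}else{ $ShareCriticalHighLine = "" }` to the new block (or initialise it to `""` next to `$ShareCriticalHighCheck = 0` at 2198). The enclosing function continues outside this hunk.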
Share Creation Timeline
-
+
Below is a time series chart to help provide a sense of when shares were created and at what point critical and high risk shares were introduced into the environment. - By reading the chart left to right, you can see that shares were created in this environment between $ShareFirstDate and $ShareLastDate. You can zoom into any section of the chart by clicking or using the chart controls in the upper right hand corner of the chart. - The orange and red trend areas reflect the cumulative number of critical and high risk shares in the environment so you can easily observe when they were introduced. + By reading the chart left to right, you can see that shares were created in this environment between $ShareFirstDate and $ShareLastDate. You can zoom into any section of the chart by clicking or using the chart controls in the upper right hand corner of the chart. $ShareCriticalTime $ShareHighTime - The chart also includes two horizontal lines. The "avg" line shows the average number of created shares and everything above the "+2 Std Dev" line is considered anomolous in the context of this report. The average number of shares created was $DataSeriesSharesAvg, the max was $DataSeriesSharesMax, and the standard deviation was $DataSeriesSharesSD. - $DataSeriessharesAnomalyCount anomalies were found that represent days when share creation counts were twice the standard deviation. + $ShareCriticalHighLine + The chart also includes two horizontal lines. The "avg" line shows the average number of created shares and everything above the "+2 Std Dev" line is considered anomolous in the context of this report. $DataSeriessharesAnomalyCount anomalies were found that represent days when share creation counts were twice the standard deviation.