diff --git a/PowerHuntShares.psm1 b/PowerHuntShares.psm1
index 6d278c2..5242b1d 100644
--- a/PowerHuntShares.psm1
+++ b/PowerHuntShares.psm1
@@ -4,7 +4,7 @@
 #--------------------------------------
 # Author: Scott Sutherland, 2024 NetSPI
 # License: 3-clause BSD
-# Version: v1.112
+# Version: v1.113
 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
 function Invoke-HuntSMBShares
 {
@@ -2389,6 +2389,45 @@ function Invoke-HuntSMBShares
 if($RiskLevelFileListGroupResult -eq "Critical"){$RiskLevelFolderGroupCountCritical = $RiskLevelFolderGroupCountCritical + 1}
 }
 
+ # ----------------------------------------------------------------------
+ # Calculate Peer Comparison Data - INSIGHTS
+ # ----------------------------------------------------------------------
+ # % of computers, shares, aces with excessive privs enumerated from single active directory domain
+
+ # Set averages from a sample of 50 representative (size and industry) environments
+ $PeerCompareAverageP = "[18, 9, 15]"
+
+ # Get actual computer %
+ if($ComputerPingableCount -gt 0){
+ $PeerComparisonComputerCount = $ComputerPingableCount # use ping count
+ }else{
+ $PeerComparisonComputerCount = $Computers445OpenCount # use open445 count
+ }
+ $PeerComparActualComputers = [math]::Round($ComputerWithExcessive/$PeerComparisonComputerCount,2) * 100
+
+ # Get actual shares %
+ $PeerComparActualShares = [math]::Round($ExcessiveSharesCount/$AllSMBSharesCount,2) * 100
+
+ # Get actual aces %
+ $PeerComparActualAces = [math]::Round($ExcessiveSharePrivsCount/$ShareACLsCount ,2) * 100
+
+ # Set actual
+ $PeerCompareActuaP = "[$PeerComparActualComputers, $PeerComparActualShares, $PeerComparActualAces]"
+
+ # ----------------------------------------------------------------------
+ # Calculate Remediation Prioritization and Charts - INSIGHTS
+ # ----------------------------------------------------------------------
+ $RemediationBase = "[$ExcessiveSharePrivsCount,$ExcessiveSharePrivsCount,$ExcessiveSharePrivsCount]"
+ $RemediationSave = "[$ExcessiveSharePrivsCount,$FolderGroupChartCount,$ShareNameChartCount]"
+ $RemediationSaveFgP = 100 - ([math]::Round($FolderGroupChartCount/$ExcessiveSharePrivsCount,2) * 100)
+ $RemediationSaveSnP = 100 - ([math]::Round($ShareNameChartCount/$ExcessiveSharePrivsCount,2) * 100)
+
+ if($RemediationSaveFgP -gt $RemediationSaveSnP){
+ $RemediationSavings = $RemediationSaveFgP
+ }else{
+ $RemediationSavings = $RemediationSaveSnP
+ }
+
 # ----------------------------------------------------------------------
 # Create ShareGraph Nodes and Edges
 # ----------------------------------------------------------------------
@@ -5596,6 +5635,25 @@ input[type="checkbox"]:checked::before {
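Review bot: Every ratio in the new peer-comparison and remediation block divides by a count that can legitimately be zero, and none of them is guarded: `$PeerComparisonComputerCount` is 0 when neither the ping count nor the port-445 count is positive, `$AllSMBSharesCount` and `$ShareACLsCount` are 0 when nothing was enumerated, and `$ExcessiveSharePrivsCount` is 0 in a clean environment, which is exactly the result the report should be able to present. If these are integer counts, PowerShell raises "Attempted to divide by zero" on that statement and, unless the caller runs with an ErrorAction of Stop, leaves the variable unset, so the `[...]` strings built from them are emitted with empty slots; since `$RemediationSavings` is also interpolated into the report text, the rendered HTML and any chart data fed from these arrays would be malformed (presumably they go into the template in the later hunks; confirm what the chart code expects). A guarded form that reports 0 when the denominator is 0 keeps the output well-formed without changing the non-zero case, as below. The enclosing Invoke-HuntSMBShares body begins and ends outside this hunk.

```powershell
# No reachable hosts, shares, ACEs or excessive ACEs is a valid (good) result;
# report 0% rather than dividing by zero and leaving the value unset.
$PeerComparActualComputers = if($PeerComparisonComputerCount -gt 0){ [math]::Round($ComputerWithExcessive/$PeerComparisonComputerCount,2) * 100 }else{ 0 }
$PeerComparActualShares    = if($AllSMBSharesCount -gt 0){ [math]::Round($ExcessiveSharesCount/$AllSMBSharesCount,2) * 100 }else{ 0 }
$PeerComparActualAces      = if($ShareACLsCount -gt 0){ [math]::Round($ExcessiveSharePrivsCount/$ShareACLsCount,2) * 100 }else{ 0 }
# … unchanged: $PeerCompareActuaP, $RemediationBase, $RemediationSave …
$RemediationSaveFgP = if($ExcessiveSharePrivsCount -gt 0){ 100 - ([math]::Round($FolderGroupChartCount/$ExcessiveSharePrivsCount,2) * 100) }else{ 0 }
$RemediationSaveSnP = if($ExcessiveSharePrivsCount -gt 0){ 100 - ([math]::Round($ShareNameChartCount/$ExcessiveSharePrivsCount,2) * 100) }else{ 0 }
```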
+ +
+ Peer Comparison
+ This section displays the percentage of assets associated with excessive share Access Control Entries (ACEs). Each percentage is calculated based on the total number of assets of that type discovered in the target environment. It also compares these figures to the average percentage of affected assets observed in other environments. +
+ +
+ + + +
+
+
+
+ +
+ @@ -5627,6 +5685,25 @@ input[type="checkbox"]:checked::before { + +
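Review bot: The Peer Comparison description in this hunk says each percentage is "calculated based on the total number of assets of that type discovered", but the computer figure it describes is computed in the earlier hunk over the pingable-host count (falling back to the port-445-open count), not over all discovered computers, so a reader will compare against the wrong denominator. Suggest rewording that sentence to something like `Each percentage is calculated against the number of live computers (pingable, or port-445 reachable), the shares enumerated, and the share ACEs collected in the target environment.` The same paragraph presents the comparison baseline as averages "observed in other environments"; since that baseline is a fixed value shipped with the tool rather than anything measured here, saying so (e.g. `...compared to a fixed baseline drawn from a sample of 50 environments.`) would keep the report honest. The surrounding HTML markup appears to have been stripped from this view, so the exact element to edit cannot be named from here.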
+ Remediation Prioritization
+ In most cases it makes sense to remediate share ACEs that have been categorized as high or critical risk first. Next, prioritize shares in groups by folder group (shares containing exactly the same files) or by share names that have a high similarity score. + Prioritizing those groups may help reduce remediation actions by as much as $RemediationSavings percent for this environment. That has been illustrated in the chart below. +
+ +
+ + + +
+
+
+
+ +