From d8d6bdf0938743e2bfdacb15366d372ab6318831 Mon Sep 17 00:00:00 2001
From: Scott Sutherland
Date: Mon, 9 Sep 2024 17:16:29 -0500
Subject: [PATCH] Update PowerHuntShares.psm1

Added peer comparison and remediation task reduction charts.
---
 PowerHuntShares.psm1 | 283 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 281 insertions(+), 2 deletions(-)

diff --git a/PowerHuntShares.psm1 b/PowerHuntShares.psm1
index 6d278c2..5242b1d 100644
--- a/PowerHuntShares.psm1
+++ b/PowerHuntShares.psm1
@@ -4,7 +4,7 @@
 #--------------------------------------
 # Author: Scott Sutherland, 2024 NetSPI
 # License: 3-clause BSD
-# Version: v1.112
+# Version: v1.113
 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
 function Invoke-HuntSMBShares {
@@ -2389,6 +2389,45 @@ function Invoke-HuntSMBShares if($RiskLevelFileListGroupResult -eq "Critical"){$RiskLevelFolderGroupCountCritical = $RiskLevelFolderGroupCountCritical + 1} } + # ---------------------------------------------------------------------- + # Calculate Peer Comparison Data - INSIGHTS + # ---------------------------------------------------------------------- + # % of computers, shares, aces with excessive privs enumerated from single active directory domain + + # Set averages from a sample of 50 representative (size and industry) environments + $PeerCompareAverageP = "[18, 9, 15]" + + # Get actual computer % + if($ComputerPingableCount -gt 0){ + $PeerComparisonComputerCount = $ComputerPingableCount # use ping count + }else{ + $PeerComparisonComputerCount = $Computers445OpenCount # use open445 count + } + $PeerComparActualComputers = [math]::Round($ComputerWithExcessive/$PeerComparisonComputerCount,2) * 100 + + # Get actual shares % + $PeerComparActualShares = [math]::Round($ExcessiveSharesCount/$AllSMBSharesCount,2) * 100 + + # Get actual aces % + $PeerComparActualAces = [math]::Round($ExcessiveSharePrivsCount/$ShareACLsCount ,2) * 100 + + # Set actual + $PeerCompareActuaP = "[$PeerComparActualComputers, $PeerComparActualShares, $PeerComparActualAces]" + + # ---------------------------------------------------------------------- + # Calculate Remediation Prioritization and Charts - INSIGHTS + # ---------------------------------------------------------------------- + $RemediationBase = "[$ExcessiveSharePrivsCount,$ExcessiveSharePrivsCount,$ExcessiveSharePrivsCount]" + $RemediationSave = "[$ExcessiveSharePrivsCount,$FolderGroupChartCount,$ShareNameChartCount]" + $RemediationSaveFgP = 100 - ([math]::Round($FolderGroupChartCount/$ExcessiveSharePrivsCount,2) * 100) + $RemediationSaveSnP = 100 - ([math]::Round($ShareNameChartCount/$ExcessiveSharePrivsCount,2) * 100) + + if($RemediationSaveFgP -gt $RemediationSaveSnP){ + $RemediationSavings = 
$RemediationSaveFgP + }else{ + $RemediationSavings = $RemediationSaveSnP + } + # ---------------------------------------------------------------------- # Create ShareGraph Nodes and Edges # ---------------------------------------------------------------------- @@ -5596,6 +5635,25 @@ input[type="checkbox"]:checked::before {
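Review bot: Every ratio in this hunk divides by a count that can legitimately be zero — `$PeerComparisonComputerCount` (when neither the ping count nor the port-445 count is positive), `$AllSMBSharesCount`, `$ShareACLsCount`, and `$ExcessiveSharePrivsCount` in both `$RemediationSave*P` lines — and if those are integer counts PowerShell raises "Attempted to divide by zero", so report generation aborts precisely on a clean environment with no excessive ACEs. A small percent helper that returns 0 for an empty denominator covers all five sites, and computing `[math]::Round(100 * $part / $whole)` there instead of `[math]::Round(…, 2) * 100` avoids float artifacts such as 28.999999999999996 that the current form can emit into the chart arrays for some values; the Fg/Sn comparison then collapses to `[math]::Max`. `$PeerCompareActuaP` looks like a typo for `$PeerCompareActualP` alongside `$PeerCompareAverageP`; if the HTML template further down references it, rename both ends together. Invoke-HuntSMBShares begins and ends outside this hunk.
```powershell
# Percent of $Part in $Whole, rounded to a whole number; 0 when $Whole is empty so a
# clean result set (no pingable hosts, no shares, no excessive ACEs) cannot abort the report.
function Get-PercentOf($Part, $Whole){
    if(-not $Whole -or $Whole -eq 0){ return 0 }
    return [math]::Round(100 * $Part / $Whole)
}
# … unchanged: $PeerCompareAverageP and the $PeerComparisonComputerCount selection …
$PeerComparActualComputers = Get-PercentOf $ComputerWithExcessive $PeerComparisonComputerCount
$PeerComparActualShares    = Get-PercentOf $ExcessiveSharesCount $AllSMBSharesCount
$PeerComparActualAces      = Get-PercentOf $ExcessiveSharePrivsCount $ShareACLsCount
# … unchanged: $PeerCompareActuaP, $RemediationBase, $RemediationSave …
if($ExcessiveSharePrivsCount -gt 0){
    $RemediationSaveFgP = 100 - (Get-PercentOf $FolderGroupChartCount $ExcessiveSharePrivsCount)
    $RemediationSaveSnP = 100 - (Get-PercentOf $ShareNameChartCount $ExcessiveSharePrivsCount)
}else{
    # Nothing to remediate, so there is no reduction to report.
    $RemediationSaveFgP = 0
    $RemediationSaveSnP = 0
}
$RemediationSavings = [math]::Max($RemediationSaveFgP, $RemediationSaveSnP)
```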
+ +
+ Peer Comparison
+ This section displays the percentage of assets associated with excessive share Access Control Entries (ACEs). Each percentage is calculated based on the total number of assets of that type discovered in the target environment. It also compares these figures to the average percentage of affected assets observed in other environments. +
+ +
+ + + +
+
+
+
+ +
+ @@ -5627,6 +5685,25 @@ input[type="checkbox"]:checked::before { + +
+ Remediation Prioritization
+ In most cases it makes sense to remediate share ACEs that have been categorized as high or critical risk first. Next, prioritize shares in groups by folder group (shares containing exactly the same files) or by share names that have a high similarity score. + Prioritizing those groups may help reduce remediation actions by as much as $RemediationSavings percent for this environment. That has been illustrated in the chart below. +
+ +
+ + + +
+
+
+
+ +