From f8301b2588d5a4b29e4298fbbd80929308f9c322 Mon Sep 17 00:00:00 2001 From: Scott Sutherland Date: Tue, 4 Jun 2024 11:49:50 -0500 Subject: [PATCH] Update PowerHuntShares.psm1 updated top names page --- PowerHuntShares.psm1 | 238 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 203 insertions(+), 35 deletions(-) diff --git a/PowerHuntShares.psm1 b/PowerHuntShares.psm1 index d64aabe..1e8855c 100644 --- a/PowerHuntShares.psm1 +++ b/PowerHuntShares.psm1 @@ -4,7 +4,7 @@ #-------------------------------------- # Author: Scott Sutherland, 2024 NetSPI # License: 3-clause BSD -# Version: v1.47 +# Version: v1.48 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. function Invoke-HuntSMBShares { @@ -1611,13 +1611,13 @@ function Invoke-HuntSMBShares $ShareCount = $_.count $ShareName = $_.name $ShareFolderGroupCount = $ExcessiveSharePrivs | where sharename -like "$ShareName" | select filelistgroup -Unique | measure | select count -ExpandProperty count - $ShareNameBars = Get-GroupNameBar -DataTable $ExcessiveSharePrivs -Name $ShareName -AllComputerCount $ComputerCount -AllShareCount $AllSMBSharesCount -AllAclCount $ShareACLsCount + $ShareNameBars = Get-GroupNameNoBar -DataTable $ExcessiveSharePrivs -Name $ShareName -AllComputerCount $ComputerCount -AllShareCount $AllSMBSharesCount -AllAclCount $ShareACLsCount $ComputerBar = $ShareNameBars.ComputerBar $ShareBar = $ShareNameBars.ShareBar $AclBar = $ShareNameBars.AclBar # Share Description - $ShareDescriptionSample = $ExcessiveSharePrivs | where sharename -EQ "$ShareName" | where ShareDescription -NE "" | select ShareDescription -first 1 -expandproperty ShareDescription | foreach {"Sample Description
$_"} + $ShareDescriptionSample = $ExcessiveSharePrivs | where sharename -EQ "$ShareName" | where ShareDescription -NE "" | select ShareDescription -first 1 -expandproperty ShareDescription | foreach {"Sample Description
$_

"} # First created $ShareFirstCreated = $ExcessiveSharePrivs | where sharename -EQ "$ShareName" | select creationdate | foreach{[datetime]$_.creationdate } | Sort-Object | select -First 1 | foreach {$_.tostring("MM/dd/yyyy HH:mm:ss")} @@ -1745,7 +1745,8 @@ function Invoke-HuntSMBShares # Max is 4 + 3 + 2 + 1 + 1 = 11; Min is 0 $SimilarityTotal = $SimularityCalcShareFgFinal + $SimularityCalc50PFinal + $SimularityCalcFGOwnerAvgFinal +$SimularityCalcCreateDateFinal + $SimularityCalcLastModDateFinal $SimilarityScore = $SimilarityTotal / 11 - $SimilarityScoreP = $SimilarityScore.tostring("P") + $SimilarityScoreP1 = [math]::round(($SimilarityScore.tostring("P") -replace('%',''))) + $SimilarityScoreP = "$SimilarityScoreP1%" If($SimilarityScore -gt .80){ $SimLevel = "High"} If($SimilarityScore -lt .80){ $SimLevel = "Medium"} If($SimilarityScore -lt .50){ $SimLevel = "Low"} @@ -1763,28 +1764,54 @@ function Invoke-HuntSMBShares
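Review bot: The rewritten `$ShareDescriptionSample` line still interpolates the share description directly into the HTML here-string; share descriptions are collected from remote hosts, so any markup present in one would be rendered by the report rather than displayed. Encoding the value at the point of use, e.g. replacing `$_` inside the trailing `foreach` block with `$([System.Net.WebUtility]::HtmlEncode($_))`, keeps it as text. The same consideration applies wherever `$ShareName` is echoed into the page, though those lines are outside this hunk. Invoke-HuntSMBShares starts and ends outside the hunk.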
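Review bot: The new `$SimilarityScoreP1` line derives a percentage by formatting with `tostring("P")`, stripping `%` and converting the remainder back to a number inside `[math]::round`; the `P` format is culture-dependent (decimal separator and spacing vary), so that conversion can fail or misparse on non-invariant locales. Computing it numerically avoids the round trip: `$SimilarityScoreP1 = [math]::Round($SimilarityScore * 100)`. The `$SimLevel` thresholds below are context lines, but note that a score of exactly .80 matches neither the `-gt .80` nor the `-lt .80` branch and leaves `$SimLevel` unset.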
- $ShareDescriptionSample

+ $ShareDescriptionSample - Timeline Context
- First Created: $ShareFirstCreated
- Last Created: $ShareLastCreated
- Last Modified: $ShareLastModified

- - -
-
- Normalized Ratio Details
- FolderGroup: $SimularityCalcShareFg
- OwnerFG      : $SimularityCalcFGOwnerAvg
- Owner          : $SimularityCalcShareOwner
- Majority       : $SimularityCalc50P
- Created       : $SimularityCalcCreateDate
- LastMod      : $SimularityCalcLastModDate
-
-
+ Timeline Context
+ + + + + + + + + + + + + +
First Created: $ShareFirstCreated
Last Created: $ShareLastCreated
Last Modified: $ShareLastModified
+ + +
+
+ Normalized Ratio Details
+ + + + + + + + + + + + + + + + + + + +
FolderGroup: $SimularityCalcShareFg
OwnerFG: $SimularityCalcFGOwnerAvg
Owner: $SimularityCalcShareOwner
MajorityExists: $SimularityCalc50P
Created: $SimularityCalcCreateDate
LastMod: $SimularityCalcLastModDate
+
+
+
@@ -1800,15 +1827,14 @@ function Invoke-HuntSMBShares $ShareOwnerList
- - - $ComputerBar - - - $ShareBar + + + $ComputerBar + $ShareBar + $AclBar - $AclBar + PLACEHOLDER "@ @@ -2105,6 +2131,69 @@ $NewHtmlReport = @" vertical-align:top; border-top:1px solid #eceeef } + + .subtable{ + all: unset; + margin: 0; + padding: 0; + border: none; + background: none; + color: initial; + text-align: left; + font-family:"Proxima Nova","Open Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,sans-serif; + font-size:10px; + border-collapse: unset; + } + + .subtable td { + background: none; + font-size:10px; + text-align: left; + margin: 0; + padding: 0; + border: none; + border-collapse: unset; + } + + .subtable tr { + background: none; + font-size:10px; + text-align: left; + margin: 0; + padding: 0; + border: none; + border-collapse: unset; + } + + .subtable tbody td:nth-child(1) { + background: none; + font-size:10px; + text-align: left; + margin: 0; + padding: 0; + border: none; + border-collapse: unset; + } + + .subtable tbody tr:nth-of-type(odd) { + background: none; + font-size:10px; + text-align: left; + margin: 0; + padding: 0; + border: none; + border-collapse: unset; + } + + .subtable tbody tr:hover { + background: none; + font-size:10px; + text-align: left; + margin: 0; + padding: 0; + border: none; + border-collapse: unset; + } h2{ font-size:2rem @@ -2396,6 +2485,19 @@ $NewHtmlReport = @" padding-top: 5px; padding-bottom: 20px; padding-left:15px; + } + + .subexpandnocolor { + font-size: 14; + font-family:"Open Sans", sans-serif; + color:#666; + background-color:none; + border-radius: 0px; + padding: 5px; + margin-top: 5px; + margin-right: 5px; + margin-bottom: 5px; + width: 90% } .filelist { @@ -3766,13 +3868,13 @@ This section contains a list of the most common SMB share names. In some cases, - + - - - - - + + + + + 
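Review bot: The added `PLACEHOLDER` line sits inside the per-share report here-string (just before the closing `"@`), so that literal text will be written into the generated HTML for every share row; it reads as a leftover from the layout rework and should be replaced with the intended content or removed. The surrounding markup was stripped in this view, so whether it lands in a visible cell cannot be confirmed here. The enclosing here-string starts outside the hunk.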
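Review bot: In the `.subexpandnocolor` rule added by the -2396 hunk, `font-size: 14;` has no unit and `background-color:none;` is not a valid value, so browsers in standards mode will drop both declarations; `font-size: 14px;` and `background-color: transparent;` express the evident intent. In the -2105 hunk the six `.subtable` rules repeat the same declaration block verbatim; a single grouped selector (`.subtable, .subtable td, .subtable tr, ...`) would make later edits less error-prone. These rules live inside the `$NewHtmlReport` here-string, which starts and ends outside the hunks.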
@@ -5619,6 +5721,72 @@ function Get-GroupNameBar $TheCounts } +# ------------------------------------------- +# Function: Get-GroupNameNoBar +# ------------------------------------------- +function Get-GroupNameNoBar +{ + param ( + $DataTable, + $Name, + $AllComputerCount, + $AllShareCount, + $AllAclCount + ) + + # Get acl counts + $UserAcls = $DataTable | Where ShareName -like "$Name" | Select-Object ComputerName, ShareName, SharePath, FileSystemRights + $UserAclsCount = $UserAcls | measure | select count -ExpandProperty count + $UserAclsPercent = [math]::Round($UserAclsCount/$AllAclCount,4) + $UserAclsPercentString = $UserAclsPercent.tostring("P") -replace(" ","") + $UserAclsPercentBarVal = ($UserAclsPercent *2).tostring("P") -replace(" %","px") + $UserAclsPercentBarCode = @" + +
+
+ $UserAclsCount of $AllAclCount ($UserAclsPercentString) +
+
+"@ + + # Get share counts + $UserShare = $UserAcls | Select-Object SharePath -Unique + $UserShareCount = $UserShare | measure | select count -ExpandProperty count + $UserSharePercent = [math]::Round($UserShareCount/$AllShareCount,4) + $UserSharePercentString = $UserSharePercent.tostring("P") -replace(" ","") + $UserSharePercentBarVal = ($UserSharePercent *2).tostring("P") -replace(" %","px") + $UserSharePercentBarCode = @" + +
+
+ $UserShareCount of $AllShareCount ($UserSharePercentString) +
+
+"@ + + # Get computer counts + $UserComputer = $UserAcls | Select-Object ComputerName -Unique + $UserComputerCount = $UserComputer | measure | select count -ExpandProperty count + $UserComputerPercent = [math]::Round($UserComputerCount/$AllComputerCount,4) + $UserComputerPercentString = $UserComputerPercent.tostring("P") -replace(" ","") + $UserComputerPercentBarVal = ($UserComputerPercent *2).tostring("P") -replace(" %","px") + $UserComputerPercentBarCode = @" + +
+
+ $UserComputerCount of $AllComputerCount ($UserComputerPercentString) +
+
+"@ + + # Return object with all counts + $TheCounts = new-object psobject + $TheCounts | add-member Noteproperty ComputerBar $UserComputerPercentBarCode + $TheCounts | add-member Noteproperty ShareBar $UserSharePercentBarCode + $TheCounts | add-member Noteproperty AclBar $UserAclsPercentBarCode + $TheCounts +} + # ------------------------------------------- # Function: Get-GroupFileBar # -------------------------------------------
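Review bot: In `Get-GroupNameNoBar`, each ratio divides by a caller-supplied total (`$UserAclsCount/$AllAclCount`, `$UserShareCount/$AllShareCount`, `$UserComputerCount/$AllComputerCount`) with no check that the total is non-zero or non-null, so an empty or partial scan raises a divide-by-zero error in the middle of report generation. Guarding each one, e.g. `$UserAclsPercent = if ($AllAclCount) { [math]::Round($UserAclsCount/$AllAclCount,4) } else { 0 }`, and likewise for the share and computer ratios, keeps the report rendering. The opening filter uses `Where ShareName -like "$Name"` while the caller at line 1611 looks up the description with `-EQ`; `-like` treats `[`, `*` and `?` in a share name as wildcards, so `-eq` is the safer match for an exact name. The function also lacks a comment-based help block; a short `.SYNOPSIS` plus `.PARAMETER` entries stating that the three totals are the denominators would document the contract. It appears to mirror `Get-GroupNameBar` (defined above the hunk); if so, a shared helper with a bar/no-bar switch would avoid maintaining the counting logic twice.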
Share CountShares Share NameUnique Folder GroupsUnique OwnersAffected ComputersAffected SharesAffected ACLsSimilarityFolder GroupsShare OwnersAffected AssetsTimeline