- Interesting files may contain passwords or sensitive data. They have been grouped by name in the table below, and summaryized by the $FileNamePatternCategoriesCount categories below.
+
+ This section provides a list of files that may contain passwords or sensitive data, or may be abused for remote code execution.
Below is a summary of the domain computers that were targeted, connectivity to them, and the number that are hosting potentially insecure SMB shares.
-
-
+
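Review bot: the new description for the interesting-files section no longer mentions that the files are grouped by name or how many categories there are, both of which the removed sentence carried via `$FileNamePatternCategoriesCount`. If the table below is still grouped into categories, keep that in the new sentence (for example "grouped by name into $FileNamePatternCategoriesCount categories") so the reader knows how to read the table. If the variable is no longer referenced anywhere else, check whether it is still computed for nothing.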
@@ -4752,11 +4756,11 @@ Below is a summary of the domain computers that were targeted, connectivity to t
+
Share Summary
+
-
Share Summary
Below is a summary of the SMB shares discovered on domain computers that may provide excessive privileges to standard domain users.
-
-
+
@@ -4825,11 +4829,11 @@ Below is a summary of the SMB shares discovered on domain computers that may pro
+
Share ACL Entry Summary
+
-
Share ACL Entry Summary
Below is a summary of the SMB share ACL entries discovered on domain computers that may provide excessive privileges to standard domain users.
-
@@ -4895,14 +4899,13 @@ Below is a summary of the SMB share ACL entries discovered on domain computers t
-
-
Group ACL Summary
+
Group ACL Summary
+
+
In the context of this report, excessive read and write share permissions have been defined as any network share ACL containing an explicit entry for the "Everyone", "Authenticated Users", "BUILTIN\Users", "Domain Users", or "Domain Computers" groups. All provide domain users access to the affected shares due to privilege inheritance.
Below is a summary of the exposure associated with each of those groups.
-
-
@@ -5115,14 +5118,11 @@ Below is a summary of the exposure associated with each of those groups.
-
-
Share Names
+
Share Names
+
+
This section contains a list of the most common SMB share names. In some cases, shares with the exact same name may be related to a single application or process. This information can help identify the root cause associated with the excessive privileges and expedite remediation.
-
-
-
-
-
+
@@ -5239,12 +5239,12 @@ This section contains a list of the most common SMB share names. In some cases,
+
Affected Subnets
+
-
Affected Subnets
This section contains a list of subnets hosting computers with shares that are configured with accessibe privileges.
-
$SubnetSummaryHTML
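Review bot: the description line under "Affected Subnets" still reads "configured with accessibe privileges", which is misspelled and does not match the "excessive privileges" wording used by the other section descriptions. Since this hunk already touches the section heading, fix the sentence in the same change.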
@@ -5254,13 +5254,12 @@ $SubnetSummaryHTML
+
Share Owners
+
-
Share Owners (Top $SampleSum)
This section lists the most common share owners.
-
-
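Review bot: the "Share Owners" heading no longer carries "(Top $SampleSum)", and the description only says "This section lists the most common share owners", so the report no longer states that the list is truncated or to how many entries. Suggest moving the count into the description, for example "This section lists the top $SampleSum most common share owners", so a reader does not mistake the list for the complete set of owners.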
@@ -5284,13 +5283,11 @@ This section lists the most common share owners.
-
-
Folder Groups
+
Folder Groups
+
+
Folder groups are SMB shares that contain the exact same file listing. Each file group has been hashed so they can be quickly correlated. In some cases, shares with the exact same file listing may be related to a single application or process. This information can help identify the root cause associated with the excessive privileges and expedite remediation.
-
-
-
@@ -5373,13 +5370,12 @@ Folder groups are SMB shares that contain the exact same file listing. Each file
+
Exploiting Access
+
-
Exploit Share Accesss
Below are some tips for getting started on exploiting share access.
-
-
@@ -5436,13 +5432,12 @@ Below are some tips for getting started on exploiting share access.
+
Recommendations
+
-
Recommendations: Exploit Share Access
Below are some tips for getting started on building detections for potentially malicious share scanning events.
-
-
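Review bot: the new heading "Recommendations" is generic, while the description under it is specifically about "building detections for potentially malicious share scanning events", and the following section ("Prioritizing Remediation") was also a "Recommendations:" section before this change. Consider a heading that names the content, such as "Detection Recommendations", so the two sections stay distinguishable in the report navigation.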
@@ -5502,13 +5497,12 @@ Guest access to the system should also be revoked and ensure that adequate acces
+
Prioritizing Remediation
+
-
Recommendations: Prioritize Remediation
Below are some tips for getting started on prioritizing the remediation of shares configured with excessive privileges.
-
-
@@ -5568,12 +5562,12 @@ Below are some tips for getting started on prioritizing the remediation of share
+
HELP!
+
-
-
HELP!
+
This report summarizes the shares identified as being configured with excessive privileges.