diff --git a/Scripts/Analyze-HuntSMBShares.ps1 b/Scripts/Analyze-HuntSMBShares.ps1 index cbec3c2..05cd851 100644 --- a/Scripts/Analyze-HuntSMBShares.ps1 +++ b/Scripts/Analyze-HuntSMBShares.ps1 @@ -5,7 +5,7 @@ #-------------------------------------- # Author: Scott Sutherland, 2024 NetSPI # License: 3-clause BSD -# Version: v1.64 +# Version: v1.66 # References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell. function Analyze-HuntSMBShares { @@ -1363,7 +1363,7 @@ function Analyze-HuntSMBShares } # ---------------------------------------------------------------------- - # Calculate risk score per acl + # Calculate risk score per acl - ACE INSIGHTS # ---------------------------------------------------------------------- # add interesting file flags # add risk score 
@@ -1579,6 +1579,84 @@ function Analyze-HuntSMBShares $RiskLevelCountHigh = $ExcessiveSharePrivsFinal | where RiskLevel -eq 'High' | measure | select count -ExpandProperty count $RiskLevelCountCritical = $ExcessiveSharePrivsFinal | where RiskLevel -eq 'Critical' | measure | select count -ExpandProperty count + # Create table for ACEs page + $AceTableRows = $ExcessiveSharePrivsFinal | + foreach { + + # Risk Level + $AceRowRiskScore = $_.RiskScore + $AceRowRiskLevel = $_.RiskLevel + + # Read + $AceRowHasRead = $_.HasRead + + # Write + $AceRowHasWrite = $_.HasWrite + + # HR + $AceRowHasHR = $_.HasHR + + # RCE + $AceRowHasRCE = $_.HasRCE + + # Has sesntive secrests + $AceRowHasSecrets = $_.HasSecrets + + # Has sesntive data + $AceRowHasIF = $_.HasIF + + # Computer + $AceRowComputer = $_.ComputerName + + # Share Name + $AceRowShareName = $_.ShareName + + # Share Path + $AceRowSharePath = $_.SharePath + + # ACE + $AceRowACE = $_.FileSystemRights + + # Identity + $AceRowIdentity = $_.IdentityReference + + # Share Owner + $AceRowShareOwner = $_.ShareOwner + + # Created + $AceRowCreated = $_. CreationDate + + # Modified + $AceRowModified = $_.LastModifiedDate + + # Files + $AceRowFilecount = $_.FileCount + $AceRowFileList = $_.FileList + + $AceRow = @" + + $AceRowRiskScore $AceRowRiskLevel + $AceRowComputer + $AceRowShareName + $AceRowSharePath + $AceRowACE + $AceRowIdentity + $AceRowShareOwner + $AceRowCreated + $AceRowModified + + +
+ $AceRowFileList +
+ + +"@ + # Return row + $AceRow + } + + # ---------------------------------------------------------------------- # Create Computer Insight Summary Information & Table Rows # ---------------------------------------------------------------------- @@ -1771,14 +1849,7 @@ function Analyze-HuntSMBShares if($RiskLevelFileListGroupResult -eq "Medium" ){$RiskLevelFolderGroupCountMedium = $RiskLevelFolderGroupCountMedium + 1} if($RiskLevelFileListGroupResult -eq "High" ){$RiskLevelFolderGroupCountHigh = $RiskLevelFolderGroupCountHigh + 1} if($RiskLevelFileListGroupResult -eq "Critical"){$RiskLevelFolderGroupCountCritical = $RiskLevelFolderGroupCountCritical + 1} - } - - # select all interance - - # ---------------------------------------------------------------------- - # Create ACL Summary Information - # ---------------------------------------------------------------------- - # TBD + } # ---------------------------------------------------------------------- # Create Timeline Reports @@ -3887,7 +3958,7 @@ $NewHtmlReport = @" display:block; margin:10px; margin-bottom:20px; - --border-radius: 10px; + border-radius: 3px; } .card:hover{ @@ -3968,7 +4039,9 @@ $NewHtmlReport = @" border-bottom:1px solid #ccc; --border-bottom-right-radius: 10px; --border-bottom-left-radius: 10px; - } + border-bottom-left-radius: 3px; + border-bottom-right-radius: 3px; + } .cardbarouter{ background:#d9d7d7; @@ -4402,15 +4475,12 @@ input[type="checkbox"]:checked::before {
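Review bot: The values placed into the `$AceRow` here-string (`$AceRowShareName`, `$AceRowSharePath`, `$AceRowIdentity`, `$AceRowShareOwner`, `$AceRowFileList`) are interpolated as-is, and they originate from the scanned hosts rather than from the script. Assuming the row markup (not visible in this view) is written into the HTML report like the other tables, a share or file name containing markup characters would be rendered as HTML when the report is opened. Encode each scalar at assignment, e.g. `$AceRowShareName = [System.Net.WebUtility]::HtmlEncode($_.ShareName)`, and for `$AceRowFileList` encode the individual names before they are joined if that field already carries markup. Separately, the comments `# Has sesntive secrests` and `# Has sesntive data` should read `# Has sensitive secrets` and `# Has sensitive data`.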
- - - - - - + + - + + @@ -4418,8 +4488,8 @@ input[type="checkbox"]:checked::before { - - + +
@@ -4509,7 +4579,7 @@ input[type="checkbox"]:checked::before {
-

Excessive Share Privileges Dashboard

+

Results Overview

@@ -4530,7 +4600,7 @@ input[type="checkbox"]:checked::before { -->
@@ -4589,7 +4659,7 @@ input[type="checkbox"]:checked::before {
@@ -4648,7 +4718,7 @@ input[type="checkbox"]:checked::before {
- ACLs + ACLs
@@ -4718,7 +4788,7 @@ input[type="checkbox"]:checked::before { Below is a summary of number of share ACLs by risk level and a summary of file name counts that may contain passwords, sensitive data, or result in remote code execution. Click the titles for more detail.

+ + + + + + + @@ -5783,7 +5946,7 @@ Below are some tips for getting started on prioritizing the remediation of share
-

HELP!

+

Scan Information

@@ -6050,6 +6213,95 @@ Invoke-HuntSMBShares -Threads 20 -RunSpaceTimeOut 10 -OutputDirectory c:\folder\ } + +// -------------------------- +// ACE Page: Risk Level chart +// -------------------------- + +// Initialize ApexCharts +const ChartAceRiskOptions = { + series: [{ + data: [$RiskLevelCountCritical, $RiskLevelCountHigh, $RiskLevelCountMedium, $RiskLevelCountLow] + }], + chart: { + type: 'bar', + height: 200 + }, + plotOptions: { + bar: { + borderRadius: 0, + borderRadiusApplication: 'end', + horizontal: true, + colors: { + backgroundBarColors: ['#e0e0e0'], + backgroundBarOpacity: 1, + ranges: [{ + from: 0, + to: 1000, + color: '#f08c41' + }] + } + } + }, + dataLabels: { + enabled: false + }, + grid: { + show: false + }, + xaxis: { + categories: ['Critical','High','Medium','Low'] + } +}; + +const ChartAceRisk = new ApexCharts(document.querySelector("#ChartAceRisk"), ChartAceRiskOptions); +ChartAceRisk.render(); + +// -------------------------- +// ACE Page: Chart - Interesting Files +// -------------------------- + +const datac = $IFCategoryListCount; +const categoriesc = $ChartCategoryCatDash; + +const ChartAcesIFOptions = { + series: [{ + data: datac + }], + chart: { + type: 'bar', + height: 200 + }, + plotOptions: { + bar: { + borderRadius: 0, + borderRadiusApplication: 'end', + horizontal: true, + colors: { + backgroundBarColors: ['#e0e0e0'], + backgroundBarOpacity: 1, + ranges: [{ + from: 0, + to: 1000, + color: '#f08c41' + }] + } + } + }, + dataLabels: { + enabled: false + }, + grid: { + show: false + }, + xaxis: { + categories: categoriesc, + } + }; + +const ChartAcesIF = new ApexCharts(document.querySelector("#ChartAcesIF"), ChartAcesIFOptions); +ChartAcesIF.render(); + // -------------------------- // Computers Page - Computers Found // -------------------------- 
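Review bot: Both new chart option objects colour the bars through `plotOptions.bar.colors.ranges` with a fixed `from: 0, to: 1000` window, so a bar whose count exceeds 1000 falls outside the range and is drawn in the library's default series colour instead of `#f08c41`. ACE counts per risk level can plausibly pass that figure on a large scan. Setting the colour once at the top level of each options object, `colors: ['#f08c41'],`, and dropping the `ranges` entry removes the cap. `ChartAceRiskOptions` and `ChartAcesIFOptions` are otherwise identical apart from their data and categories, so a small helper taking those two values would keep the two charts from drifting apart.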
@@ -6784,7 +7036,11 @@ applyFiltersAndSort('InterestingFileTable', 'filterInputIF', 'filterCounterIF', // Initialize computers table document.getElementById('computerfilterInput').addEventListener("keyup", () => applyFiltersAndSort('ComputersTable', 'computerfilterInput', 'computerfilterCounter', 'computerpagination')); -applyFiltersAndSort('ComputersTable', 'computerfilterInput', 'computerfilterCounter', 'computerpagination'); +applyFiltersAndSort('ComputersTable', 'computerfilterInput', 'computerfilterCounter', 'computerpagination'); + +// Initialize ace table +document.getElementById('acefilterInput').addEventListener("keyup", () => applyFiltersAndSort('aceTable', 'acefilterInput', 'acefilterCounter', 'acepagination')); +applyFiltersAndSort('aceTable', 'acefilterInput', 'acefilterCounter', 'acepagination'); // CSV export function function extractAndDownloadCSV(tableId, columnIndex) {