POWERHUNTSHARES
demo.local

Interesting Files

This section provides a list of files that may contain passwords or sensitive data, or may be abused for remote code execution.

Interesting Files Found
83 
(65 unique file names)
File Count File Name Category File Paths
5 program files Binaries
\\demo.local\C$\program files
\\demo.local\C\program files
\\2012SERVERSCCM.demo.local\C$\program files
\\demo.local\ADMIN$\program files
\\2012SERVERSCCM.demo.local\ADMIN$\program files
3 program files (x86) Binaries
\\demo.local\C$\program files (x86)
\\demo.local\C\program files (x86)
\\2012SERVERSCCM.demo.local\C$\program files (x86)
3 system Secret
\\2012SERVERSCCM.demo.local\C$\system
\\demo.local\ADMIN$\system
\\2012SERVERSCCM.demo.local\ADMIN$\system
2 backup Backup
\\demo.local\C$\backup
\\demo.local\C\backup
2 bfsvc.exe Binaries
\\demo.local\ADMIN$\bfsvc.exe
\\2012SERVERSCCM.demo.local\ADMIN$\bfsvc.exe
2 explorer.exe Binaries
\\demo.local\ADMIN$\explorer.exe
\\2012SERVERSCCM.demo.local\ADMIN$\explorer.exe
2 helppane.exe Binaries
\\demo.local\ADMIN$\helppane.exe
\\2012SERVERSCCM.demo.local\ADMIN$\helppane.exe
2 downloaded program files Binaries
\\demo.local\ADMIN$\downloaded program files
\\2012SERVERSCCM.demo.local\ADMIN$\downloaded program files
2 regedit.exe Binaries
\\demo.local\ADMIN$\regedit.exe
\\2012SERVERSCCM.demo.local\ADMIN$\regedit.exe
2 splwow64.exe Binaries
\\demo.local\ADMIN$\splwow64.exe
\\2012SERVERSCCM.demo.local\ADMIN$\splwow64.exe
2 winhlp32.exe Binaries
\\demo.local\ADMIN$\winhlp32.exe
\\2012SERVERSCCM.demo.local\ADMIN$\winhlp32.exe
2 write.exe Binaries
\\demo.local\ADMIN$\write.exe
\\2012SERVERSCCM.demo.local\ADMIN$\write.exe
2 hh.exe Binaries
\\demo.local\ADMIN$\hh.exe
\\2012SERVERSCCM.demo.local\ADMIN$\hh.exe
1 unattend-base64.xml Secret
\\2012SERVERSCCM.demo.local\files\unattend-base64.xml
1 unattend-cleartext.xml Secret
\\2012SERVERSCCM.demo.local\files\unattend-cleartext.xml
1 sysprep.inf Secret
\\2012SERVERSCCM.demo.local\files\sysprep.inf
1 private.crt Secret
\\2012SERVERSCCM.demo.local\files\private.crt
1 sssd.conf Secret
\\2012SERVERSCCM.demo.local\files\sssd.conf
1 smb.conf Secret
\\2012SERVERSCCM.demo.local\files\smb.conf
1 krb5.conf Secret
\\2012SERVERSCCM.demo.local\files\krb5.conf
1 .htpasswd Secret
\\2012SERVERSCCM.demo.local\files\.htpasswd
1 .pgpass Secret
\\2012SERVERSCCM.demo.local\files\.pgpass
1 grub.conf Secret
\\2012SERVERSCCM.demo.local\files\grub.conf
1 .fetchmailrc Secret
\\2012SERVERSCCM.demo.local\files\.fetchmailrc
1 .git-credentials Secret
\\2012SERVERSCCM.demo.local\files\.git-credentials
1 .netrc Secret
\\2012SERVERSCCM.demo.local\files\.netrc
1 printers.xml Secret
\\2012SERVERSCCM.demo.local\files\printers.xml
1 remmina.pref Secret
\\2012SERVERSCCM.demo.local\files\remmina.pref
1 .remmina Secret
\\2012SERVERSCCM.demo.local\files\.remmina
1 en_sql_server_2014_developer_edition_x64_dvd_3940406.iso SystemImage
\\2012SERVERSCCM.demo.local\C$\en_sql_server_2014_developer_edition_x64_dvd_3940406.iso
1 mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso SystemImage
\\2012SERVERSCCM.demo.local\C$\mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso
1 grub.cfg Secret
\\2012SERVERSCCM.demo.local\files\grub.cfg
1 dbvis.xml Secret
\\2012SERVERSCCM.demo.local\files\dbvis.xml
1 services.xml Secret
\\2012SERVERSCCM.demo.local\files\services.xml
1 groups.xml Secret
\\2012SERVERSCCM.demo.local\files\groups.xml
1 context.xml Secret
\\2012SERVERSCCM.demo.local\files\context.xml
1 dbxdrivers.ini Secret
\\2012SERVERSCCM.demo.local\files\dbxdrivers.ini
1 pureftpd.passwd Secret
\\2012SERVERSCCM.demo.local\files\pureftpd.passwd
1 config.xml Secret
\\2012SERVERSCCM.demo.local\files\config.xml
1 jboss-cli.xml Secret
\\2012SERVERSCCM.demo.local\files\jboss-cli.xml
1 machine.config Secret
\\2012SERVERSCCM.demo.local\files\machine.config
1 startup-config.txt Secret
\\2012SERVERSCCM.demo.local\files\startup-config.txt
1 running-config.txt Secret
\\2012SERVERSCCM.demo.local\files\running-config.txt
1 my.cnf Secret
\\2012SERVERSCCM.demo.local\files\my.cnf
1 my.key Secret
\\2012SERVERSCCM.demo.local\files\my.key
1 php.ini Secret
\\2012SERVERSCCM.demo.local\files\php.ini
1 putty.reg Secret
\\2012SERVERSCCM.demo.local\files\putty.reg
1 server.xml Secret
\\2012SERVERSCCM.demo.local\files\server.xml
1 drives.xml Secret
\\2012SERVERSCCM.demo.local\files\drives.xml
1 shadow Secret
\\2012SERVERSCCM.demo.local\files\shadow
1 tnsnames.ora Secret
\\2012SERVERSCCM.demo.local\files\tnsnames.ora
1 tomcat-users.xml Secret
\\2012SERVERSCCM.demo.local\files\tomcat-users.xml
1 sitemanager.xml Secret
\\2012SERVERSCCM.demo.local\files\sitemanager.xml
1 variables.dat Secret
\\2012SERVERSCCM.demo.local\files\variables.dat
1 setting.ini Secret
\\2012SERVERSCCM.demo.local\files\setting.ini
1 winscp.ini Secret
\\2012SERVERSCCM.demo.local\files\winscp.ini
1 wp-config.php Secret
\\2012SERVERSCCM.demo.local\files\wp-config.php
1 app.config Secret
\\2012SERVERSCCM.demo.local\files\app.config
1 web.config Secret
\\2012SERVERSCCM.demo.local\files\web.config
1 example.dtsx Secret
\\2012SERVERSCCM.demo.local\files\example.dtsx
1 example.rdp Secret
\\2012SERVERSCCM.demo.local\files\example.rdp
1 vnc.ini Secret
\\2012SERVERSCCM.demo.local\files\vnc.ini
1 scheduledtasks.xml Secret
\\2012SERVERSCCM.demo.local\files\scheduledtasks.xml
1 standalone.xml Secret
\\2012SERVERSCCM.demo.local\files\standalone.xml
1 bootstrap.ini Secret
\\2012SERVERSCCM.demo.local\files\bootstrap.ini

Summary Report

Testing was conducted between 11/07/2024 08:08:31 and 11/07/2024 08:10:31 to identify network shares configured with excessive privileges hosted on computers joined to the demo.local domain. In total, 13 critical, 6 high, 6 medium, and 22 low risk ACE (Access Control Entry) configurations were discovered across 16 shares, hosted by 2 computers in the demo.local Active Directory domain. Overall, 83 interesting files were found accessible to all domain users that could potentially lead to unauthorized data access or remote code execution. The affected shares were found hosting 53 files that may contain passwords and 0 files that may contain sensitive data. 143 credentials were recovered from 50 of the discovered 53 secrets files.

This section provides a summary of the affected assets, findings, data exposure, share creation timelines, peer comparison and general recommendations.
Finding Exposure Summary
Critical: 13 findings
High: 6 findings
Medium: 6 findings
Low: 22 findings
More details are available in the Networks, Computers, Shares, and ACEs sections.
Data Exposure Summary
Interesting: 83 files found
Sensitive: 0 files found
Secrets: 53 files found
Extracted: 143 secrets (50 files)
More details are available in the Extracted Secrets and Interesting Files sections.
Asset Exposure Summary
47 ACL entries, on 16 shares, hosted by 2 computers were found configured with excessive privileges on the demo.local domain. In this environment, we observed a total of 19 application instances, with 4 unique application names primarily focused on operating systems, configuration management, virtualization, and security. The Windows Operating System had the highest count with 10 instances (52.63% of the total), followed by Microsoft System Center Configuration Manager with 3 instances (15.79% of the total).
Networks: 1 affected
Computers: 2 affected
Shares: 16 affected
ACEs: 47 affected
Note: Application fingerprints were generated using an experimental version of the LLM-based application fingerprinting function. As a result, some application classifications may not be accurate.
Affected Asset Peer Comparison
Below is a comparison between the percent of affected assets in this environment and the average percent of affected assets observed in other environments. The percentage is calculated based on the total number of live assets discovered for each asset type. Based on the volume of ACEs configured with excessive privileges, this environment was less secure compared to the average.
Share Creation Timeline
Below is a time series chart to help provide a sense of when shares were created and at what point critical and high risk shares were introduced into the environment. By reading the chart left to right, you can see that shares were created in this environment between 10/27/1991 and 09/25/2024. You can zoom into any section of the chart by clicking or using the chart controls in the upper right hand corner of the chart. Shares configured with critical risk ACEs were created between 07/26/2012 and 07/26/2012. Shares configured with high risk ACEs were created between 07/26/2012 and 08/05/2020. The red and purple trend lines reflect the cumulative number of critical and high risk shares in the environment so you can easily observe when/if they were introduced. The chart also includes two horizontal lines. The "avg" line shows the average number of created shares and everything above the "+2 Std Dev" line is considered anomalous in the context of this report. 1 anomaly was found, representing a day when share creation counts were twice the standard deviation.
Remediation & Prioritization Recommendations
Remediate share ACEs by risk level, starting with critical and high risks. Review the share creation timeline and share name details from other sections for additional context. Consider remediating multiple ACEs at one time based on natural share groupings to reduce the number of remediation tasks.

Group Examples:
  • Group ACE remediation tasks by folder groups, which contain exactly the same file listing.
  • Group ACE remediation tasks by share names with high similarity scores.
Remediating ACEs by group may reduce remediation tasks by as much as 83% for this environment. The chart below shows the task savings.
More details are available in the Folder Group and Share Names sections.

Computers

This section provides information for computers hosting shares configured with excessive privileges. 13 computers were found in the demo.local Active Directory domain, 2 responded to ping requests, 2 had port 445 open, and 2 were found hosting shares configured with excessive privileges.

Affected Computers
Computer Name: the name of the computer.
Operating System: the operating system of the computer.
Risk Level: reflects the exposure of credentials and sensitive data.
Share Count: the number of shares hosted on the same computer.
Interesting Files: filenames that may be sensitive.
demo.local Windows Server 2012 Standard 22 Critical
\\demo.local\C$
\\demo.local\backup
\\demo.local\inetpub
\\demo.local\sccm
\\demo.local\logs
\\demo.local\sql
\\demo.local\C
\\demo.local\apps
\\demo.local\wwwroot
\\demo.local\ADMIN$
system
backup
backup
bfsvc.exe
explorer.exe
helppane.exe
hh.exe
regedit.exe
splwow64.exe
winhlp32.exe
write.exe
program files
program files
program files
program files (x86)
program files (x86)
downloaded program files
2012SERVERSCCM.demo.local Windows Server 2012 Standard 24 Critical
\\2012SERVERSCCM.demo.local\C$
\\2012SERVERSCCM.demo.local\ADMIN$
\\2012SERVERSCCM.demo.local\CtxSTShare
\\2012SERVERSCCM.demo.local\files
\\2012SERVERSCCM.demo.local\REMINST
\\2012SERVERSCCM.demo.local\SophosUpdate
bootstrap.ini
context.xml
dbxdrivers.ini
pureftpd.passwd
config.xml
jboss-cli.xml
machine.config
startup-config.txt
running-config.txt
my.cnf
my.key
php.ini
putty.reg
system
system
server.xml
shadow
standalone.xml
tnsnames.ora
tomcat-users.xml
sitemanager.xml
variables.dat
setting.ini
winscp.ini
wp-config.php
app.config
web.config
example.dtsx
example.rdp
vnc.ini
scheduledtasks.xml
groups.xml
drives.xml
services.xml
printers.xml
unattend-base64.xml
unattend-cleartext.xml
sysprep.inf
private.crt
sssd.conf
smb.conf
krb5.conf
.htpasswd
.pgpass
grub.cfg
grub.conf
.fetchmailrc
.git-credentials
.netrc
dbvis.xml
remmina.pref
.remmina
en_sql_server_2014_developer_edition_x64_dvd_3940406.iso
mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso
bfsvc.exe
explorer.exe
helppane.exe
hh.exe
regedit.exe
splwow64.exe
winhlp32.exe
write.exe
program files
program files
program files (x86)
downloaded program files

Identities

This section provides the affected identities. 3 identities were discovered across shares in the demo.local Active Directory domain. 2 were owners and 1 was assigned privileges.

Note: Within the context of this report, all read and write access granted to the "Everyone", "Authenticated Users", "BUILTIN\Users", "Domain Users", or "Domain Computers" groups is considered excessive, because all of these groups provide domain users access to the affected shares due to privilege inheritance.

Affected Identities
Identities Assigned Ownership
Identities Assigned Privileges
Identity Owned Shares Accessible Shares Low Risk Shares Medium Risk Shares High Risk Shares Critical Risk Shares
BUILTIN\Administrators 34
0 0 0 0
BUILTIN\Users 0
\\demo.local\C$
\\demo.local\backup
\\demo.local\inetpub
\\demo.local\sccm
\\demo.local\logs
\\demo.local\sql
\\demo.local\C
\\demo.local\apps
\\demo.local\wwwroot
\\2012SERVERSCCM.demo.local\C$
\\demo.local\ADMIN$
\\2012SERVERSCCM.demo.local\ADMIN$
\\2012SERVERSCCM.demo.local\CtxSTShare
\\2012SERVERSCCM.demo.local\files
\\2012SERVERSCCM.demo.local\REMINST
\\2012SERVERSCCM.demo.local\SophosUpdate
8 2 4 7
NT SERVICE\TrustedInstaller 13
0 0 0 0

Insecure ACEs

This section provides the ACEs (access control entries) configured with excessive privileges found in the demo.local Active Directory domain.

Affected ACEs
47  
Risk Level Computer Share Name FileSystemRight Identity Share Owner Creation Date Last Modified Files
20 Critical demo.local C$
\\demo.local\C$
AppendData/AddSubdirectory BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:32:51 AM 11/6/2024 5:26:55 PM
apps
backup
inetpub
logs
PerfLogs
Program Files
Program Files (x86)
sccm
sql
Users
Windows
wwwroot

22 Critical demo.local C$
\\demo.local\C$
WriteData/AddFile BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:32:51 AM 11/6/2024 5:26:55 PM
apps
backup
inetpub
logs
PerfLogs
Program Files
Program Files (x86)
sccm
sql
Users
Windows
wwwroot

18 High demo.local C$
\\demo.local\C$
Read BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:32:51 AM 11/6/2024 5:26:55 PM
apps
backup
inetpub
logs
PerfLogs
Program Files
Program Files (x86)
sccm
sql
Users
Windows
wwwroot

1 Low demo.local backup
\\demo.local\backup
Read BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

3 Low demo.local backup
\\demo.local\backup
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

3 Low demo.local backup
\\demo.local\backup
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

17 High demo.local inetpub
\\demo.local\inetpub
Read BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

19 High demo.local inetpub
\\demo.local\inetpub
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

21 Critical demo.local inetpub
\\demo.local\inetpub
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

1 Low demo.local sccm
\\demo.local\sccm
Read BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

3 Low demo.local sccm
\\demo.local\sccm
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

3 Low demo.local sccm
\\demo.local\sccm
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

1 Low demo.local logs
\\demo.local\logs
Read BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

3 Low demo.local logs
\\demo.local\logs
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

3 Low demo.local logs
\\demo.local\logs
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

1 Low demo.local sql
\\demo.local\sql
Read BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

3 Low demo.local sql
\\demo.local\sql
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

3 Low demo.local sql
\\demo.local\sql
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

20 Critical demo.local C
\\demo.local\C
AppendData/AddSubdirectory BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:32:51 AM 11/6/2024 5:26:55 PM
apps
backup
inetpub
logs
PerfLogs
Program Files
Program Files (x86)
sccm
sql
Users
Windows
wwwroot

22 Critical demo.local C
\\demo.local\C
WriteData/AddFile BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:32:51 AM 11/6/2024 5:26:55 PM
apps
backup
inetpub
logs
PerfLogs
Program Files
Program Files (x86)
sccm
sql
Users
Windows
wwwroot

18 High demo.local C
\\demo.local\C
Read BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:32:51 AM 11/6/2024 5:26:55 PM
apps
backup
inetpub
logs
PerfLogs
Program Files
Program Files (x86)
sccm
sql
Users
Windows
wwwroot

1 Low demo.local apps
\\demo.local\apps
Read BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

3 Low demo.local apps
\\demo.local\apps
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

3 Low demo.local apps
\\demo.local\apps
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 7/26/2012 6:00:00 PM 7/26/2012 6:00:00 PM

17 High demo.local wwwroot
\\demo.local\wwwroot
Read BUILTIN\Users BUILTIN\Administrators 8/5/2020 6:00:00 PM 8/5/2020 6:00:00 PM

19 High demo.local wwwroot
\\demo.local\wwwroot
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 8/5/2020 6:00:00 PM 8/5/2020 6:00:00 PM

21 Critical demo.local wwwroot
\\demo.local\wwwroot
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 8/5/2020 6:00:00 PM 8/5/2020 6:00:00 PM

22 Critical 2012SERVERSCCM.demo.local C$
\\2012SERVERSCCM.demo.local\C$
AppendData/AddSubdirectory BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:32:51 AM 11/6/2024 6:35:55 AM
CTXProfiles
CtxSTShare
files
inetpub
PerfLogs
Program Files
Program Files (x86)
REMINST
SophosUpdate
Users
Windows
en_sql_server_2014_developer_edition_x64_dvd_3940406.iso
mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso
sccm-key.txt

24 Critical 2012SERVERSCCM.demo.local C$
\\2012SERVERSCCM.demo.local\C$
WriteData/AddFile BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:32:51 AM 11/6/2024 6:35:55 AM
CTXProfiles
CtxSTShare
files
inetpub
PerfLogs
Program Files
Program Files (x86)
REMINST
SophosUpdate
Users
Windows
en_sql_server_2014_developer_edition_x64_dvd_3940406.iso
mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso
sccm-key.txt

20 Critical 2012SERVERSCCM.demo.local C$
\\2012SERVERSCCM.demo.local\C$
Read BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:32:51 AM 11/6/2024 6:35:55 AM
CTXProfiles
CtxSTShare
files
inetpub
PerfLogs
Program Files
Program Files (x86)
REMINST
SophosUpdate
Users
Windows
en_sql_server_2014_developer_edition_x64_dvd_3940406.iso
mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso
sccm-key.txt

20 Critical demo.local ADMIN$
\\demo.local\ADMIN$
GenericExecute,GenericRead BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:37:59 AM 5/8/2024 9:32:57 PM
ADAM
ADWS
AppCompat
apppatch
assembly
AUInstallAgent
Boot
Branding
CbsTemp
Cursors
debug
DesktopTileResources
diagnostics
DigitalLocker
Downloaded Program Files
drivers
en-US
Fonts
Globalization
Help
IME
Inf
L2Schemas
LiveKernelReports
Logs
media
Microsoft.NET
ModemLogs
NTDS
Offline Web Pages
Panther
PLA
PolicyDefinitions
Provisioning
Registration
RemotePackages
rescache
Resources
SchCache
schemas
security
ServiceProfiles
servicing
Setup
SoftwareDistribution
Speech
System
System32
SYSVOL
SysWOW64
TAPI
Tasks
Temp
ToastData
tracing
Vss
Web
WinSxS
bfsvc.exe
bootstat.dat
DtcInstall.log
explorer.exe
HelpPane.exe
hh.exe
mib.bin
PFRO.log
regedit.exe
ServerStandard.xml
ServerWeb.xml
setupact.log
setuperr.log
splwow64.exe
system.ini
vmgcoinstall.log
win.ini
WindowsUpdate.log
winhlp32.exe
write.exe

20 Critical demo.local ADMIN$
\\demo.local\ADMIN$
Read BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:37:59 AM 5/8/2024 9:32:57 PM
ADAM
ADWS
AppCompat
apppatch
assembly
AUInstallAgent
Boot
Branding
CbsTemp
Cursors
debug
DesktopTileResources
diagnostics
DigitalLocker
Downloaded Program Files
drivers
en-US
Fonts
Globalization
Help
IME
Inf
L2Schemas
LiveKernelReports
Logs
media
Microsoft.NET
ModemLogs
NTDS
Offline Web Pages
Panther
PLA
PolicyDefinitions
Provisioning
Registration
RemotePackages
rescache
Resources
SchCache
schemas
security
ServiceProfiles
servicing
Setup
SoftwareDistribution
Speech
System
System32
SYSVOL
SysWOW64
TAPI
Tasks
Temp
ToastData
tracing
Vss
Web
WinSxS
bfsvc.exe
bootstat.dat
DtcInstall.log
explorer.exe
HelpPane.exe
hh.exe
mib.bin
PFRO.log
regedit.exe
ServerStandard.xml
ServerWeb.xml
setupact.log
setuperr.log
splwow64.exe
system.ini
vmgcoinstall.log
win.ini
WindowsUpdate.log
winhlp32.exe
write.exe

20 Critical 2012SERVERSCCM.demo.local ADMIN$
\\2012SERVERSCCM.demo.local\ADMIN$
GenericExecute,GenericRead BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:37:59 AM 9/24/2024 4:16:42 PM
AppCompat
apppatch
assembly
AUInstallAgent
Boot
Branding
CbsTemp
Cursors
debug
DesktopTileResources
diagnostics
DigitalLocker
Downloaded Program Files
drivers
en-US
Fonts
Globalization
Help
IME
Inf
L2Schemas
LiveKernelReports
Logs
media
Microsoft.NET
ModemLogs
Offline Web Pages
Panther
PLA
PolicyDefinitions
Provisioning
Registration
RemotePackages
rescache
Resources
SchCache
schemas
security
ServiceProfiles
servicing
Setup
SoftwareDistribution
Speech
System
System32
SysWOW64
TAPI
Tasks
Temp
ToastData
tracing
Vss
Web
WinSxS
bfsvc.exe
bootstat.dat
DtcInstall.log
explorer.exe
HelpPane.exe
hh.exe
iis.log
mib.bin
PFRO.log
regedit.exe
ServerStandard.xml
ServerWeb.xml
setupact.log
setuperr.log
splwow64.exe
system.ini
vmgcoinstall.log
win.ini
WindowsUpdate.log
winhlp32.exe
write.exe

20 Critical 2012SERVERSCCM.demo.local ADMIN$
\\2012SERVERSCCM.demo.local\ADMIN$
Read BUILTIN\Users NT SERVICE\TrustedInstaller 7/26/2012 12:37:59 AM 9/24/2024 4:16:42 PM
AppCompat
apppatch
assembly
AUInstallAgent
Boot
Branding
CbsTemp
Cursors
debug
DesktopTileResources
diagnostics
DigitalLocker
Downloaded Program Files
drivers
en-US
Fonts
Globalization
Help
IME
Inf
L2Schemas
LiveKernelReports
Logs
media
Microsoft.NET
ModemLogs
Offline Web Pages
Panther
PLA
PolicyDefinitions
Provisioning
Registration
RemotePackages
rescache
Resources
SchCache
schemas
security
ServiceProfiles
servicing
Setup
SoftwareDistribution
Speech
System
System32
SysWOW64
TAPI
Tasks
Temp
ToastData
tracing
Vss
Web
WinSxS
bfsvc.exe
bootstat.dat
DtcInstall.log
explorer.exe
HelpPane.exe
hh.exe
iis.log
mib.bin
PFRO.log
regedit.exe
ServerStandard.xml
ServerWeb.xml
setupact.log
setuperr.log
splwow64.exe
system.ini
vmgcoinstall.log
win.ini
WindowsUpdate.log
winhlp32.exe
write.exe

3 Low 2012SERVERSCCM.demo.local CtxSTShare
\\2012SERVERSCCM.demo.local\CtxSTShare
Read BUILTIN\Users BUILTIN\Administrators 10/27/1991 11:01:00 PM 10/27/1991 11:01:00 PM
testfile2.txt.txt

5 Medium 2012SERVERSCCM.demo.local CtxSTShare
\\2012SERVERSCCM.demo.local\CtxSTShare
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 10/27/1991 11:01:00 PM 10/27/1991 11:01:00 PM
testfile2.txt.txt

5 Medium 2012SERVERSCCM.demo.local CtxSTShare
\\2012SERVERSCCM.demo.local\CtxSTShare
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 10/27/1991 11:01:00 PM 10/27/1991 11:01:00 PM
testfile2.txt.txt

6 Medium 2012SERVERSCCM.demo.local files
\\2012SERVERSCCM.demo.local\files
Read BUILTIN\Users BUILTIN\Administrators 9/25/2024 7:31:43 AM 10/7/2024 7:58:23 AM
things
.fetchmailrc
.git-credentials
.htpasswd
.netrc
.pgpass
.remmina
app.config
bootstrap.ini
config.xml
context.xml
DataSources.xml
dbvis.xml
dbxdrivers.ini
Drives.xml
example.dtsx
example.rdp
Groups.xml
grub.cfg
grub.conf
jboss-cli.xml
krb5.conf
machine.config
my.cnf
my.key
php.ini
Printers.xml
private.crt
pureftpd.passwd
putty.reg
remmina.pref
running-config.txt
ScheduledTasks.xml
server.xml
Services.xml
setting.ini
shadow
SiteManager.xml
smb.conf
sssd.conf
standalone.xml
startup-config.txt
sysprep.inf
tnsnames.ora
tomcat-users.xml
unattend-base64.xml
unattend-cleartext.xml
variables.dat
vnc.ini
web.config
WinSCP.ini
wp-config.php

6 Medium 2012SERVERSCCM.demo.local files
\\2012SERVERSCCM.demo.local\files
Read BUILTIN\Users BUILTIN\Administrators 9/25/2024 7:31:43 AM 10/7/2024 7:58:23 AM
things
.fetchmailrc
.git-credentials
.htpasswd
.netrc
.pgpass
.remmina
app.config
bootstrap.ini
config.xml
context.xml
DataSources.xml
dbvis.xml
dbxdrivers.ini
Drives.xml
example.dtsx
example.rdp
Groups.xml
grub.cfg
grub.conf
jboss-cli.xml
krb5.conf
machine.config
my.cnf
my.key
php.ini
Printers.xml
private.crt
pureftpd.passwd
putty.reg
remmina.pref
running-config.txt
ScheduledTasks.xml
server.xml
Services.xml
setting.ini
shadow
SiteManager.xml
smb.conf
sssd.conf
standalone.xml
startup-config.txt
sysprep.inf
tnsnames.ora
tomcat-users.xml
unattend-base64.xml
unattend-cleartext.xml
variables.dat
vnc.ini
web.config
WinSCP.ini
wp-config.php

8 Medium 2012SERVERSCCM.demo.local files
\\2012SERVERSCCM.demo.local\files
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 9/25/2024 7:31:43 AM 10/7/2024 7:58:23 AM
things
.fetchmailrc
.git-credentials
.htpasswd
.netrc
.pgpass
.remmina
app.config
bootstrap.ini
config.xml
context.xml
DataSources.xml
dbvis.xml
dbxdrivers.ini
Drives.xml
example.dtsx
example.rdp
Groups.xml
grub.cfg
grub.conf
jboss-cli.xml
krb5.conf
machine.config
my.cnf
my.key
php.ini
Printers.xml
private.crt
pureftpd.passwd
putty.reg
remmina.pref
running-config.txt
ScheduledTasks.xml
server.xml
Services.xml
setting.ini
shadow
SiteManager.xml
smb.conf
sssd.conf
standalone.xml
startup-config.txt
sysprep.inf
tnsnames.ora
tomcat-users.xml
unattend-base64.xml
unattend-cleartext.xml
variables.dat
vnc.ini
web.config
WinSCP.ini
wp-config.php

8 Medium 2012SERVERSCCM.demo.local files
\\2012SERVERSCCM.demo.local\files
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 9/25/2024 7:31:43 AM 10/7/2024 7:58:23 AM
things
.fetchmailrc
.git-credentials
.htpasswd
.netrc
.pgpass
.remmina
app.config
bootstrap.ini
config.xml
context.xml
DataSources.xml
dbvis.xml
dbxdrivers.ini
Drives.xml
example.dtsx
example.rdp
Groups.xml
grub.cfg
grub.conf
jboss-cli.xml
krb5.conf
machine.config
my.cnf
my.key
php.ini
Printers.xml
private.crt
pureftpd.passwd
putty.reg
remmina.pref
running-config.txt
ScheduledTasks.xml
server.xml
Services.xml
setting.ini
shadow
SiteManager.xml
smb.conf
sssd.conf
standalone.xml
startup-config.txt
sysprep.inf
tnsnames.ora
tomcat-users.xml
unattend-base64.xml
unattend-cleartext.xml
variables.dat
vnc.ini
web.config
WinSCP.ini
wp-config.php

1 Low 2012SERVERSCCM.demo.local REMINST
\\2012SERVERSCCM.demo.local\REMINST
Read BUILTIN\Users BUILTIN\Administrators 4/8/2014 11:01:00 PM 4/8/2014 11:01:00 PM

3 Low 2012SERVERSCCM.demo.local REMINST
\\2012SERVERSCCM.demo.local\REMINST
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 4/8/2014 11:01:00 PM 4/8/2014 11:01:00 PM

3 Low 2012SERVERSCCM.demo.local REMINST
\\2012SERVERSCCM.demo.local\REMINST
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 4/8/2014 11:01:00 PM 4/8/2014 11:01:00 PM

2 Low 2012SERVERSCCM.demo.local SophosUpdate
\\2012SERVERSCCM.demo.local\SophosUpdate
Read BUILTIN\Users BUILTIN\Administrators 9/1/2001 11:01:00 PM 9/1/2001 11:01:00 PM
testfile.txt.txt

4 Low 2012SERVERSCCM.demo.local SophosUpdate
\\2012SERVERSCCM.demo.local\SophosUpdate
AppendData/AddSubdirectory BUILTIN\Users BUILTIN\Administrators 9/1/2001 11:01:00 PM 9/1/2001 11:01:00 PM
testfile.txt.txt

4 Low 2012SERVERSCCM.demo.local SophosUpdate
\\2012SERVERSCCM.demo.local\SophosUpdate
WriteData/AddFile BUILTIN\Users BUILTIN\Administrators 9/1/2001 11:01:00 PM 9/1/2001 11:01:00 PM
testfile.txt.txt

Computer Summary

This section provides a summary of the domain computers that were targeted, connectivity to them, and the number that are hosting potentially insecure SMB shares.

Description Percent Computers
DISCOVERED 100.00% 13
PING RESPONSE 15.38% 2
PORT 445 OPEN 15.38% 2
HOST SHARE 15.38% 2
HOST NON-DEFAULT SHARE 15.38% 2
HOST POTENTIALLY INSECURE SHARE 15.38% 2
HOST READABLE SHARE 15.38% 2
HOST WRITEABLE SHARE 15.38% 2
HOST HIGH RISK SHARE 15.38% 2

Share Summary

Below is a summary of the SMB shares discovered on domain computers that may provide excessive privileges to standard domain users.
Description Percent Shares
DISCOVERED 100.00% 21
NON-DEFAULT 90.48% 19
POTENTIALLY EXCESSIVE 76.19% 16
READ ACCESS 76.19% 16
WRITE ACCESS 66.67% 14
HIGH RISK 33.33% 7
Note: All Windows systems have a c$ and admin$ share configured by default. As a result, the number of visible shares should be (at a minimum) double the number of the computers found with port 445 open. In this case, 2 computers were found with port 445 open, so we would expect to discover approximately 4 or more shares.

Share ACL Entry Summary

Below is a summary of the SMB share ACL entries discovered on domain computers that may provide excessive privileges to standard domain users.
Description Percent ACLs
DISCOVERED 100.00% 127
NON-DEFAULT 100.00% 127
POTENTIALLY EXCESSIVE 37.01% 47
READ ACCESS 14.96% 19
WRITE ACCESS 11.02% 14
HIGH RISK 14.96% 19

Group ACL Summary

In the context of this report, excessive read and write share permissions have been defined as any network share ACL containing an explicit entry for the "Everyone", "Authenticated Users", "BUILTIN\Users", "Domain Users", or "Domain Computers" groups. All provide domain users access to the affected shares due to privilege inheritance. Below is a summary of the exposure associated with each of those groups.
Name Excessive ACL Entries Affected Computers Affected Shares Affected ACLs
Everyone Read: 0, Write: 0, High Risk: 0 0.00% (0 of 13) 0.00% (0 of 21) 0.00% (0 of 127)
BUILTIN\Users Read: 19, Write: 14, High Risk: 19 37.01% (2 of 13) 76.19% (16 of 21) 15.38% (47 of 127)
Authenticated Users Read: 0, Write: 0, High Risk: 0 0.00% (0 of 13) 0.00% (0 of 21) 0.00% (0 of 127)
Domain Users Read: 0, Write: 0, High Risk: 0 0.00% (0 of 13) 0.00% (0 of 21) 0.00% (0 of 127)
Domain Computers Read: 0, Write: 0, High Risk: 0 0.00% (0 of 13) 0.00% (0 of 21) 0.00% (0 of 127)

Share Names

This section provides a summary and list of the affected shares grouped by name. 21 shares were discovered across 2 live computers in the demo.local Active Directory domain. 16 of those shares were found configured with excessive privileges across 2 computers.

Affected Shares Names
16  
(14 unique names)
Share Count: the number of unique shares with the same name.
Share Name: the name of a collection of shares with the same name.
Risk Level: reflects the exposure of credentials and sensitive data.
Share Similarity: scores reflect how likely it is that the shares are related to each other.
Folder Groups: groups of shares that have the same name and file listing.
Common Files: file names that exist in 10% or more of the file groups.
Interesting Files: filenames that may be sensitive.
\\demo.local\C$
\\2012SERVERSCCM.demo.local\C$
Sample Description
Default share

Share Context Guess
The C$ may be associated with the Windows Admin Share. An administrative share for remote management. C$ is a default administrative share in Windows. C:\Windows\System32 is the expected local path.

LLM Application Guess
Windows Operating System, Microsoft System Center Configuration Manager

Affected Assets
Computers: 2 of 13 (15.38%)
Shares: 2 of 21 (9.52%)
ACLs: 6 of 127 (4.72%)


Timeline Context
First Created:  07/26/2012
Last Created:  07/26/2012
Last Mod:  11/06/2024


Owners (1)
NT SERVICE\TrustedInstaller
Risk Summary
HE: 100% (2)
Write: 100% (2)
Read: 100% (2)
Stale: 100% (2)
Empty: 0% (0)
Default: Yes
Sensitive: 0
Secrets: 1
Final Score: 84%
File Name Coverage: 100%
Folder Group Coverage: 40%
Share Property Coverage: 40%

---
File Name Metrics
FG Coverage  10%: 1
FG Coverage  20%: 1
FG Coverage  30%: 1
FG Coverage  40%: 1
FG Coverage  51%: 1
FG Coverage  60%: 1
FG Coverage  70%: 1
FG Coverage  80%: 1
FG Coverage  90%: 1
FG Coverage 100%: 1


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 0
1 FG  60%/shares: 0
1 FG  70%/shares: 0
1 FG  80%/shares: 0
1 FG  90%/shares: 0
1 FG 100%/shares: 0


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 0.50


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 0.50
All Descriptions Match: 1
apps
backup
inetpub
logs
PerfLogs
Program Files
Program Files (x86)
sccm
sql
Users
Windows
wwwroot
CTXProfiles
CtxSTShare
files
inetpub
PerfLogs
Program Files
Program Files (x86)
REMINST
SophosUpdate
Users
Windows
en_sql_server_2014_developer_edition_x64_dvd_3940406.iso
mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso
sccm-key.txt
Users 100% (2)
inetpub 100% (2)
PerfLogs 100% (2)
Program Files 100% (2)
Program Files (x86) 100% (2)
Windows 100% (2)
system
en_sql_server_2014_developer_edition_x64_dvd_3940406.iso
mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso
backup
program files
program files (x86)
\\demo.local\ADMIN$
\\2012SERVERSCCM.demo.local\ADMIN$
Sample Description
Remote Admin

Share Context Guess
The ADMIN$ may be associated with the Windows Admin Share. An administrative share for remote management. ADMIN$ is a default administrative share in Windows. C:\Windows\ is the expected local path.

LLM Application Guess
Microsoft Windows Operating System, Microsoft Windows

Affected Assets
Computers: 2 of 13 (15.38%)
Shares: 2 of 21 (9.52%)
ACLs: 4 of 127 (3.15%)


Timeline Context
First Created:  07/26/2012
Last Created:  07/26/2012
Last Mod:  09/24/2024


Owners (1)
NT SERVICE\TrustedInstaller
Risk Summary
HE: 100% (2)
Write: 0% (0)
Read: 100% (2)
Stale: 100% (2)
Empty: 0% (0)
Default: Yes
Sensitive: 0
Secrets: 2
Final Score: 84%
File Name Coverage: 100%
Folder Group Coverage: 40%
Share Property Coverage: 40%

---
File Name Metrics
FG Coverage  10%: 1
FG Coverage  20%: 1
FG Coverage  30%: 1
FG Coverage  40%: 1
FG Coverage  51%: 1
FG Coverage  60%: 1
FG Coverage  70%: 1
FG Coverage  80%: 1
FG Coverage  90%: 1
FG Coverage 100%: 1


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 0
1 FG  60%/shares: 0
1 FG  70%/shares: 0
1 FG  80%/shares: 0
1 FG  90%/shares: 0
1 FG 100%/shares: 0


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 0.50


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 0.50
All Descriptions Match: 1
ADAM
ADWS
AppCompat
apppatch
assembly
AUInstallAgent
Boot
Branding
CbsTemp
Cursors
debug
DesktopTileResources
diagnostics
DigitalLocker
Downloaded Program Files
drivers
en-US
Fonts
Globalization
Help
IME
Inf
L2Schemas
LiveKernelReports
Logs
media
Microsoft.NET
ModemLogs
NTDS
Offline Web Pages
Panther
PLA
PolicyDefinitions
Provisioning
Registration
RemotePackages
rescache
Resources
SchCache
schemas
security
ServiceProfiles
servicing
Setup
SoftwareDistribution
Speech
System
System32
SYSVOL
SysWOW64
TAPI
Tasks
Temp
ToastData
tracing
Vss
Web
WinSxS
bfsvc.exe
bootstat.dat
DtcInstall.log
explorer.exe
HelpPane.exe
hh.exe
mib.bin
PFRO.log
regedit.exe
ServerStandard.xml
ServerWeb.xml
setupact.log
setuperr.log
splwow64.exe
system.ini
vmgcoinstall.log
win.ini
WindowsUpdate.log
winhlp32.exe
write.exe
AppCompat
apppatch
assembly
AUInstallAgent
Boot
Branding
CbsTemp
Cursors
debug
DesktopTileResources
diagnostics
DigitalLocker
Downloaded Program Files
drivers
en-US
Fonts
Globalization
Help
IME
Inf
L2Schemas
LiveKernelReports
Logs
media
Microsoft.NET
ModemLogs
Offline Web Pages
Panther
PLA
PolicyDefinitions
Provisioning
Registration
RemotePackages
rescache
Resources
SchCache
schemas
security
ServiceProfiles
servicing
Setup
SoftwareDistribution
Speech
System
System32
SysWOW64
TAPI
Tasks
Temp
ToastData
tracing
Vss
Web
WinSxS
bfsvc.exe
bootstat.dat
DtcInstall.log
explorer.exe
HelpPane.exe
hh.exe
iis.log
mib.bin
PFRO.log
regedit.exe
ServerStandard.xml
ServerWeb.xml
setupact.log
setuperr.log
splwow64.exe
system.ini
vmgcoinstall.log
win.ini
WindowsUpdate.log
winhlp32.exe
write.exe
schemas 100% (2)
Temp 100% (2)
Tasks 100% (2)
TAPI 100% (2)
SysWOW64 100% (2)
win.ini 100% (2)
System32 100% (2)
ToastData 100% (2)
System 100% (2)
SoftwareDistribution 100% (2)
Setup 100% (2)
servicing 100% (2)
ServiceProfiles 100% (2)
security 100% (2)
write.exe 100% (2)
Speech 100% (2)
tracing 100% (2)
Vss 100% (2)
Web 100% (2)
splwow64.exe 100% (2)
setuperr.log 100% (2)
setupact.log 100% (2)
ServerWeb.xml 100% (2)
ServerStandard.xml 100% (2)
regedit.exe 100% (2)
PFRO.log 100% (2)
mib.bin 100% (2)
hh.exe 100% (2)
HelpPane.exe 100% (2)
explorer.exe 100% (2)
DtcInstall.log 100% (2)
bootstat.dat 100% (2)
bfsvc.exe 100% (2)
WinSxS 100% (2)
SchCache 100% (2)
Resources 100% (2)
rescache 100% (2)
RemotePackages 100% (2)
drivers 100% (2)
Downloaded Program Files 100% (2)
DigitalLocker 100% (2)
diagnostics 100% (2)
DesktopTileResources 100% (2)
debug 100% (2)
Cursors 100% (2)
CbsTemp 100% (2)
Branding 100% (2)
Boot 100% (2)
AUInstallAgent 100% (2)
assembly 100% (2)
apppatch 100% (2)
AppCompat 100% (2)
winhlp32.exe 100% (2)
en-US 100% (2)
system.ini 100% (2)
Fonts 100% (2)
Help 100% (2)
Registration 100% (2)
Provisioning 100% (2)
PolicyDefinitions 100% (2)
PLA 100% (2)
Panther 100% (2)
Offline Web Pages 100% (2)
WindowsUpdate.log 100% (2)
ModemLogs 100% (2)
Microsoft.NET 100% (2)
media 100% (2)
Logs 100% (2)
LiveKernelReports 100% (2)
L2Schemas 100% (2)
Inf 100% (2)
IME 100% (2)
Globalization 100% (2)
vmgcoinstall.log 100% (2)
system
bfsvc.exe
explorer.exe
helppane.exe
hh.exe
regedit.exe
splwow64.exe
winhlp32.exe
write.exe
program files
downloaded program files
\\demo.local\backup
Share Context Guess
None

LLM Application Guess
Unknown

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  07/26/2012
Last Created:  07/26/2012
Last Mod:  07/26/2012


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 0% (0)
Write: 100% (1)
Read: 100% (1)
Stale: 100% (1)
Empty: 100% (1)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 0%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 0
FG Coverage  20%: 0
FG Coverage  30%: 0
FG Coverage  40%: 0
FG Coverage  51%: 0
FG Coverage  60%: 0
FG Coverage  70%: 0
FG Coverage  80%: 0
FG Coverage  90%: 0
FG Coverage 100%: 0


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
\\demo.local\inetpub
Share Context Guess
The Inetpub may be associated with Internet Publishing. Directory for web server files (IIS). Standard directory for Internet Information Services (IIS). Referenced: https://docs.microsoft.com/en-us/iis/. C:\Inetpub\ is the expected local path.

LLM Application Guess
Unknown

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  07/26/2012
Last Created:  07/26/2012
Last Mod:  07/26/2012


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 100% (1)
Write: 100% (1)
Read: 100% (1)
Stale: 100% (1)
Empty: 100% (1)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 0%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 0
FG Coverage  20%: 0
FG Coverage  30%: 0
FG Coverage  40%: 0
FG Coverage  51%: 0
FG Coverage  60%: 0
FG Coverage  70%: 0
FG Coverage  80%: 0
FG Coverage  90%: 0
FG Coverage 100%: 0


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
\\demo.local\sccm
Share Context Guess
The SCCM may be associated with System Center Configuration Manager. Microsoft System Center Configuration Manager. Directory used by Microsoft System Center Configuration Manager. Referenced: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/the-content-library. C:\Program Files\Microsoft Configuration Manager\ is the expected local path.

LLM Application Guess
Unknown

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  07/26/2012
Last Created:  07/26/2012
Last Mod:  07/26/2012


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 0% (0)
Write: 100% (1)
Read: 100% (1)
Stale: 100% (1)
Empty: 100% (1)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 0%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 0
FG Coverage  20%: 0
FG Coverage  30%: 0
FG Coverage  40%: 0
FG Coverage  51%: 0
FG Coverage  60%: 0
FG Coverage  70%: 0
FG Coverage  80%: 0
FG Coverage  90%: 0
FG Coverage 100%: 0


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
\\demo.local\logs
Share Context Guess
None

LLM Application Guess
Unknown

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  07/26/2012
Last Created:  07/26/2012
Last Mod:  07/26/2012


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 0% (0)
Write: 100% (1)
Read: 100% (1)
Stale: 100% (1)
Empty: 100% (1)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 0%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 0
FG Coverage  20%: 0
FG Coverage  30%: 0
FG Coverage  40%: 0
FG Coverage  51%: 0
FG Coverage  60%: 0
FG Coverage  70%: 0
FG Coverage  80%: 0
FG Coverage  90%: 0
FG Coverage 100%: 0


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
\\demo.local\sql
Share Context Guess
None

LLM Application Guess
Unknown

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  07/26/2012
Last Created:  07/26/2012
Last Mod:  07/26/2012


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 0% (0)
Write: 100% (1)
Read: 100% (1)
Stale: 100% (1)
Empty: 100% (1)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 0%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 0
FG Coverage  20%: 0
FG Coverage  30%: 0
FG Coverage  40%: 0
FG Coverage  51%: 0
FG Coverage  60%: 0
FG Coverage  70%: 0
FG Coverage  80%: 0
FG Coverage  90%: 0
FG Coverage 100%: 0


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
\\demo.local\C
Share Context Guess
None

LLM Application Guess
Windows

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  07/26/2012
Last Created:  07/26/2012
Last Mod:  11/06/2024


Owners (1)
NT SERVICE\TrustedInstaller
Risk Summary
HE: 100% (1)
Write: 100% (1)
Read: 100% (1)
Stale: 100% (1)
Empty: 0% (0)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 100%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 1
FG Coverage  20%: 1
FG Coverage  30%: 1
FG Coverage  40%: 1
FG Coverage  51%: 1
FG Coverage  60%: 1
FG Coverage  70%: 1
FG Coverage  80%: 1
FG Coverage  90%: 1
FG Coverage 100%: 1


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
apps
backup
inetpub
logs
PerfLogs
Program Files
Program Files (x86)
sccm
sql
Users
Windows
wwwroot
apps 100% (1)
backup 100% (1)
inetpub 100% (1)
logs 100% (1)
PerfLogs 100% (1)
Program Files 100% (1)
Program Files (x86) 100% (1)
sccm 100% (1)
sql 100% (1)
Users 100% (1)
Windows 100% (1)
wwwroot 100% (1)
backup
program files
program files (x86)
\\demo.local\apps
Share Context Guess
None

LLM Application Guess
Unknown

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  07/26/2012
Last Created:  07/26/2012
Last Mod:  07/26/2012


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 0% (0)
Write: 100% (1)
Read: 100% (1)
Stale: 100% (1)
Empty: 100% (1)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 0%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 0
FG Coverage  20%: 0
FG Coverage  30%: 0
FG Coverage  40%: 0
FG Coverage  51%: 0
FG Coverage  60%: 0
FG Coverage  70%: 0
FG Coverage  80%: 0
FG Coverage  90%: 0
FG Coverage 100%: 0


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
\\demo.local\wwwroot
Share Context Guess
The wwwroot may be associated with Web Server Root. Root directory for web server files. Referenced: https://docs.microsoft.com/. C:\inetpub\wwwroot\ is the expected local path.

LLM Application Guess
Unknown

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  08/05/2020
Last Created:  08/05/2020
Last Mod:  08/05/2020


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 100% (1)
Write: 100% (1)
Read: 100% (1)
Stale: 100% (1)
Empty: 100% (1)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 0%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 0
FG Coverage  20%: 0
FG Coverage  30%: 0
FG Coverage  40%: 0
FG Coverage  51%: 0
FG Coverage  60%: 0
FG Coverage  70%: 0
FG Coverage  80%: 0
FG Coverage  90%: 0
FG Coverage 100%: 0


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
\\2012SERVERSCCM.demo.local\CtxSTShare
Share Context Guess
The CtxSTShare may be associated with Citrix Streaming Service Share. Used by Citrix Streaming Service for application delivery. The prefix 'Ctx' indicates Citrix-related shares. STShare might stand for Streaming Service Share. C:\ProgramData\Citrix\StreamingService is the expected local path.

LLM Application Guess
Citrix

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  10/27/1991
Last Created:  10/27/1991
Last Mod:  10/27/1991


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 0% (0)
Write: 100% (1)
Read: 100% (1)
Stale: 0% (0)
Empty: 0% (0)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 100%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 1
FG Coverage  20%: 1
FG Coverage  30%: 1
FG Coverage  40%: 1
FG Coverage  51%: 1
FG Coverage  60%: 1
FG Coverage  70%: 1
FG Coverage  80%: 1
FG Coverage  90%: 1
FG Coverage 100%: 1


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
testfile2.txt.txt
testfile2.txt.txt 100% (1)
\\2012SERVERSCCM.demo.local\files
Share Context Guess
None

LLM Application Guess
Unknown

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 4 of 127 (3.15%)


Timeline Context
First Created:  09/25/2024
Last Created:  09/25/2024
Last Mod:  10/07/2024


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 0% (0)
Write: 100% (1)
Read: 100% (1)
Stale: 0% (0)
Empty: 0% (0)
Default: No
Sensitive: 0
Secrets: 50
Final Score: 100%
File Name Coverage: 100%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 1
FG Coverage  20%: 1
FG Coverage  30%: 1
FG Coverage  40%: 1
FG Coverage  51%: 1
FG Coverage  60%: 1
FG Coverage  70%: 1
FG Coverage  80%: 1
FG Coverage  90%: 1
FG Coverage 100%: 1


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
things
.fetchmailrc
.git-credentials
.htpasswd
.netrc
.pgpass
.remmina
app.config
bootstrap.ini
config.xml
context.xml
DataSources.xml
dbvis.xml
dbxdrivers.ini
Drives.xml
example.dtsx
example.rdp
Groups.xml
grub.cfg
grub.conf
jboss-cli.xml
krb5.conf
machine.config
my.cnf
my.key
php.ini
Printers.xml
private.crt
pureftpd.passwd
putty.reg
remmina.pref
running-config.txt
ScheduledTasks.xml
server.xml
Services.xml
setting.ini
shadow
SiteManager.xml
smb.conf
sssd.conf
standalone.xml
startup-config.txt
sysprep.inf
tnsnames.ora
tomcat-users.xml
unattend-base64.xml
unattend-cleartext.xml
variables.dat
vnc.ini
web.config
WinSCP.ini
wp-config.php
things 100% (1)
pureftpd.passwd 100% (1)
putty.reg 100% (1)
remmina.pref 100% (1)
running-config.txt 100% (1)
ScheduledTasks.xml 100% (1)
server.xml 100% (1)
Services.xml 100% (1)
setting.ini 100% (1)
shadow 100% (1)
SiteManager.xml 100% (1)
private.crt 100% (1)
smb.conf 100% (1)
standalone.xml 100% (1)
startup-config.txt 100% (1)
sysprep.inf 100% (1)
tnsnames.ora 100% (1)
tomcat-users.xml 100% (1)
unattend-base64.xml 100% (1)
unattend-cleartext.xml 100% (1)
variables.dat 100% (1)
vnc.ini 100% (1)
web.config 100% (1)
sssd.conf 100% (1)
Printers.xml 100% (1)
php.ini 100% (1)
my.key 100% (1)
.fetchmailrc 100% (1)
.git-credentials 100% (1)
.htpasswd 100% (1)
.netrc 100% (1)
.pgpass 100% (1)
.remmina 100% (1)
app.config 100% (1)
bootstrap.ini 100% (1)
config.xml 100% (1)
context.xml 100% (1)
DataSources.xml 100% (1)
dbvis.xml 100% (1)
dbxdrivers.ini 100% (1)
Drives.xml 100% (1)
example.dtsx 100% (1)
example.rdp 100% (1)
Groups.xml 100% (1)
grub.cfg 100% (1)
grub.conf 100% (1)
jboss-cli.xml 100% (1)
krb5.conf 100% (1)
machine.config 100% (1)
my.cnf 100% (1)
WinSCP.ini 100% (1)
wp-config.php 100% (1)
bootstrap.ini
context.xml
dbxdrivers.ini
pureftpd.passwd
config.xml
jboss-cli.xml
machine.config
startup-config.txt
running-config.txt
my.cnf
my.key
php.ini
putty.reg
server.xml
shadow
standalone.xml
tnsnames.ora
tomcat-users.xml
sitemanager.xml
variables.dat
setting.ini
winscp.ini
wp-config.php
app.config
web.config
example.dtsx
example.rdp
vnc.ini
scheduledtasks.xml
groups.xml
drives.xml
services.xml
printers.xml
unattend-base64.xml
unattend-cleartext.xml
sysprep.inf
private.crt
sssd.conf
smb.conf
krb5.conf
.htpasswd
.pgpass
grub.cfg
grub.conf
.fetchmailrc
.git-credentials
.netrc
dbvis.xml
remmina.pref
.remmina
\\2012SERVERSCCM.demo.local\REMINST
Share Context Guess
The REMINST may be associated with Remote Installation Services (RIS) / Windows Deployment Services (WDS). Microsoft service for remote installation and deployment. Used by Microsoft's Remote Installation Services or Windows Deployment Services. Default path is C:\RemoteInstall. C:\RemoteInstall\ is the expected local path.

LLM Application Guess
Unknown

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  04/08/2014
Last Created:  04/08/2014
Last Mod:  04/08/2014


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 0% (0)
Write: 100% (1)
Read: 100% (1)
Stale: 100% (1)
Empty: 100% (1)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 0%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 0
FG Coverage  20%: 0
FG Coverage  30%: 0
FG Coverage  40%: 0
FG Coverage  51%: 0
FG Coverage  60%: 0
FG Coverage  70%: 0
FG Coverage  80%: 0
FG Coverage  90%: 0
FG Coverage 100%: 0


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
\\2012SERVERSCCM.demo.local\SophosUpdate
Share Context Guess
The SophosUpdate may be associated with Sophos Update. Directory for storing Sophos antivirus updates. Used by Sophos antivirus for storing update files. Referenced: https://www.sophos.com/. C:\SophosUpdate\ is the expected local path.

LLM Application Guess
Sophos

Affected Assets
Computers: 1 of 13 (7.69%)
Shares: 1 of 21 (4.76%)
ACLs: 3 of 127 (2.36%)


Timeline Context
First Created:  09/01/2001
Last Created:  09/01/2001
Last Mod:  09/01/2001


Owners (1)
BUILTIN\Administrators
Risk Summary
HE: 0% (0)
Write: 100% (1)
Read: 100% (1)
Stale: 100% (1)
Empty: 0% (0)
Default: No
Sensitive: 0
Secrets: 0
Final Score: 100%
File Name Coverage: 100%
Folder Group Coverage: 100%
Share Property Coverage: 100%

---
File Name Metrics
FG Coverage  10%: 1
FG Coverage  20%: 1
FG Coverage  30%: 1
FG Coverage  40%: 1
FG Coverage  51%: 1
FG Coverage  60%: 1
FG Coverage  70%: 1
FG Coverage  80%: 1
FG Coverage  90%: 1
FG Coverage 100%: 1


Folder Group Metrics
1 FG  10%/shares: 1
1 FG  20%/shares: 1
1 FG  30%/shares: 1
1 FG  40%/shares: 1
1 FG  51%/shares: 1
1 FG  60%/shares: 1
1 FG  70%/shares: 1
1 FG  80%/shares: 1
1 FG  90%/shares: 1
1 FG 100%/shares: 1


Share Property Metrics
Same Share Name: 1
folder Group/Owner Ratio Average: 1.00
Creation Date/Share Ratio: 1.00
Last Modification Date/Share Ratio: 1.00


Experimental Metrics
Share Owner Ratio: 1.00
File Group/Name Ratio: 1.00
All Descriptions Match: 0
testfile.txt.txt
testfile.txt.txt 100% (1)

Networks

This section provides an overview of the affected networks. 1 network/subnet was found associated with computers that host shares configured with excessive privileges.

Affected Networks
1  
Subnet: 192.168.40.0
Desc: (empty)
Created: (empty)
Site: (empty)
ACEs: 47
ReadACEs: 19
WriteACEs: 14
ExploitableACEs: 19
Shares: 16
Computers: 2

Share Owners

This section lists the most common share owners.
Share Count Owner Affected Computers Affected Shares Affected ACLs
11 BUILTIN\Administrators 15.38% (2 of 13) 52.38% (11 of 21) 26.77% (34 of 127)
5 NT SERVICE\TrustedInstaller 15.38% (2 of 13) 23.81% (5 of 21) 10.24% (13 of 127)

Folder Groups

Folder groups are SMB shares that contain the exact same file listing. Each folder group has been hashed so they can be quickly correlated. In some cases, shares with the exact same file listing may be related to a single application or process. This information can help identify the root cause associated with the excessive privileges and expedite remediation. Note: Application fingerprints were generated using an experimental version of the LLM-based application fingerprinting function. As a result, some application classifications may not be accurate.

Affected Folder Groups
8  
Unique Share Names Share Count File Count Risk Level Folder Group Related App
backup
inetpub
sccm
logs
sql
apps
wwwroot
REMINST
\\demo.local\backup
\\demo.local\inetpub
\\demo.local\sccm
\\demo.local\logs
\\demo.local\sql
\\demo.local\apps
\\demo.local\wwwroot
\\2012SERVERSCCM.demo.local\REMINST
21 Critical d41d8cd98f00b204e9800998ecf8427e
C$
C
\\demo.local\C$
\\demo.local\C
apps
backup
inetpub
logs
PerfLogs
Program Files
Program Files (x86)
sccm
sql
Users
Windows
wwwroot
22 Critical 003fe65715d4b71b68e7e42d2cbfd11f
The share name "C$" is commonly associated with the Windows operating system's default administrative share. The presence of directories such as "Program Files", "Windows", "Users", and "inetpub" strongly indicates that this is a Windows operating system. More information can be found at https://www.microsoft.com/en-us/windows
files
\\2012SERVERSCCM.demo.local\files
things
.fetchmailrc
.git-credentials
.htpasswd
.netrc
.pgpass
.remmina
app.config
bootstrap.ini
config.xml
context.xml
DataSources.xml
dbvis.xml
dbxdrivers.ini
Drives.xml
example.dtsx
example.rdp
Groups.xml
grub.cfg
grub.conf
jboss-cli.xml
krb5.conf
machine.config
my.cnf
my.key
php.ini
Printers.xml
private.crt
pureftpd.passwd
putty.reg
remmina.pref
running-config.txt
ScheduledTasks.xml
server.xml
Services.xml
setting.ini
shadow
SiteManager.xml
smb.conf
sssd.conf
standalone.xml
startup-config.txt
sysprep.inf
tnsnames.ora
tomcat-users.xml
unattend-base64.xml
unattend-cleartext.xml
variables.dat
vnc.ini
web.config
WinSCP.ini
wp-config.php
8 Medium 608fe6cb11c8dd935745fdfbce83c5be
C$
\\2012SERVERSCCM.demo.local\C$
CTXProfiles
CtxSTShare
files
inetpub
PerfLogs
Program Files
Program Files (x86)
REMINST
SophosUpdate
Users
Windows
en_sql_server_2014_developer_edition_x64_dvd_3940406.iso
mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso
sccm-key.txt
24 Critical f910ff7451dc52f16511bc1858288a7b
The share name "C$" is commonly associated with system drives on Windows operating systems. The presence of files like "mu_system_center_2012_r2_configuration_manager_x86_and_x64_dvd_2926949.iso" and "sccm-key.txt" strongly indicates the use of Microsoft System Center Configuration Manager, which aligns with the share name and the file context. For more information, visit https://www.microsoft.com/en-us/download/details.aspx?id=34607.
CtxSTShare
\\2012SERVERSCCM.demo.local\CtxSTShare
testfile2.txt.txt
5 Medium 30b6dc96e3419e712c67cadaaa881ac6
The share name 'CtxSTShare' suggests a relation to Citrix, a known application. The file names alone are not strongly indicative, but the share name provides a high confidence match. For more information, visit: https://www.citrix.com/
SophosUpdate
\\2012SERVERSCCM.demo.local\SophosUpdate
testfile.txt.txt
4 Low 47b0b36ca438303cfe7082a5ac09d719
The share name 'SophosUpdate' directly indicates a connection to Sophos, a well-known cybersecurity company. Although the file name 'testfile.txt.txt' is generic, the strong association with the share name provides a high confidence in identifying the application as Sophos. For more information, visit https://www.sophos.com.
ADMIN$
\\demo.local\ADMIN$
ADAM
ADWS
AppCompat
apppatch
assembly
AUInstallAgent
Boot
Branding
CbsTemp
Cursors
debug
DesktopTileResources
diagnostics
DigitalLocker
Downloaded Program Files
drivers
en-US
Fonts
Globalization
Help
IME
Inf
L2Schemas
LiveKernelReports
Logs
media
Microsoft.NET
ModemLogs
NTDS
Offline Web Pages
Panther
PLA
PolicyDefinitions
Provisioning
Registration
RemotePackages
rescache
Resources
SchCache
schemas
security
ServiceProfiles
servicing
Setup
SoftwareDistribution
Speech
System
System32
SYSVOL
SysWOW64
TAPI
Tasks
Temp
ToastData
tracing
Vss
Web
WinSxS
bfsvc.exe
bootstat.dat
DtcInstall.log
explorer.exe
HelpPane.exe
hh.exe
mib.bin
PFRO.log
regedit.exe
ServerStandard.xml
ServerWeb.xml
setupact.log
setuperr.log
splwow64.exe
system.ini
vmgcoinstall.log
win.ini
WindowsUpdate.log
winhlp32.exe
write.exe
20 Critical 16c18b433687bed2b033f40cf56229e5
The share name "ADMIN$" is a default administrative share in Microsoft Windows Operating System. The file names such as "explorer.exe", "regedit.exe", "setupact.log", "setuperr.log", and "ServerStandard.xml" are commonly associated with the Windows OS. For more information, visit https://www.microsoft.com/en-us/windows
ADMIN$
\\2012SERVERSCCM.demo.local\ADMIN$
AppCompat
apppatch
assembly
AUInstallAgent
Boot
Branding
CbsTemp
Cursors
debug
DesktopTileResources
diagnostics
DigitalLocker
Downloaded Program Files
drivers
en-US
Fonts
Globalization
Help
IME
Inf
L2Schemas
LiveKernelReports
Logs
media
Microsoft.NET
ModemLogs
Offline Web Pages
Panther
PLA
PolicyDefinitions
Provisioning
Registration
RemotePackages
rescache
Resources
SchCache
schemas
security
ServiceProfiles
servicing
Setup
SoftwareDistribution
Speech
System
System32
SysWOW64
TAPI
Tasks
Temp
ToastData
tracing
Vss
Web
WinSxS
bfsvc.exe
bootstat.dat
DtcInstall.log
explorer.exe
HelpPane.exe
hh.exe
iis.log
mib.bin
PFRO.log
regedit.exe
ServerStandard.xml
ServerWeb.xml
setupact.log
setuperr.log
splwow64.exe
system.ini
vmgcoinstall.log
win.ini
WindowsUpdate.log
winhlp32.exe
write.exe
20 Critical 526419fbc5b1d0c1274573fa97986a32
The share name "ADMIN$" is typically associated with administrative shares in Microsoft Windows. File names like "System32", "drivers", "Microsoft.NET", "Boot", and "Fonts" are indicative of a Windows operating system. For more information, visit: https://www.microsoft.com/en-us/windows

Extracted Secrets

This section includes a list of the credentials that were recovered during data collection. 143 credentials were recovered from 50 of the discovered 53 secrets files.

Extracted Secrets Found
143  
ComputerName ShareName FileName FilePath Username Password PasswordEnc KeyfilePath Details
2012SERVERSCCM.demo.local files bootstrap.ini \\2012SERVERSCCM.demo.local\files\bootstrap.ini adminUser P@ssw0rd123 NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files bootstrap.ini \\2012SERVERSCCM.demo.local\files\bootstrap.ini NA public NA NA
Section: NA
Object Name: Public
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files bootstrap.ini \\2012SERVERSCCM.demo.local\files\bootstrap.ini NA mysecret NA NA
Section: NA
Object Name: Private
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files bootstrap.ini \\2012SERVERSCCM.demo.local\files\bootstrap.ini NA mysecret NA NA
Section: NA
Object Name: Secret
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files bootstrap.ini \\2012SERVERSCCM.demo.local\files\bootstrap.ini NA mykey NA NA
Section: NA
Object Name: Key
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files context.xml \\2012SERVERSCCM.demo.local\files\context.xml dbuser dbpassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini user password NA NA
Section: DB2
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini sysdba masterkey NA NA
Section: Interbase
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini user password NA NA
Section: Oracle
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini user password NA NA
Section: Informix
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini user password NA NA
Section: MSSQL
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini SYSDBA masterkey NA NA
Section: UIB Interbase6
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini SYSDBA masterkey NA NA
Section: UIB Interbase65
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini SYSDBA masterkey NA NA
Section: UIB Interbase7
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini SYSDBA masterkey NA NA
Section: UIB Interbase71
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini SYSDBA masterkey NA NA
Section: UIB FireBird102
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini SYSDBA masterkey NA NA
Section: UIB FireBird103
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini SYSDBA masterkey NA NA
Section: UIB FireBird15
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbxdrivers.ini \\2012SERVERSCCM.demo.local\files\dbxdrivers.ini SYSDBA masterkey NA NA
Section: UIB Yaffil
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files pureftpd.passwd \\2012SERVERSCCM.demo.local\files\pureftpd.passwd username NA $1$X9p2ER8W$M7P5CxX5CHPxuAiB5BBJq/ NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files pureftpd.passwd \\2012SERVERSCCM.demo.local\files\pureftpd.passwd user2 NA $1$XYz3ERzW$G9P7CxF6CPxxuAiB6BBJq/ NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files config.xml \\2012SERVERSCCM.demo.local\files\config.xml John Doe #jbcrypt:$2a$10$D6wVozrLhk.TIq.jBBKZluIh/EqzpjCUJFT/mWUnyAO4EYmxk5.aK NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files jboss-cli.xml \\2012SERVERSCCM.demo.local\files\jboss-cli.xml admin password NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config myAppUser myAppPassword NA
Section: AppSettings
Object Name: Application
Target URL:
Target Server:
Target Port:
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config myClientId myClientSecret NA
Section: AppSettings
Object Name: OAuth
Target URL: https://oauth.example.com/token
Target Server:
Target Port:
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config serviceUser servicePassword NA
Section: AppSettings
Object Name: WebClient
Target URL: https://service.example.com/api
Target Server:
Target Port:
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config apiUser apiPassword NA
Section: AppSettings
Object Name: API
Target URL: https://api.example.com/endpoint
Target Server:
Target Port:
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config customUser customPassword NA
Section: ServiceCredentials
Object Name: CustomService
Target URL: https://customservice.example.com
Target Server:
Target Port:
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config myUser myPass NA
Section: ConnectionStrings (System.Data.SqlClient)
Object Name: SqlServerConnection
Target URL: Server=localhost
Target Server: localhost
Target Port:
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config myUser myPass NA
Section: ConnectionStrings (System.Data.SqlClient)
Object Name: SqlServerEncryptedConnection
Target URL: Server=localhost
Target Server: localhost
Target Port:
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config myUser myPass NA
Section: ConnectionStrings (Npgsql)
Object Name: PostgreSqlConnection
Target URL: Host=localhost;Port=5432
Target Server: localhost
Target Port: 5432
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config oracleUser oraclePass NA
Section: ConnectionStrings (System.Data.OracleClient)
Object Name: OracleConnection
Target URL: Server=MyOracleDB
Target Server: MyOracleDB
Target Port:
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config oracleUser oraclePass NA
Section: ConnectionStrings (Oracle.ManagedDataAccess.Client)
Object Name: OracleTNSConnection
Target URL: Server=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myHost)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=myService)))
Target Server: (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myHost)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=myService)))
Target Port:
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config admin myPass NA
Section: ConnectionStrings (System.Data.OleDb)
Object Name: AccessConnection
Target URL: Server=C:\myAccessFile.accdb
Target Server: C:\myAccessFile.accdb
Target Port:
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config myUser myPass NA
Section: ConnectionStrings (System.Data.SqlClient)
Object Name: AzureSqlConnection
Target URL: Server=tcp:myserver.database.windows.net
Target Server: tcp:myserver.database.windows.net
Target Port: 1433
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config smtpUser smtpPassword NA
Section: SMTP
Object Name: SMTP Configuration
Target URL: smtp://smtp.example.com:587
Target Server: smtp.example.com
Target Port: 587
Database:
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config myUser myPass NA NA
Section: ConnectionStrings (System.Data.SqlClient)
Object Name: SqlServerConnection
Target URL: Server=localhost
Target Server: localhost
Target Port:
Database: localhost
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config myUser myPass NA NA
Section: ConnectionStrings (System.Data.SqlClient)
Object Name: SqlServerEncryptedConnection
Target URL: Server=localhost
Target Server: localhost
Target Port:
Database: localhost
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config myUser myPass NA NA
Section: ConnectionStrings (Npgsql)
Object Name: PostgreSqlConnection
Target URL: Host=localhost;Port=5432
Target Server: localhost
Target Port: 5432
Database: myDB
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config oracleUser oraclePass NA NA
Section: ConnectionStrings (System.Data.OracleClient)
Object Name: OracleConnection
Target URL: Server=MyOracleDB
Target Server: MyOracleDB
Target Port:
Database: MyOracleDB
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config oracleUser oraclePass NA NA
Section: ConnectionStrings (Oracle.ManagedDataAccess.Client)
Object Name: OracleTNSConnection
Target URL: Server=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myHost)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=myService)))
Target Server: (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myHost)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=myService)))
Target Port:
Database: (DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCP)(HOST=myHost)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=myService)))
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config admin myPass NA NA
Section: ConnectionStrings (System.Data.OleDb)
Object Name: AccessConnection
Target URL: Server=C:\myAccessFile.accdb
Target Server: C:\myAccessFile.accdb
Target Port:
Database: C:\myAccessFile.accdb
Domain:
2012SERVERSCCM.demo.local files machine.config \\2012SERVERSCCM.demo.local\files\machine.config myUser myPass NA NA
Section: ConnectionStrings (System.Data.SqlClient)
Object Name: AzureSqlConnection
Target URL: Server=tcp:myserver.database.windows.net
Target Server: tcp:myserver.database.windows.net
Target Port: 1433
Database: myDB
Domain:
2012SERVERSCCM.demo.local files startup-config.txt \\2012SERVERSCCM.demo.local\files\startup-config.txt NA NA $1$DkGh$XSdDk6LdoqM0eO67V0lJ71 NA
Section: NA
Object Name: EnableSecret (MD5 Encrypted)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files startup-config.txt \\2012SERVERSCCM.demo.local\files\startup-config.txt NA mycleartextpassword NA NA
Section: NA
Object Name: Password (Cleartext)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files startup-config.txt \\2012SERVERSCCM.demo.local\files\startup-config.txt NA cleartext123 NA NA
Section: NA
Object Name: Password (Cleartext)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files startup-config.txt \\2012SERVERSCCM.demo.local\files\startup-config.txt NA moretype7pw 12140A05171F15142F7C343F NA
Section: NA
Object Name: Password (Type 7 Decrypted)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files startup-config.txt \\2012SERVERSCCM.demo.local\files\startup-config.txt secureadmin NA $1$lpb1$kGc1R/tGbT6aYZEXw5lqa0 NA
Section: NA
Object Name: Username Password (MD5 Encrypted)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files startup-config.txt \\2012SERVERSCCM.demo.local\files\startup-config.txt NA public NA NA
Section: NA
Object Name: SNMP Community String (RO)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files startup-config.txt \\2012SERVERSCCM.demo.local\files\startup-config.txt NA private NA NA
Section: NA
Object Name: SNMP Community String (RW)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files startup-config.txt \\2012SERVERSCCM.demo.local\files\startup-config.txt NA consolepassword123 NA NA
Section: NA
Object Name: Password (Cleartext)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files startup-config.txt \\2012SERVERSCCM.demo.local\files\startup-config.txt NA ciscotype7clear 02050D4808091B385C4B5E1A09121319 NA
Section: NA
Object Name: Password (Type 7 Decrypted)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files startup-config.txt \\2012SERVERSCCM.demo.local\files\startup-config.txt NA cleartextkeywifipassword NA NA
Section: NA
Object Name: Wi-Fi WPA Pre-Shared Key (Cleartext)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files running-config.txt \\2012SERVERSCCM.demo.local\files\running-config.txt NA NA $1$DkGh$XSdDk6LdoqM0eO67V0lJ71 NA
Section: NA
Object Name: EnableSecret (MD5 Encrypted)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files running-config.txt \\2012SERVERSCCM.demo.local\files\running-config.txt NA mycleartextpassword NA NA
Section: NA
Object Name: Password (Cleartext)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files running-config.txt \\2012SERVERSCCM.demo.local\files\running-config.txt NA cleartext123 NA NA
Section: NA
Object Name: Password (Cleartext)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files running-config.txt \\2012SERVERSCCM.demo.local\files\running-config.txt NA moretype7pw 12140A05171F15142F7C343F NA
Section: NA
Object Name: Password (Type 7 Decrypted)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files running-config.txt \\2012SERVERSCCM.demo.local\files\running-config.txt secureadmin NA $1$lpb1$kGc1R/tGbT6aYZEXw5lqa0 NA
Section: NA
Object Name: Username Password (MD5 Encrypted)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files running-config.txt \\2012SERVERSCCM.demo.local\files\running-config.txt NA public NA NA
Section: NA
Object Name: SNMP Community String (RO)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files running-config.txt \\2012SERVERSCCM.demo.local\files\running-config.txt NA private NA NA
Section: NA
Object Name: SNMP Community String (RW)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files running-config.txt \\2012SERVERSCCM.demo.local\files\running-config.txt NA consolepassword123 NA NA
Section: NA
Object Name: Password (Cleartext)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files running-config.txt \\2012SERVERSCCM.demo.local\files\running-config.txt NA ciscotype7clear 02050D4808091B385C4B5E1A09121319 NA
Section: NA
Object Name: Password (Type 7 Decrypted)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files running-config.txt \\2012SERVERSCCM.demo.local\files\running-config.txt NA cleartextkeywifipassword NA NA
Section: NA
Object Name: Wi-Fi WPA Pre-Shared Key (Cleartext)
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files my.cnf \\2012SERVERSCCM.demo.local\files\my.cnf yourusername yourpassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files my.key \\2012SERVERSCCM.demo.local\files\my.key NA NA NA C:\temp\SmbShareHunt-11072024080834\Results\Secrets\2012SERVERSCCM.demo.local\files\my.key
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files php.ini \\2012SERVERSCCM.demo.local\files\php.ini dbuser P@ssw0rd123 NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files putty.reg \\2012SERVERSCCM.demo.local\files\putty.reg NA NA
Section: Default%20Settings
Object Name: NA
Target URL: NA
Target Server:
Target Port: 22
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files putty.reg \\2012SERVERSCCM.demo.local\files\putty.reg myusername NA NA C:\\Users\\YourUsername\\.ssh\\id_rsa.ppk
Section: My%20SSH%20Session
Object Name: NA
Target URL: NA
Target Server: 192.168.1.100
Target Port: 22
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files server.xml \\2012SERVERSCCM.demo.local\files\server.xml adminuser adminpwd NA NA
Section: basicRegistry
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files server.xml \\2012SERVERSCCM.demo.local\files\server.xml reader readerpwd NA NA
Section: basicRegistry
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files server.xml \\2012SERVERSCCM.demo.local\files\server.xml user userpwd NA NA
Section: basicRegistry
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files server.xml \\2012SERVERSCCM.demo.local\files\server.xml dbuser dbpass NA NA
Section: variable
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files server.xml \\2012SERVERSCCM.demo.local\files\server.xml dbuser {xor}Oz0vPiws NA NA
Section: containerAuthData
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files server.xml \\2012SERVERSCCM.demo.local\files\server.xml NA NA
Section: containerAuthData
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files server.xml \\2012SERVERSCCM.demo.local\files\server.xml dbuser dbpass NA NA
Section: authData
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files server.xml \\2012SERVERSCCM.demo.local\files\server.xml dbuser wrong_password NA NA
Section: authData
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files shadow \\2012SERVERSCCM.demo.local\files\shadow root NA $6$examplehash$E5iNRLtC5/j/kCkRhYlOro.Y9PzE0Gv8jlsfLZUNwlEm7HMBZSO9.mUvefOrKT6BjKSO4obQ.EtCZKhQgmgwV0 NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files shadow \\2012SERVERSCCM.demo.local\files\shadow user1 NA $6$examplehash$OwhxlyS5hoxfFE4tmtyOR8Hw1k8PLqokP9FYxYP8QMG3wO0u.0Xvd4g/0Udr6BQZilJk4k7XwlxJ6p0RJ2IL5/ NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files shadow \\2012SERVERSCCM.demo.local\files\shadow nobody NA * NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files shadow \\2012SERVERSCCM.demo.local\files\shadow daemon NA * NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files standalone.xml \\2012SERVERSCCM.demo.local\files\standalone.xml ${VAULT::vault::mydbuser} ${VAULT::vault::mydbpassword} NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: localhost
Target Port: 3306
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files standalone.xml \\2012SERVERSCCM.demo.local\files\standalone.xml Keystore password NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files tnsnames.ora \\2012SERVERSCCM.demo.local\files\tnsnames.ora myusername mypassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: MYDB
Domain: NA
2012SERVERSCCM.demo.local files tnsnames.ora \\2012SERVERSCCM.demo.local\files\tnsnames.ora anotheruser anotherpassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: MYDB_ALIAS
Domain: NA
2012SERVERSCCM.demo.local files tomcat-users.xml \\2012SERVERSCCM.demo.local\files\tomcat-users.xml admin admin NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files sitemanager.xml \\2012SERVERSCCM.demo.local\files\sitemanager.xml username HelloPassword SGVsbG9QYXNzd29yZA== NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: ftp.example.com
Target Port: 21
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files sitemanager.xml \\2012SERVERSCCM.demo.local\files\sitemanager.xml sftpuser HelloPassword SGVsbG9QYXNzd29yZA== NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: sftp.example.com
Target Port: 22
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files setting.ini \\2012SERVERSCCM.demo.local\files\setting.ini dbuser dbpass NA NA
Section: DatabaseSettings
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files setting.ini \\2012SERVERSCCM.demo.local\files\setting.ini myuser mypass NA NA
Section: CustomSettings
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files winscp.ini \\2012SERVERSCCM.demo.local\files\winscp.ini myuser 0V5aNH+/kT8= ; Encrypted password NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: ftp.example.com
Target Port: 21
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files wp-config.php \\2012SERVERSCCM.demo.local\files\wp-config.php your_database_username your_secure_password_here NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files app.config \\2012SERVERSCCM.demo.local\files\app.config myUser myPass NA NA
Section: ConnectionStrings (System.Data.SqlClient)
Object Name: SqlServerConnection
Target URL: Server=localhost
Target Server: localhost
Target Port:
Database: localhost
Domain:
2012SERVERSCCM.demo.local files app.config \\2012SERVERSCCM.demo.local\files\app.config myUser myPass NA NA
Section: ConnectionStrings (Npgsql)
Object Name: PostgreSqlConnection
Target URL: Host=localhost;Port=5432
Target Server: localhost
Target Port: 5432
Database: myDB
Domain:
2012SERVERSCCM.demo.local files app.config \\2012SERVERSCCM.demo.local\files\app.config oracleUser oraclePass NA NA
Section: ConnectionStrings (Oracle.ManagedDataAccess.Client)
Object Name: OracleConnection
Target URL: Server=MyOracleDB
Target Server: MyOracleDB
Target Port:
Database: MyOracleDB
Domain:
2012SERVERSCCM.demo.local files web.config \\2012SERVERSCCM.demo.local\files\web.config myUser myPass NA NA
Section: ConnectionStrings (System.Data.SqlClient)
Object Name: SqlServerConnection
Target URL: Server=localhost
Target Server: localhost
Target Port:
Database: localhost
Domain:
2012SERVERSCCM.demo.local files web.config \\2012SERVERSCCM.demo.local\files\web.config myUser myPass NA NA
Section: ConnectionStrings (Npgsql)
Object Name: PostgreSqlConnection
Target URL: Host=localhost;Port=5432
Target Server: localhost
Target Port: 5432
Database: myDB
Domain:
2012SERVERSCCM.demo.local files web.config \\2012SERVERSCCM.demo.local\files\web.config oracleUser oraclePass NA NA
Section: ConnectionStrings (Oracle.ManagedDataAccess.Client)
Object Name: OracleConnection
Target URL: Server=MyOracleDB
Target Server: MyOracleDB
Target Port:
Database: MyOracleDB
Domain:
2012SERVERSCCM.demo.local files example.dtsx \\2012SERVERSCCM.demo.local\files\example.dtsx dbuser1 dbpassword1 NA NA
Section: Database
Object Name: NA
Target URL: NA
Target Server: dbserver1
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files example.dtsx \\2012SERVERSCCM.demo.local\files\example.dtsx dbuser2 dbpassword2 NA NA
Section: Database
Object Name: NA
Target URL: NA
Target Server: dbserver2
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files example.dtsx \\2012SERVERSCCM.demo.local\files\example.dtsx ftpuser ftppassword NA NA
Section: FTP
Object Name: NA
Target URL: NA
Target Server: ftpserver.com
Target Port: 21
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files example.dtsx \\2012SERVERSCCM.demo.local\files\example.dtsx smtpuser smtppassword NA NA
Section: SMTP
Object Name: NA
Target URL: NA
Target Server: smtp.mailserver.com
Target Port: 25
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files example.rdp \\2012SERVERSCCM.demo.local\files\example.rdp YourUsername Unable to decrypt; must run on target system encrypted_password_value NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files vnc.ini \\2012SERVERSCCM.demo.local\files\vnc.ini NA hellothe 01d47b4186dfa5a3 NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files scheduledtasks.xml \\2012SERVERSCCM.demo.local\files\scheduledtasks.xml MyAwesomePassword! 5gn5fUqMaeGJkLEPgl3iH9UfLATVxRAHE8GvAvekwnicLYf2Pynj7ifihvajBRA3 NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain:
2012SERVERSCCM.demo.local files groups.xml \\2012SERVERSCCM.demo.local\files\groups.xml example.com\IT_Dept MyAwesomePassword! 5gn5fUqMaeGJkLEPgl3iH9UfLATVxRAHE8GvAvekwnicLYf2Pynj7ifihvajBRA3 NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain:
2012SERVERSCCM.demo.local files drives.xml \\2012SERVERSCCM.demo.local\files\drives.xml test MyAwesomePassword! 5gn5fUqMaeGJkLEPgl3iH9UfLATVxRAHE8GvAvekwnicLYf2Pynj7ifihvajBRA3 NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain:
2012SERVERSCCM.demo.local files services.xml \\2012SERVERSCCM.demo.local\files\services.xml LocalSystem MyAwesomePassword! 5gn5fUqMaeGJkLEPgl3iH9UfLATVxRAHE8GvAvekwnicLYf2Pynj7ifihvajBRA3 NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain:
2012SERVERSCCM.demo.local files printers.xml \\2012SERVERSCCM.demo.local\files\printers.xml MyAwesomePassword! 5gn5fUqMaeGJkLEPgl3iH9UfLATVxRAHE8GvAvekwnicLYf2Pynj7ifihvajBRA3 NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain:
2012SERVERSCCM.demo.local files unattend-base64.xml \\2012SERVERSCCM.demo.local\files\unattend-base64.xml LocalAdmin P@ssword123! NA NA
Section: AutoLogon
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files unattend-base64.xml \\2012SERVERSCCM.demo.local\files\unattend-base64.xml LocalAdmin P@ssword123! NA NA
Section: LocalAccount
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files unattend-cleartext.xml \\2012SERVERSCCM.demo.local\files\unattend-cleartext.xml LocalAdmin P@ssword NA NA
Section: AutoLogon
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files unattend-cleartext.xml \\2012SERVERSCCM.demo.local\files\unattend-cleartext.xml LocalAdmin P@ssword NA NA
Section: LocalAccount
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files sysprep.inf \\2012SERVERSCCM.demo.local\files\sysprep.inf YourDomainAdmin YourDomainAdminPassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: YourDomain
2012SERVERSCCM.demo.local files sysprep.inf \\2012SERVERSCCM.demo.local\files\sysprep.inf Administrator YourAdminPassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: localhost
2012SERVERSCCM.demo.local files private.crt \\2012SERVERSCCM.demo.local\files\private.crt NA NA NA C:\temp\SmbShareHunt-11072024080834\Results\Secrets\2012SERVERSCCM.demo.local\files\private.crt
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files sssd.conf \\2012SERVERSCCM.demo.local\files\sssd.conf cn=admin,cn=users,dc=example,dc=com P@ssw0rd123 NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: ad.example.com
Target Port: NA
Database: NA
Domain: example.com
2012SERVERSCCM.demo.local files smb.conf \\2012SERVERSCCM.demo.local\files\smb.conf ad-admin P@ssw0rd123 NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files krb5.conf \\2012SERVERSCCM.demo.local\files\krb5.conf admin@EXAMPLE.COM P@ssw0rd123 NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: ad.example.com
Target Port: NA
Database: NA
Domain: EXAMPLE.COM
2012SERVERSCCM.demo.local files .htpasswd \\2012SERVERSCCM.demo.local\files\.htpasswd user1 NA $apr1$5lRQ1y3v$pmOQf9/fNVE5dTtQDBl9D1 NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .htpasswd \\2012SERVERSCCM.demo.local\files\.htpasswd user2 NA $apr1$Jd9UE91p$J/H8G9HSvj5l8LKQ2qfd3. NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .htpasswd \\2012SERVERSCCM.demo.local\files\.htpasswd admin NA $apr1$GZJoqjNF$wl8IjDhZC84z5Bb4wHOv50 NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .pgpass \\2012SERVERSCCM.demo.local\files\.pgpass myuser mypassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: localhost
Target Port: 5432
Database: mydatabase
Domain: NA
2012SERVERSCCM.demo.local files .pgpass \\2012SERVERSCCM.demo.local\files\.pgpass anotheruser anotherpassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: remote.server.com
Target Port: 5432
Database: anotherdb
Domain: NA
2012SERVERSCCM.demo.local files .pgpass \\2012SERVERSCCM.demo.local\files\.pgpass defaultuser defaultpassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: localhost
Target Port: *
Database: *
Domain: NA
2012SERVERSCCM.demo.local files .pgpass \\2012SERVERSCCM.demo.local\files\.pgpass * supersecretpassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: localhost
Target Port: *
Database: *
Domain: NA
2012SERVERSCCM.demo.local files grub.cfg \\2012SERVERSCCM.demo.local\files\grub.cfg admin myplaintextpassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files grub.conf \\2012SERVERSCCM.demo.local\files\grub.conf admin myplaintextpassword NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .fetchmailrc \\2012SERVERSCCM.demo.local\files\.fetchmailrc user1@example.com password1 NA NA
Section: IMAP
Object Name: NA
Target URL: NA
Target Server: mail.example.com
Target Port: 993
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .fetchmailrc \\2012SERVERSCCM.demo.local\files\.fetchmailrc user2@anotherexample.com password2 NA NA
Section: POP3
Object Name: NA
Target URL: NA
Target Server: mail.anotherexample.com
Target Port: 995
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .fetchmailrc \\2012SERVERSCCM.demo.local\files\.fetchmailrc forwarduser@forwardexample.com forwardpassword NA NA
Section: IMAP
Object Name: NA
Target URL: NA
Target Server: mail.forwardexample.com
Target Port: 993
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .fetchmailrc \\2012SERVERSCCM.demo.local\files\.fetchmailrc plainuser@plainexample.com plainpassword NA NA
Section: POP3
Object Name: NA
Target URL: NA
Target Server: plainexample.com
Target Port: 110
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .git-credentials \\2012SERVERSCCM.demo.local\files\.git-credentials username1 ghp_token1example NA NA
Section: NA
Object Name: NA
Target URL: github.com
Target Server: github.com
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .git-credentials \\2012SERVERSCCM.demo.local\files\.git-credentials username2 ghp_token2example NA NA
Section: NA
Object Name: NA
Target URL: bitbucket.org
Target Server: bitbucket.org
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .git-credentials \\2012SERVERSCCM.demo.local\files\.git-credentials my-gitlab-username glpat_token3example NA NA
Section: NA
Object Name: NA
Target URL: gitlab.com
Target Server: gitlab.com
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .git-credentials \\2012SERVERSCCM.demo.local\files\.git-credentials username4 ghp_token4example NA NA
Section: NA
Object Name: NA
Target URL: company-git.example.com
Target Server: company-git.example.com
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .netrc \\2012SERVERSCCM.demo.local\files\.netrc exampleuser examplepass NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: example.com
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .netrc \\2012SERVERSCCM.demo.local\files\.netrc anotheruser anotherpass NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: another-site.com
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .netrc \\2012SERVERSCCM.demo.local\files\.netrc ftpuser ftppass NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: ftp.myserver.com
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .netrc \\2012SERVERSCCM.demo.local\files\.netrc defaultuser defaultpass NA NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: account-required.com
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files dbvis.xml \\2012SERVERSCCM.demo.local\files\dbvis.xml db_user mydbvispasswordinclr +mQwYxIFaEjZ/MWJDkm1SCWhHw7xPXWd NA
Section: NA
Object Name: NA
Target URL: NA
Target Server: localhost
Target Port: 3306
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files remmina.pref \\2012SERVERSCCM.demo.local\files\remmina.pref NA NA A123kgXlYRiCAdDcbFsE8SAoCGUanspg123= NA
Section: remmina_pref
Object Name: Remmina Configuration
Target URL: NA
Target Server: NA
Target Port: NA
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .remmina \\2012SERVERSCCM.demo.local\files\.remmina myusername mysecretpassword NA NA
Section: NA
Object Name: VNC
Target URL: NA
Target Server: 192.168.1.10
Target Port: 5500
Database: NA
Domain: NA
2012SERVERSCCM.demo.local files .remmina \\2012SERVERSCCM.demo.local\files\.remmina sshuser NA NA /home/user/.ssh/id_rsa
Section: NA
Object Name: SSH
Target URL: NA
Target Server: 192.168.1.20
Target Port: NA
Database: NA
Domain: NA

ShareGraph

This section includes an experimental interactive graph for exploring share relationships.

Exploit

This section provides some tips for exploiting share access. Consider reviewing this blog for reference.

Share Access Instructions
C$, admin$ READ Read OS and Application password files and log in.
Identify non-public information disclosure.
C$, admin$ WRITE Read OS and Application password files and log in.
Identify non-public information disclosure.
Execute arbitrary code by writing files to autorun locations:
DLL Hijacking
All Users folders
Other file based autoruns
EXE Replacement
wwwroot,inetpub,webroot READ Read connection strings and escalation through database.
Code - search for file types
Code - search for file contents
wwwroot,inetpub,webroot Write Read connection strings and escalation through database.
Upload webshell to execute as web server service account.

Detect

This section provides some tips for detecting potentially malicious share scanning events.

Action Detection Guidance
Detect Share Scanning Data Sources
Ensure that group policy audit settings are configured to log authentication successes and failures, so that real-time and offline analysis can be used to identify common indicators of compromise. Specifically, ensure the following event IDs are logged and forwarded to a SIEM solution.

Logon Success
- Windows Server 2003: 540
- Windows Server 2008-2012: 4624

Logon Failure
- Windows Server 2003: 680
- Windows Server 2008-2012: 4625

Network Share Object was Accessed - All versions: 5140

Detection Thresholds and Indicators
Below is a list of common Indicators of Compromise (IoCs) that can be used to identify potential SMB scanning. Please note that not all IoCs will work in every environment due to false positives generated by legitimate applications and processes. However, in some environments it may be possible to modify IoC thresholds or signatures to reduce the number of false positives to an acceptable level.

Consider creating correlation rules based on Active Directory and Local Windows authentication logs for:
A single system authenticates to many systems via SMB (port 445) in a short period of time, and accesses Windows shares. For example, ten or more systems in under a minute. Use the events above to build detections.

Consider implementing a honey pot or canary system that supports SMB shares that can be used to generate alerts when accessed.

Prevention
If network shares are not required, disable them or block access using host-based firewalls. Ensure that sensitive information is not available on these shares. To restrict access under Windows, open Explorer, right-click on each of the shares, go to the 'Sharing' tab, and click on 'Permissions'. From here, add or remove permissions for various users and groups. Guest access to the system should also be revoked, and adequate access controls should be in place for each shared resource. NULL sessions should be disabled.
Detect Canaries Build detections for authenticated read/write share access.

Remediate

This section provides some tips for prioritizing the remediation of shares configured with excessive privileges.

Share Access Impact Description
High Risk Shares Confidentiality, Integrity, Availability, Code Execution
High likelihood.
Remediate high risk shares. In the context of this report, high risk shares have been defined as shares that provide unauthorized remote access to systems or applications. By default, that includes wwwroot, inetpub, c$, and admin$ shares. However, additional exposures may exist that are not called out beyond that.
Write Access Shares Confidentiality, Integrity, Availability, Code Execution Remediate shares with write access. Write access to shares may allow an attacker to modify data, insert their own users into configuration files to access applications, or leverage write access to execute code on remote systems. Folders that provide write access could also fall victim to ransomware attacks.
Read Access Shares Confidentiality, Code Execution Remediate shares with read access. Read access may provide an attacker with unauthorized access to sensitive data and stored secrets such as passwords and private keys that could be used to gain unauthorized access to systems, applications, and databases.
Top Share Names NA Sub-prioritize remediation based on top groups of share names (most common share names). When a large number of systems are configured with the same share, they often represent weak configurations associated with applications and processes.
Top Share Groups NA Sub-prioritize remediation based on top share groups that have the same list of files in their directory. This is another way to identify systems that are configured with the same share and are associated with the same insecure application deployment or process.
Sub-Prioritization Tips NA Use the detailed .csv files to:

1. Identify share owners with the ShareOwner field. Filter out "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM", and "NT SERVICE\TrustedInstaller" to identify potential asset owners.

2. Filter out shares with a FileCount of 0.

3. Sort shares by LastModifiedDate.

4. Filter for keywords in the FileList.

For example, simple keywords like sql, database, backup, password, etc. can help identify additional high risk exposures quickly.

Scan Information

The PowerHuntShares audit script was run against the demo.local Active Directory domain to collect SMB share data, generate this HTML summary report, and generate the associated CSV files that detail potentially excessive share configurations. Below is the scan summary and an overview of how to use this report.
The scan context and run time information have been provided below.

Domain demo.local
DC DomainController1.demo.local
Start Time 11/07/2024 08:08:31
Stop Time 11/07/2024 08:10:31
Duration 00:02:00.4366393
Src Host workstation10
Src IPs 192.168.40.156
192.168.1.234
Src User demo\testuser

How do I use this report?

Follow the guidance below to get the most out of this report. Click each step for more information.

Review the reports and data insights to get a quick feel for the level of SMB share exposure in your environment.

Reports
The Scan, Computer, Share, and ACL summary sections will provide a summary of the results.

Data Insights
The Data Insights sections are intended to highlight natural data groupings that can help centralize and expedite remediation at scale in Active Directory environments.
Review potentially excessive share ACL entry details in the associated HTML and CSV files.
Review the definitions below to ensure you understand what was targeted and how privileges have been qualified as excessive.

Excessive Privileges
In the context of this report, excessive read and write share permissions have been defined as any network share ACL containing an explicit entry for the "Everyone", "Authenticated Users", "BUILTIN\Users", "Domain Users", or "Domain Computers" groups. All provide domain users access to the affected shares due to privilege inheritance.

Please note that share permissions can be overruled by NTFS permissions. Also, be aware that testing excluded share names containing the following keywords: "print$", "prnproc$", "printer", "netlogon", and "sysvol".

High Risk Shares
In the context of this report, high risk shares have been defined as shares that provide unauthorized remote access to a system or application. By default, that includes wwwroot, inetpub, c$, and admin$ shares. However, additional exposures may exist that are not called out beyond that.
Follow the guidance in the Exploit Share Access, Detect Share Access, and Prioritize Remediation sections.
Collect SMB share data and generate this HTML report by running the Invoke-HuntSMBShares.ps1 audit script.
The command examples below can be used to identify potentially malicious share permissions.

From Domain System
Invoke-HuntSMBShares -Threads 20 -RunSpaceTimeOut 10 -OutputDirectory c:\folder\

From Non-Domain System
runas /netonly /user:domain\user PowerShell.exe
Import-Module Invoke-HuntSMBShares.ps1
Invoke-HuntSMBShares -Threads 20 -RunSpaceTimeOut 10 -OutputDirectory c:\folder\ -DomainController 10.1.1.1 -Username domain\user -Password password