Fix for Weak Folder and Registry Permissions
Fix for Weak Folder and Registry Permissions, Preventing Attackers from Replacing Approved Program Files.
Here's another fix for a common attack vector against Windows: weak folder and registry permissions that allow an attacker to inject their code and replace an approved application's program file. The attack itself was covered previously (here).
Validates that registry paths to Services and Software do not allow Users, Authenticated Users or Everyone to modify keys, which would let an attacker update the settings and repoint them to malware.
Validates that any folder not created by default does not grant Users, Authenticated Users or Everyone 'Write' and 'Execute', and resets such permissions to 'Read' and 'Execute'.
Validates that system folders do not grant Users, Authenticated Users or Everyone 'Write' permissions, and resets such permissions to 'Read' and 'Execute'.
Further information on these attacks can be found at https://www.tenaka.net/unquotedpaths
Download the text file at the bottom of the page, rename the extension to .ps1 and run it as administrator. Of course the normal rules apply: it's at your own risk, so test first.
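Function WriteablFiles
{
<#
.SYNOPSIS
Resets weak NTFS permissions on executables under the default program folders.
.DESCRIPTION
Recurses PerfLogs, Program Files and Program Files (x86) for *.exe and *.dll files. A file
whose ACL shows BUILTIN\Users, Everyone or NT AUTHORITY\Authenticated Users allowed Write,
Modify or FullControl is logged to C:\Secure10\output\WriteableFiles\WriteableFiles.log and
echoed to the console; inheritance is then re-enabled on the file and that principal's
explicit Allow entries are replaced by a single Read entry.
The function name (missing 'e') is kept because the call at the end of the script uses it.
.EXAMPLE
WriteablFiles
.NOTES
210617.01 - Created
#>
    $OutFunc = "WriteableFiles"
    $outDir = "C:\Secure10\output\$OutFunc\"
    if (-not (Test-Path $outDir))
    {
        New-Item -Path $outDir -ItemType Directory -Force | Out-Null
    }
    $lpath = Join-Path $outDir "$OutFunc.log"

    # Match: the principal as it is rendered in AccessToString (the BUILTIN\ prefix keeps the
    # Users check from also matching "Authenticated Users"). Account: the name the new rule is built for.
    $principals = @(
        @{ Match = 'BUILTIN\Users';                    Account = 'Users' },
        @{ Match = 'Everyone';                         Account = 'Everyone' },
        @{ Match = 'NT AUTHORITY\Authenticated Users'; Account = 'NT AUTHORITY\Authenticated Users' }
    )

    # Returns $true when the ACL's AccessToString shows $principal allowed Write, Modify or FullControl.
    function Test-WeakAce
    {
        param($acl, [string]$principal)
        foreach ($right in 'Write', 'Modify', 'FullControl')
        {
            if ($acl.AccessToString -like "*$principal Allow $right*") { return $true }
        }
        return $false
    }

    # Re-enables inheritance on $path, then replaces the explicit Allow entries of $account
    # with a single non-inheriting Read entry.
    # NOTE(review): SetAccessRule only rewrites explicit entries; a weak permission that is
    # inherited from the parent folder would survive this and need fixing on the folder - confirm.
    function Set-ReadOnlyAce
    {
        param([string]$path, [string]$account)
        $aclInh = Get-Acl -LiteralPath $path
        $aclInh.SetAccessRuleProtection($false, $true)
        Set-Acl -LiteralPath $path -AclObject $aclInh
        $getAcl = Get-Acl -LiteralPath $path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "READ", "None", "None", "Allow")
        $getAcl.SetAccessRule($rule)
        Set-Acl -LiteralPath $path -AclObject $getAcl
    }

    # Only directories are roots; a file at the root of C:\ with one of these names is ignored.
    $programRoots = @('PerfLogs', 'Program Files', 'Program Files (x86)')
    $roots = Get-ChildItem C:\ -Directory | Where-Object { $_.Name -in $programRoots }
    $files = foreach ($root in $roots.FullName)
    {
        Get-ChildItem -Path $root -Force -Recurse -Include *.exe, *.dll
    }

    foreach ($file in $files)
    {
        if (-not $file) { continue }
        $cfile = $file.FullName
        # All three principals are judged against the ACL as it was before any change.
        $cfileAcl = Get-Acl -LiteralPath $cfile -ErrorAction SilentlyContinue
        if (-not $cfileAcl) { continue }   # unreadable ACL: nothing to evaluate
        foreach ($p in $principals)
        {
            if (Test-WeakAce $cfileAcl $p.Match)
            {
                $cfile | Out-File -FilePath $lpath -Append
                Write-Host $cfile -ForegroundColor green
                Set-ReadOnlyAce $cfile $p.Account
            }
        }
    }
}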
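Function WriteableFolders
{
<#
.SYNOPSIS
Resets weak NTFS permissions on folders under C:\ that standard users could otherwise write to.
.DESCRIPTION
Two passes share one log, C:\Secure10\output\WriteableFolders\WriteableFolders.log:
 1. Every folder off the root of C:\ other than PerfLogs, Program Files, Program Files (x86),
    Users and Windows, together with its whole subtree.
 2. The subtrees of PerfLogs, Program Files, Program Files (x86) and Windows (the roots
    themselves are not touched).
A folder is fixed when its ACL shows BUILTIN\Users, Everyone or NT AUTHORITY\Authenticated Users
allowed Write, Modify or FullControl: inheritance is re-enabled and that principal's explicit
Allow entries are replaced by a ReadAndExecute entry that propagates to subfolders and files.
In pass 2 the Users entries are removed outright instead of replaced, so the folder is left
with whatever Users entry it inherits from its parent.
Before either pass, icacls removes the Authenticated Users grant from the DACL of C:\ itself
(the original comment describes this as the root Modify grant); that call is not recursive.
.EXAMPLE
WriteableFolders
.NOTES
210617.01 - Created
#>
    $OutFunc = "WriteableFolders"
    $outDir = "C:\Secure10\output\$OutFunc\"
    if (-not (Test-Path $outDir))
    {
        New-Item -Path $outDir -ItemType Directory -Force | Out-Null
    }
    $lpath = Join-Path $outDir "$OutFunc.log"

    # Removes Users\Auth Users Root Modify (no /T, so only the DACL of C:\ itself changes).
    & icacls.exe c:\ /remove:g "Authenticated Users"

    # New entries apply to the folder, its subfolders (ContainerInherit) and its files (ObjectInherit).
    $inherCnIn = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $inherObIn = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $inherit = $inherCnIn -bor $inherObIn

    $systemRoots = @('PerfLogs', 'Program Files', 'Program Files (x86)', 'Windows')
    # Match: the principal as rendered in AccessToString (the BUILTIN\ prefix keeps the Users
    # check from also matching "Authenticated Users"). Account: the name the new rule is built for.
    $principals = @(
        @{ Match = 'BUILTIN\Users';                    Account = 'Users';                            Colour = 'green' },
        @{ Match = 'Everyone';                         Account = 'Everyone';                         Colour = 'cyan' },
        @{ Match = 'NT AUTHORITY\Authenticated Users'; Account = 'NT AUTHORITY\Authenticated Users'; Colour = 'yellow' }
    )

    # Returns $true when the ACL's AccessToString shows $principal allowed Write, Modify or FullControl.
    function Test-WeakAce
    {
        param($acl, [string]$principal)
        foreach ($right in 'Write', 'Modify', 'FullControl')
        {
            if ($acl.AccessToString -like "*$principal Allow $right*") { return $true }
        }
        return $false
    }

    # Re-enables inheritance on $path, then replaces the explicit Allow entries of $account with
    # one inheritable ReadAndExecute entry - or, with -Remove, deletes them without a replacement.
    # NOTE(review): SetAccessRule/RemoveAccessRuleAll act on explicit entries; an inherited weak
    # entry would survive and have to be fixed on the folder it comes from - confirm.
    function Set-FolderAce
    {
        param([string]$path, [string]$account, [switch]$Remove)
        $aclInh = Get-Acl -LiteralPath $path
        $aclInh.SetAccessRuleProtection($false, $false)
        Set-Acl -LiteralPath $path -AclObject $aclInh
        $getAcl = Get-Acl -LiteralPath $path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, "ReadAndExecute", $inherit, "None", "Allow")
        if ($Remove) { $getAcl.RemoveAccessRuleAll($rule) } else { $getAcl.SetAccessRule($rule) }
        Set-Acl -LiteralPath $path -AclObject $getAcl
    }

    # Logs, echoes and fixes every folder object in $folders with a weak entry for one of $principals.
    # All three principals are judged against the ACL as it was before any change.
    # $removeUsersRule selects the pass-2 treatment of BUILTIN\Users (remove rather than replace).
    # NOTE(review): that asymmetry between Users and the other two principals is the original
    # behaviour; confirm it is intended.
    function Repair-Folders
    {
        param($folders, [bool]$removeUsersRule)
        foreach ($item in $folders)
        {
            if (-not $item) { continue }
            $cfold = $item.FullName
            $cfoldAcl = Get-Acl -LiteralPath $cfold -ErrorAction SilentlyContinue
            if (-not $cfoldAcl) { continue }   # unreadable ACL: nothing to evaluate
            foreach ($p in $principals)
            {
                if (Test-WeakAce $cfoldAcl $p.Match)
                {
                    $cfold | Out-File -FilePath $lpath -Append
                    Write-Host $cfold -ForegroundColor $p.Colour
                    Set-FolderAce $cfold $p.Account -Remove:($removeUsersRule -and $p.Account -eq 'Users')
                }
            }
        }
    }

    # Pass 1: additional folders off the root of C: that are not system. The root folders are
    # included once, ahead of their subtrees (previously they were re-added on every iteration).
    $extraRoots = Get-ChildItem C:\ -Directory | Where-Object { $_.Name -notin $systemRoots -and $_.Name -ne 'Users' }
    $extraSubs = foreach ($hfold in $extraRoots.FullName)
    {
        Get-ChildItem -Path $hfold -Directory -Recurse -Force
    }
    Repair-Folders (@($extraRoots) + @($extraSubs)) $false

    # Pass 2: subtrees of the system folders only.
    $sysRoots = Get-ChildItem C:\ -Directory | Where-Object { $_.Name -in $systemRoots }
    $sysSubs = foreach ($hfold in $sysRoots.FullName)
    {
        Get-ChildItem -Path $hfold -Directory -Recurse -Force
    }
    Repair-Folders $sysSubs $true
}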
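Function WriteableRegistry
{
<#
.SYNOPSIS
Resets registry keys that grant standard users FullControl back to ReadKey.
.DESCRIPTION
Walks two levels of subkeys below HKLM:\Software and HKLM:\SYSTEM\CurrentControlSet\Services
(skipping the SOFTWARE\Classes tree). A key whose ACL shows BUILTIN\Users,
NT AUTHORITY\Authenticated Users or Everyone allowed FullControl is logged to
C:\Secure10\output\WriteableReg\WriteableReg.log and that principal's explicit Allow entries
are replaced by a single ReadKey entry.
Only the literal "FullControl" text is matched: an entry granting e.g. SetValue or
CreateSubKey without FullControl is not detected, so this is a partial check of the
weak-ACL class. Every key visited is also written to the pipeline (Write-Output) as progress.
The caller's current location is left untouched; all paths are HKLM: drive-qualified.
.EXAMPLE
WriteableRegistry
.NOTES
210617.01 - Created
#>
    $OutFunc = "WriteableReg"
    $outDir = "C:\Secure10\output\$OutFunc\"
    if (-not (Test-Path $outDir))
    {
        New-Item -Path $outDir -ItemType Directory -Force | Out-Null
    }
    $lpath = Join-Path $outDir "$OutFunc.log"

    # Inheritance flag for the replacement ReadKey entry (kept from the original).
    # NOTE(review): registry keys are containers only; ContainerInherit is the flag that
    # propagates to subkeys - confirm ObjectInherit is what is wanted here.
    $inherObIn = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

    # Registry Permissions
    $HKLMSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $HKLMSoft = 'HKLM:\Software'
    $HKLMCheck = $HKLMSoft, $HKLMSvc

    # Match: the principal as rendered in AccessToString. Account: the name the new rule is built for.
    $principals = @(
        @{ Match = 'BUILTIN\Users';                    Account = 'Users';               Colour = 'red' },
        @{ Match = 'NT AUTHORITY\Authenticated Users'; Account = 'Authenticated Users'; Colour = 'yellow' },
        @{ Match = 'Everyone';                         Account = 'Everyone';            Colour = 'cyan' }
    )

    # Replaces the explicit Allow entries of $account on $regPath with a single ReadKey entry.
    function Set-ReadKeyAce
    {
        param([string]$regPath, [string]$account)
        $getAcl = Get-Acl -LiteralPath $regPath
        $RegAcc = New-Object System.Security.AccessControl.RegistryAccessRule($account, "READKEY", $inherObIn, "none", "Allow")
        $getAcl.SetAccessRule($RegAcc)
        Set-Acl -LiteralPath $regPath -AclObject $getAcl
    }

    foreach ($key in $HKLMCheck)
    {
        # Key names come back as HKEY_LOCAL_MACHINE\...; the provider path needs the HKLM: drive prefix.
        $regList = Get-ChildItem $key -Recurse -Depth 1 |
            Where-Object { $_.Name -notlike "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*" } |
            ForEach-Object { $_.Name.Replace("HKEY_LOCAL_MACHINE", "HKLM:") }

        foreach ($regPath in $regList)
        {
            $acl = Get-Acl -LiteralPath $regPath -ErrorAction SilentlyContinue
            Write-Output $regPath
            if (-not $acl) { continue }   # unreadable ACL: reported above, not changed
            $acc = $acl.AccessToString
            foreach ($p in $principals)
            {
                if ($acc | Select-String -SimpleMatch "$($p.Match) Allow FullControl")
                {
                    $regPath | Out-File -FilePath $lpath -Append
                    Write-Host $regPath -ForegroundColor $p.Colour
                    Set-ReadKeyAce $regPath $p.Account
                }
            }
        }
    }
}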
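#Requires -RunAsAdministrator
# Every function rewrites DACLs under C:\ and HKLM, so refuse to start unelevated rather than
# apply a partial fix. Run order kept: registry, then files, then folders.
WriteableRegistry
WriteablFiles
WriteableFolders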