Folder and Registry Permission Vulnerability Validation

Incorrect folder or registry permissions allow an attacker with user-level privileges to potentially gain SYSTEM, either by inserting malware into the service execution path or by updating the registry path so that it points to the malware.


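#Whos running the script
#
# The report is written to the running user's Desktop. The Desktop folder is
# resolved through the environment rather than hard-coding "C:\users\<name>",
# which breaks on redirected profiles, non-C: system drives, and any account
# whose `whoami` output does not split into exactly "domain\user".
$who = [Environment]::UserName

# Findings file; every section below appends to it.
$outFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'VulnApps.txt'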


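#Unquoted paths
#
# A service whose ImagePath is unquoted and contains a space is resolved by
# the Service Control Manager one token at a time (C:\Program.exe, then
# C:\Program Files\Foo.exe, ...). If any of those intermediate directories is
# writable by a low-privileged user, a planted binary runs as the service
# account. This section lists the services whose path has that shape.

# First write truncates the file; all later sections append.
"UnQuoted Path Vulnerabilities" | Out-File $outFile

"" | Out-File $outFile -Append

# Returns $true when $PathName is an unquoted executable path containing a space.
# Only the executable part is inspected; arguments after ".exe" are ignored.
# The ".exe" search is case-insensitive (service paths are frequently ".EXE"),
# and a path with no ".exe" at all is inspected in full rather than truncated
# to its first three characters, which is what a -1 from IndexOf produced.
function Test-UnquotedServicePath {
    param([string]$PathName)

    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $trimmed = $PathName.Trim()
    if ($trimmed.StartsWith('"')) { return $false }

    $exeEnd = $trimmed.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
    $exePath = if ($exeEnd -ge 0) { $trimmed.Substring(0, $exeEnd + 4) } else { $trimmed }
    return $exePath.Contains(' ')
}

# Get-CimInstance replaces gwmi, which is absent from PowerShell 7; Win32_Service
# exposes the same Name/PathName properties.
$vulnSvc = Get-CimInstance -ClassName Win32_Service |
    Where-Object { Test-UnquotedServicePath $_.PathName }

# Report name and path: the path is what an administrator has to quote.
$vulnSvc | ForEach-Object { "$($_.Name)  $($_.PathName)" } | Out-File $outFile -Append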


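#Registry Permissions
#
# Each service's ImagePath lives under HKLM\SYSTEM\CurrentControlSet\Services\<svc>.
# A low-privileged principal that can write such a key (or a product key under
# HKLM\Software that a privileged process reads) can redirect execution.
# Unlike the earlier AccessToString text match, this inspects the typed ACEs,
# so partial write rights (SetValue, CreateSubKey, ...) are reported and Deny
# entries are never mistaken for grants.

" " | Out-File $outFile -Append

"Registry Paths where a low-privileged user has write access" | Out-File $outFile -Append

$HKLMSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$HKLMSoft = 'HKLM:\Software'

$HKLMCheck = $HKLMSvc,$HKLMSoft

# Well-known SIDs every local user is a member of. Comparing SIDs rather than
# names keeps the check working on localized Windows, where "BUILTIN\Users"
# is spelled differently.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that let a principal change the key's values or grant itself more.
# Read-only bits (QueryValues, EnumerateSubKeys, Notify, ReadPermissions) are
# deliberately excluded so that plain ReadKey ACEs do not match; FullControl
# contains every bit below and so still matches. The two raw constants are
# GENERIC_WRITE and GENERIC_ALL, which occasionally appear in unmapped ACEs.
$RR = [System.Security.AccessControl.RegistryRights]
$writeRegRights = [int]($RR::SetValue -bor $RR::CreateSubKey -bor $RR::Delete -bor
    $RR::ChangePermissions -bor $RR::TakeOwnership) -bor 0x40000000 -bor 0x10000000

Foreach ($key in $HKLMCheck) {

    # Get-ChildItem returns RegistryKey objects whose PSPath is already in
    # provider form, so neither the "HKEY_LOCAL_MACHINE" -> "HKLM:" rewrite nor
    # a `cd hklm:` (which left the caller's location changed) is needed.
    $subKeys = Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue

    Foreach ($subKey in $subKeys)
    {
        # Keys whose ACL the current user cannot read are skipped, not
        # reported: they are locked down, which is the desired state.
        $acl = Get-Acl -LiteralPath $subKey.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        # Explicit and inherited rules, identities resolved to SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        $hit = $rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $lowPrivSids -contains $_.IdentityReference.Value -and
            ((([int]$_.RegistryRights) -band $writeRegRights) -ne 0)
        }

        if ($hit) {
            $subKey.Name | Out-File $outFile -Append
        }
    }
}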


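#Folder\Directory Permissions
#
# A writable directory under Program Files lets a low-privileged user replace
# or plant binaries and DLLs that privileged services and scheduled tasks load.
# The typed ACEs are inspected instead of the AccessToString text, so write
# grants narrower than Modify/FullControl (e.g. CreateFiles) are also reported
# and Deny entries are never mistaken for grants. As before, only the first
# level of folders under each Program Files root is examined.

" " | Out-File $outFile -Append

"Folders in Program Files where a low-privileged user has write access" | Out-File $outFile -Append

# Well-known SIDs every local user is a member of; SIDs rather than names so
# the check also works on localized Windows.
$lowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that let a principal create or overwrite content in the directory or
# grant itself more. WriteData/AppendData are the CreateFiles/CreateDirectories
# bits on a directory. Read-only bits are excluded; Modify and FullControl both
# contain these bits and therefore still match. The raw constants are
# GENERIC_WRITE and GENERIC_ALL, which occasionally appear in unmapped ACEs.
$FR = [System.Security.AccessControl.FileSystemRights]
$writeFsRights = [int]($FR::WriteData -bor $FR::AppendData -bor $FR::Delete -bor
    $FR::ChangePermissions -bor $FR::TakeOwnership) -bor 0x40000000 -bor 0x10000000

# Resolve the real Program Files locations from the environment; the x86 root
# does not exist on 32-bit Windows, so only existing roots are enumerated.
$programRoots = @(@($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) })

$folders = @()
if ($programRoots.Count -gt 0) {
    $folders = Get-ChildItem -LiteralPath $programRoots -Directory -ErrorAction SilentlyContinue
}

foreach ($fold in $folders)
{
    # Folders whose ACL cannot be read are skipped: they are locked down.
    $foldAcl = Get-Acl -LiteralPath $fold.FullName -ErrorAction SilentlyContinue
    if (-not $foldAcl) { continue }

    # Explicit and inherited rules, identities resolved to SIDs.
    $rules = $foldAcl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    $hit = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivSids -contains $_.IdentityReference.Value -and
        ((([int]$_.FileSystemRights) -band $writeFsRights) -ne 0)
    }

    if ($hit) {
        $fold.FullName | Out-File $outFile -Append
    }
}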

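# Open the report for the user. The path is quoted so a profile folder that
# contains a space survives Start-Process's argument splitting.
Start-Process -FilePath notepad.exe -ArgumentList "`"$outFile`""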