Folder and Registry Permission Vulnerability Validation
Incorrect folder or registry permissions allow an attacker with user-level privileges to potentially gain SYSTEM privileges, either by inserting malware into the service execution path or by updating the registry path so that it points to the malware.
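# Who is running the script (informational) and where the report is written.
# whoami returns DOMAIN\user; take the last element so a local account with no
# domain prefix still yields a user name instead of $null.
$who = (whoami).split("\")[-1]
# Resolve the Desktop through the shell folder API rather than a hard-coded
# C:\users\<user>\Desktop, which breaks for relocated or redirected profiles.
$outFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'VulnApps.txt'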
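# Unquoted service paths: when an executable path contains a space and is not
# quoted, the Service Control Manager may try each space-delimited prefix, so a
# user who can write to one of those intermediate directories can get their own
# binary started with the service's privileges. Report such services.
"UnQuoted Path Vulnerabilities" | Out-File $outFile
"" | Out-File $outFile -Append
$vulnSvc = Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -and $_.PathName.Trim() -ne "" } |
    Where-Object { -not $_.PathName.StartsWith('"') } |
    Where-Object {
        # IndexOf(".exe") is case-sensitive, so "FOO.EXE" was missed before and a
        # path with no ".exe" produced Substring(0, 3); search case-insensitively
        # and require a hit before slicing.
        $exeIdx = $_.PathName.ToLower().IndexOf(".exe")
        ($exeIdx -ge 0) -and ($_.PathName.Substring(0, $exeIdx + 4) -match ' ')
    }
if ($vulnSvc) {
    # Name plus path: the auditor needs the path to check whether the
    # intermediate directories are actually writable by a low-privileged user.
    $vulnSvc | ForEach-Object { "{0}`t{1}" -f $_.Name, $_.PathName } | Out-File $outFile -Append
} else {
    # Distinguish "nothing found" from a silently failed query.
    "None found" | Out-File $outFile -Append
}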
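# Registry permissions: a low-privileged principal that can write a service key
# (e.g. its ImagePath value) or a software key read by a privileged process can
# redirect that process to another binary. Report keys granting such rights.
" " | Out-File $outFile -Append
"Registry Paths where a low-privileged user has Full Control or can SetValue/CreateSubKey" | Out-File $outFile -Append
$HKLMSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$HKLMSoft = 'HKLM:\Software'
$HKLMCheck = $HKLMSvc, $HKLMSoft
# Principals every interactive/authenticated user belongs to; Everyone and
# INTERACTIVE were not covered by the original two string matches.
$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Any of these bits lets a user change what the key points to or widen its ACL.
# FullControl contains all of them, so the original FullControl-only test is a
# subset of this check.
$regWriteMask = [int]([System.Security.AccessControl.RegistryRights]::SetValue -bor
                      [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                      [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                      [System.Security.AccessControl.RegistryRights]::TakeOwnership)
foreach ($key in $HKLMCheck) {
    # Only direct children are examined (for Services these are the service keys).
    # Keys are addressed by full provider path, so no 'cd hklm:' is needed and the
    # caller's working directory is left untouched.
    foreach ($subKey in (Get-ChildItem -Path $key -ErrorAction SilentlyContinue)) {
        # Some keys deny read access to ordinary users; skip them rather than
        # spray non-terminating errors over the console.
        $acl = Get-Acl -Path $subKey.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        # Inspect the ACEs directly instead of string-matching AccessToString,
        # whose exact spacing between "Allow" and the rights is a display
        # format, not a contract.
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.RegistryRights -band $regWriteMask) -ne 0) {
                # Record who has the right and which right, not just the key.
                "{0}`t{1}`t{2}" -f $subKey.Name, $ace.IdentityReference.Value, $ace.RegistryRights | Out-File $outFile -Append
            }
        }
    }
}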
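# Folder permissions: a low-privileged user who can create files in a Program
# Files directory can place binaries or DLLs that privileged services load from
# there. Report directories granting such rights.
" " | Out-File $outFile -Append
"Folders where a low-privileged user has Modify/Full Control or can create files in Program Files" | Out-File $outFile -Append
# Use the environment rather than hard-coded C:\ paths; the (x86) directory does
# not exist on 32-bit Windows, so keep only the roots that are present.
$programRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
# Principals every interactive/authenticated user belongs to; Everyone and
# INTERACTIVE were not covered by the original string matches.
$lowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Bits that let a user add or replace content in the directory, or widen its ACL.
# Modify and FullControl both contain CreateFiles/CreateDirectories, so the
# original "FullControl" / "Modify, Synchronize" matches are a subset of this.
# Generic (GENERIC_*) rights bits in inheritable ACEs are not decoded here.
$fsWriteMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                     [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                     [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                     [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
# Top-level directories only, as before; subdirectories are not recursed.
$folders = Get-ChildItem -Path $programRoots -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
foreach ($fold in $folders) {
    # Directories the current user cannot read are skipped rather than aborting.
    $foldAcl = Get-Acl -LiteralPath $fold.FullName -ErrorAction SilentlyContinue
    if (-not $foldAcl) { continue }
    # Inspect ACEs directly instead of string-matching AccessToString, whose
    # exact spacing between "Allow" and the rights is a display format.
    foreach ($ace in $foldAcl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $fsWriteMask) -ne 0) {
            # Record who has the right and which right, not just the folder.
            "{0}`t{1}`t{2}" -f $fold.FullName, $ace.IdentityReference.Value, $ace.FileSystemRights | Out-File $outFile -Append
        }
    }
}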
# Open the finished report for the operator ('start' is the Start-Process alias;
# positional arguments bind to -FilePath and -ArgumentList).
Start-Process -FilePath 'notepad.exe' -ArgumentList $outFile