search
Infiltr8ForumGitHub
githubEdit

FIle/Folder ACLs

MITRE ATT&CK™ File and Directory Discovery - Technique T1083

hashtag
Theory

An Access Control List (ACL) consists of Access Control Entries (ACEs), each specifying access rights for a trustee. There are two main types of ACLs within a security descriptor for a securable object: the Discretionary Access Control List (DACL) and the System Access Control List (SACL).

  • Discretionary Access Control List (DACL): The DACL identifies trustees permitted or denied access to a securable object.

  • System Access Control List (SACL): The SACL permits administrators to record access attempts to secured objects.

Understanding the compromised machine's characteristics is essential. Enumerating File and Folder ACLs is critical part of this process. This process includes investigating who has access to critical files, what level of access is granted, and whether there are misconfigured permissions that could potentially lead to unauthorized access, data leakage, or privilege escalation.

hashtag
Practice

hashtag
Find Writable Files/Folders

We can find all writable folders and files for our current user using the following command

Get-ChildItem "c:\" -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $fileName = $_.FullName; $acls = Get-Acl $fileName -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Access | Where-Object { $_.FileSystemRights -match "Full|Modify|Write" -and $_.IdentityReference -match "Authenticated Users|Everyone|$env:username" }; if ($acls -ne $null) { [pscustomobject]@{ filename = $fileName; user = $acls | Select-Object -ExpandProperty IdentityReference } } } 2>$null |fl

hashtag
Resources

LogoAccess Control Lists - Win32 appsMicrosoftLearnchevron-right
LogoFile and Directory Discovery, Technique T1083 - Enterprise | MITRE ATT&CK®attack.mitre.orgchevron-right

Last updated