Giters

nccgroup / WindowsDACLEnumProject

A collection of tools to enumerate and analyse Windows DACLs

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Windows DACL Enum Project

A collection of tools to enumerate and analyse Windows DACLs

Released as open source by NCC Group Plc - http://www.nccgroup.com/

Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com

https://github.com/nccgroup/WindowsDACLEnumProject

Released under AGPL see LICENSE for more information

Overview of Windows DACLs and ACEs

Read - http://msdn.microsoft.com/en-us/library/windows/desktop/aa446597(v=vs.85).aspx

Tool #1: Process Perms

Features

The first tool released as part of this project. Will enumerate:

  • Processes and the integrity level and user they are running as.
  • Optionally: the DACLs associated with the process object.
  • Optionally: the threads for a process and the DACLs associated with them.
  • Optionally: The modules loaded by a process
  • Optionally: Exclude non mapped SIDs from the output

The tool will automatically flag any suspicious DACLs.

Command Line Options

The command line take the following options:

  • -p Process permissions
  • -m Modules
  • -t Threads and permissions
  • -o [PID]
  • -x exclude non mapped SIDs from alerts
Typical Usage

Typical usage will be with a command line such as: processperms -px

The tool is designed for Windows Vista / Server 2008 and higher due to integrity level awareness.

Screenshot

======= Designed for Windows Vista / Server 2008 and higher due to integrity level awareness.

ScreenShot

Tool #2: Window Stations and Desktops

Features

The second tool released as part of this project. Will enumerate:

  • Window Stations within the session that it is executed and the associated DACL
  • Desktops within those Window Stations and the associated DACLs

Tool #3: Services

Features

The third tool released as part of this project. Will enumerate:

  • Services including kernel drivers, filter drivers and user land services.
  • DACLs associated with the service entries in the service control manager.
  • Service status, PID, binary path.
  • DACLs associated with with the binaries associated
  • Flag obviously weak DACLs

Tool #4: File System

Features

The fourth tool released as part of this project. Will enumerate:

  • Files and access control lists
  • Directories and access control lists
  • Alert on files or directories with access control which appear weak

Tool #5: Registry

Features

The fifth tool released as part of this project. Will enumerate:

  • Registry keys and access control lists
  • Alert on keys with access control which appear weak
  • -s parameter to exclude all but the most suspicious output (see -h).
  • -x paramater to only alert on suspicious output (see -h).

About

A collection of tools to enumerate and analyse Windows DACLs

License:GNU Affero General Public License v3.0

Languages

Language:C++ 92.6%Language:C 7.1%Language:Batchfile 0.3%