PSAccessFinder
This Powershell script search recursive for folders where the current user has Write, Modify or FullControl permissions. Its meant to find insufficient permissions that can be used for DLL Hijacking or to bypass AppLocker.
If it found a folder with permissions, it skipps the subfolders of them.
Features
- prevents some time-consuming Windows folders, modify them in the
$global:skippFolders
array - supports german and english schemas
- check permissions for
- Current User
- BUILTIN Users
- Domain Users
- Authenticated Users
- when reading from csv input: stepping upwards until a folder exist and checks again the permissions
- check services and parent folder permissions
- check system environment variable pathes
- service filter: all, non windows, unquoted
Syntax
C:\PS\PSAccessFinder>.\findWriteAccess.ps1 [[-startfolder] <String>] [[-inputCSV] <String>] [-envCheck] [-services] [[-serviceFilter] <Int32>] [-noRecurse]
[-noSkip] [-checkParents] [[-verbose] <Int32>] [-formatList]
Examples
Recursive Check of Subolders
check permissions in sub directories, starting at the current directory
C:\PS>.\findWriteAccess.ps1
check permissions in sub directories, starting at the defined start folder, as this could take some time, add verbose 1 to instantly print matching folders
C:\PS>.\findWriteAccess.ps1 -startfolder "C:\Users\Admin" -verbose 1
CSV Input
use a csv containing a coloumn "Path" and "Process Name" to check, usually you will take a export from procmon.exe, verbose 2 will instantly print matching and also folders with no permissions, -formatList will print the output as a list
C:\PS>.\findWriteAccess.ps1 -procInput .\Logfile.CSV -verbose 2 -formatList
System Environment Variables
Check for write access in system environment variable pathes
C:\PS>.\findWriteAccess.ps1 -envCheck
Services
retrieve all services with path to the executables and check access of these folders
C:\PS>.\findWriteAccess.ps1 -services
show all unquoted non windows services and check permissons also of the parent folders
C:\PS>.\findWriteAccess.ps1 -services -serviceFilter 2 -verbose 1 -checkParents
Error Handling
if you get errors like this after copy pasting the script:
.....char:38
$global.authSchema = "NT-AUTORIT.."
unexpected token 'T\Authentifizerte`' in expression or statement.
you need to save the script with UTF-8-BOM encoding.
Remarks
To see the examples, type: "Get-Help findWriteAccess.ps1 -Examples"
For more information, type: "Get-Help findWriteAccess.ps1 -Detailed"
For technical information, type: "Get-Help findWriteAccess.ps1 -Full"
For online help, type: "Get-Help findWriteAccess.ps1 -Online"