Awesome
Windows DACL Enum Project
A collection of tools to enumerate and analyse Windows DACLs
Released as open source by NCC Group Plc - http://www.nccgroup.com/
Developed by Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
https://github.com/nccgroup/WindowsDACLEnumProject
Released under AGPL see LICENSE for more information
Overview of Windows DACLs and ACEs
Read - http://msdn.microsoft.com/en-us/library/windows/desktop/aa446597(v=vs.85).aspx
Tool #1: Process Perms
Features
The first tool released as part of this project. Will enumerate:
- Processes and the integrity level and user they are running as.
- Optionally: the DACLs associated with the process object.
- Optionally: the threads for a process and the DACLs associated with them.
- Optionally: The modules loaded by a process
- Optionally: Exclude non mapped SIDs from the output
The tool will automatically flag any suspicious DACLs.
Command Line Options
The command line take the following options:
- -p Process permissions
- -m Modules
- -t Threads and permissions
- -o [PID]
- -x exclude non mapped SIDs from alerts
Typical Usage
Typical usage will be with a command line such as: processperms -px
The tool is designed for Windows Vista / Server 2008 and higher due to integrity level awareness.
Screenshot
======= Designed for Windows Vista / Server 2008 and higher due to integrity level awareness.
Tool #2: Window Stations and Desktops
Features
The second tool released as part of this project. Will enumerate:
- Window Stations within the session that it is executed and the associated DACL
- Desktops within those Window Stations and the associated DACLs
Tool #3: Services
Features
The third tool released as part of this project. Will enumerate:
- Services including kernel drivers, filter drivers and user land services.
- DACLs associated with the service entries in the service control manager.
- Service status, PID, binary path.
- DACLs associated with with the binaries associated
- Flag obviously weak DACLs
Tool #4: File System
Features
The fourth tool released as part of this project. Will enumerate:
- Files and access control lists
- Directories and access control lists
- Alert on files or directories with access control which appear weak
Tool #5: Registry
Features
The fifth tool released as part of this project. Will enumerate:
- Registry keys and access control lists
- Alert on keys with access control which appear weak
- -s parameter to exclude all but the most suspicious output (see -h).
- -x paramater to only alert on suspicious output (see -h).