https://attack.mitre.org/techniques/T1222/001/
Example process-creation record for this technique: icacls grants Everyone full control on the current directory; /T recurses into subfolders, /C continues on errors and /Q suppresses the success messages.
Image: C:\Windows\system32\icacls.exe
cmdline: ICACLS . /GRANT EVERYONE:F /T /C /Q
icacls C:\Windows\System32\config\sam
cacls is the older tool (deprecated in favour of icacls, but still present). /p replaces the named user's access entry:
C:\Users\Avi\Desktop>cacls TestCACLS /p Users:n   (n = none, no access)
Now no member of Users can access the TestCACLS folder.
C:\Users\Avi\Desktop>cacls TestCACLS /p Users:f   (f = full control)
Now the folder is accessible again.
https://ss64.com/nt/cacls.html
Check permissions:
icacls putty.exe
Force remove (add an explicit deny of full control for tsa_admin):
icacls putty.exe /deny tsa_admin:(F)
Then add Read + Execute (/grant:r replaces tsa_admin's existing explicit grants with RX instead of adding to them):
icacls putty.exe /grant:r tsa_admin:(RX)
Validate permissions:
icacls putty.exe
Caveat: /grant:r only replaces allow entries. The deny entry from the previous step stays in the DACL, and a deny wins over an allow, so tsa_admin still cannot read or execute the file until that deny entry is removed (icacls has a /remove:d switch for this). The validation step shows both entries, which is why it matters.
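The validation step only prints the ACL; deciding what it means is left to the reader. As an added example (not from the original page) the Python below parses that icacls output using the (OI)/(CI)/(F)/(RX) abbreviations listed further down, answers "does this principal effectively have this right" with deny entries winning, and flags allow entries that hand a broad group write-like rights, which is what the EVERYONE:F command line at the top of the page produces. Both icacls output samples are constructed, the (DENY) marker and the single-path output layout are assumed, and BROAD_GROUPS is an assumption to tune per estate.

```python
import re
from dataclasses import dataclass, field

# Inheritance flags as icacls prints them: (I) inherited, plus (OI)/(CI)/(IO)/(NP) from the table on this page
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Simple rights and the simple rights each one implies (Modify = read/execute + write + delete)
IMPLIES = {
    "F": {"F", "M", "RX", "R", "W", "D"},
    "M": {"M", "RX", "R", "W", "D"},
    "RX": {"RX", "R"},
    "R": {"R"},
    "W": {"W"},
    "D": {"D"},
    "N": set(),
}
# Principals that amount to "anyone who can log on" (assumption; extend for your environment)
BROAD_GROUPS = {"everyone", "builtin\\users", "users", "nt authority\\authenticated users", "authenticated users"}

# One icacls output line with the path already stripped: PRINCIPAL:(flag)(flag)...
ACE_RE = re.compile(r"^(?P<who>[^:()]+):(?P<flags>(?:\([^)]*\))+)$")


@dataclass
class Ace:
    principal: str
    deny: bool = False
    inherit: list = field(default_factory=list)   # e.g. ["OI", "CI"]
    rights: set = field(default_factory=set)      # simple rights ("F") or specific ones ("WDAC")

    def grants(self):
        """Simple rights this ACE covers, with F/M expanded; specific rights are kept verbatim."""
        out = set()
        for r in self.rights:
            out |= IMPLIES.get(r, {r})
        return out


def parse_icacls(text):
    """Parse `icacls <path>` output for a single path into (path, [Ace, ...]).

    icacls prints the path followed by the first ACE, one indented ACE per further line,
    a blank line and a 'Successfully processed' summary. Assumes the path has no spaces.
    """
    path, aces = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if path is None:
            path, line = line.split(None, 1)
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised icacls line: {raw!r}")
        ace = Ace(principal=m.group("who").strip())
        for tok in re.findall(r"\(([^)]*)\)", m.group("flags")):
            if tok == "DENY":          # assumed marker icacls prints in front of a deny ACE's rights
                ace.deny = True
            elif tok in INHERIT_FLAGS:
                ace.inherit.append(tok)
            else:
                ace.rights |= set(tok.split(","))   # "RX" or a list such as "RX,W"
        aces.append(ace)
    return path, aces


def has_access(aces, principal, right):
    """Does `principal` effectively hold simple right `right` on this object?

    Only ACEs naming that principal are considered (group membership is not resolved), and any
    matching deny wins, mirroring the explicit-deny-before-explicit-allow order Windows uses.
    """
    mine = [a for a in aces if a.principal.lower() == principal.lower()]
    if any(a.deny and right in a.grants() for a in mine):
        return False
    return any(not a.deny and right in a.grants() for a in mine)


def weak_aces(aces):
    """Allow ACEs that give a broad group a right letting it change the object or its ACL."""
    return [a for a in aces
            if not a.deny and a.principal.lower() in BROAD_GROUPS
            and a.grants() & {"F", "M", "W", "D", "WDAC", "WO"}]


# Constructed sample: putty.exe after the /deny and /grant:r steps above
PUTTY_OUTPUT = r"""putty.exe NT AUTHORITY\SYSTEM:(I)(F)
          BUILTIN\Administrators:(I)(F)
          BUILTIN\Users:(I)(RX)
          TSA\tsa_admin:(DENY)(F)
          TSA\tsa_admin:(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample: a folder after `ICACLS . /GRANT EVERYONE:F /T`
SHARE_OUTPUT = r"""C:\share\tools NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
               BUILTIN\Administrators:(I)(OI)(CI)(F)
               Everyone:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    path, aces = parse_icacls(PUTTY_OUTPUT)
    print(path, "tsa_admin has RX:", has_access(aces, r"TSA\tsa_admin", "RX"))
    share, share_aces = parse_icacls(SHARE_OUTPUT)
    print(share, "weak:", [(a.principal, a.inherit, sorted(a.rights)) for a in weak_aces(share_aces)])
```

Running it reports that tsa_admin does not have RX on putty.exe despite the (RX) allow entry, because the (DENY)(F) entry covers RX, and flags Everyone:(OI)(CI)(F) on the share folder as a weak, inheritable full-control grant.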
icacls "%WINDIR%\system32\msimg64.dll" /grant administrators:F
Detection:
Windows Security log event ID 4670 (Permissions on an object were changed) is logged when a DACL is modified. It is not on by default: it needs the object access auditing subcategory (Audit File System for files) enabled and a matching SACL on the object. Process-creation logging (event 4688 with command-line auditing, or an equivalent endpoint sensor) catches the tool invocation itself, which is useful because the command line shows who was granted what and on which path.
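As an added example (not from the page or from MITRE), the Python below applies that command-line angle to process-creation records: it flags icacls, cacls, takeown or attrib runs that grant a broad principal write-like rights, recurse with /T, reset an ACL, take ownership, or touch a sensitive path. The events are constructed with Image, CommandLine and CurrentDirectory field names (assumed); SENSITIVE_ROOTS and BROAD_PRINCIPALS are assumptions to tune per environment. It does not parse the SDDL carried in 4670's Old/New SD fields.

```python
import ntpath
import re

# Built-in tools the page lists for DACL tampering (takeown changes ownership, which then permits DACL edits)
DACL_TOOLS = {"icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe"}
# Principals that amount to "everyone on the box"; *S-1-1-0 / *S-1-5-11 are the SID forms icacls accepts
BROAD_PRINCIPALS = {"everyone", "users", "builtin\\users", "authenticated users", "*s-1-1-0", "*s-1-5-11"}
# Rights letting the holder change content or the ACL; cacls uses C (change) where icacls uses M
WRITE_LIKE = {"F", "M", "W", "D", "C", "WDAC", "WO"}
# Directories where any permission change deserves a look (assumption, tune per estate)
SENSITIVE_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files", r"c:\programdata")
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted arguments together and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def rights_of(spec):
    """'EVERYONE:F' / 'tsa_admin:(OI)(CI)(RX,W)' / 'Users:n' -> (principal lowercased, {rights})."""
    who, _, perm = spec.rpartition(":")   # principal (DOMAIN\user) never contains ':'
    if not who:
        return None, set()
    rights = set()
    for tok in re.findall(r"\(([^)]*)\)", perm) + [re.sub(r"\([^)]*\)", "", perm)]:
        rights |= {r.strip().upper() for r in tok.split(",") if r.strip()}
    return who.lower(), rights - INHERIT_FLAGS


def analyze(event):
    """Reasons this process-creation event looks like T1222.001; [] means nothing noteworthy."""
    image = ntpath.basename(event["Image"]).lower()
    if image not in DACL_TOOLS:
        return []
    args = tokenize(event["CommandLine"])[1:]
    reasons, target = [], None
    if image == "takeown.exe":            # takeown names its target after /f
        for i, a in enumerate(args[:-1]):
            if a.lower() == "/f":
                target = args[i + 1]
        reasons.append("ownership change")
    elif args and not args[0].startswith("/"):   # icacls/cacls/attrib take the path first
        target = args[0]
    if target is not None:
        full = ntpath.normpath(ntpath.join(event.get("CurrentDirectory", ""), target)).lower()
        if full.startswith(SENSITIVE_ROOTS):
            reasons.append(f"sensitive path {full}")
    lowered = [a.lower() for a in args]
    for i, a in enumerate(lowered):
        if a in ("/grant", "/grant:r", "/g", "/p") and i + 1 < len(args):
            who, rights = rights_of(args[i + 1])
            if who in BROAD_PRINCIPALS and rights & WRITE_LIKE:
                reasons.append(f"broad grant {args[i + 1]}")
        elif a == "/t":
            reasons.append("recursive (/T)")
        elif a == "/reset":
            reasons.append("ACL reset")
        elif a == "/setowner":
            reasons.append("ownership change")
    return reasons


def run(events):
    """Return (image, command line, reasons) for every event that analyze() flags."""
    return [(ntpath.basename(e["Image"]), e["CommandLine"], r) for e in events if (r := analyze(e))]


# Constructed process-creation records; the first mirrors the command line at the top of the page
EVENTS = [
    {"Image": r"C:\Windows\system32\icacls.exe", "CommandLine": "ICACLS . /GRANT EVERYONE:F /T /C /Q",
     "CurrentDirectory": r"C:\inetpub\wwwroot"},
    {"Image": r"C:\Windows\system32\icacls.exe",
     "CommandLine": r'icacls "C:\Windows\system32\msimg64.dll" /grant administrators:F',
     "CurrentDirectory": r"C:\Users\Avi"},
    {"Image": r"C:\Windows\system32\icacls.exe", "CommandLine": "icacls putty.exe",
     "CurrentDirectory": r"C:\Users\Avi\Desktop"},
    {"Image": r"C:\Windows\system32\takeown.exe", "CommandLine": r"takeown /f C:\Windows\System32\config\sam",
     "CurrentDirectory": r"C:\Users\Avi"},
    {"Image": r"C:\Windows\system32\cacls.exe", "CommandLine": "cacls TestCACLS /p Users:f",
     "CurrentDirectory": r"C:\Users\Avi\Desktop"},
]

if __name__ == "__main__":
    for image, cmd, reasons in run(EVENTS):
        print(f"{image}: {cmd} -> {', '.join(reasons)}")
```

The plain `icacls putty.exe` listing comes out clean, while the other four records are flagged for different reasons; in practice the "sensitive path" and "broad grant" reasons are the ones worth paging on, and recursion alone is only context.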
Inheritance rights are represented by the following abbreviations:
OI object inherit
CI container inherit
IO inherit only
NP do not propagate inherit
NTFS permissions are represented by one of the following forms:
N no access
F full access
M modify access
R read only access
RX read and execute access
W write access
D delete access
Attackers can interact with the DACLs using built-in Windows commands such as icacls, cacls, takeown and attrib, which allow adversaries higher permissions on
icacls <file_name> /reset replaces the ACLs with the default inherited ACLs (resets the permissions).