Sunday, May 18, 2014

Using AccessEnum to hunt down unknown file SIDs - User read/write with ???

AccessEnum is a Windows SysInternals tool that reliably list SIDs and user accounts on Windows 7,8+


"While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult. There's no built-in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you for security holes and lock down permissions where necessary." Download AccessEnum

Dowload and run AccessEnum with elevated priveledes and you typically see some positive results:

click large

When I ran AccessEnum on C:\ (root), it revealed some questionable ??? read / write users.



click large
Right-click on the highlighted file reveals;

click large






















the Current Owner: Unable to display current owner. I tried the running icacls in a windows cmd prompt;

PS C:\>ICACLS "C:\windows\winsxs\temp\pendingrenames\01b8c129d167cf01b5070000ec288829.install.ins" /reset /T /C
and it returned Access is denied.

click large




So how do gain access to this file?

Solution - Just drop all current owner and re-create the owners.

click large































Right click, choose Security Tab, Choose Continue which pop-ups another window in which you can Add a good known account, mainly you.

One I did this I could see the file contents of *.install.ins

click large
This file seems innocuous enough, but I am satisfied that I know who controls it now and its not a hacked account.

Now running both of these script worked to reset the the ACL on this file

Windows CMD (Elevated) Script - Download Raw - See Original at wastebin.com - UI upgrade by :)
  1. ICACLS "C:\path\to\folder\filename.extension" /reset /T /C

Running this script add back inheritance to ACL for that directory.

Windows CMD (Elevated) Script - Download Raw - See Original at wastebin.com - UI upgrade by :)
  1. ICACLS "C:\path\to\folder\filename.extension" /inheritance:e /T /C

The result is if you right click on the file you get the correct ACL Group and User Names.
Note: This file name is incorrect the above got deleted but this has same ACL.
click large



1 comment:

  1. I also see the ??? when there is a very long path name. If I click the corresponding file/folder then I can see the security details in the properties dialog.

    ReplyDelete