diff --git a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs index 0cc2e08..21ba4b9 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/ApplicationsInfo.cs @@ -244,6 +244,7 @@ namespace winPEAS.Checks Dictionary colorsD = new Dictionary() { { "Permissions.*", Beaprint.ansi_color_bad }, + { "Capcom.sys", Beaprint.ansi_color_bad }, { pathDriver.Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)").Replace("]", "\\]").Replace("[", "\\[").Replace("?", "\\?").Replace("+","\\+"), (fileRights.Count > 0 || dirRights.Count > 0) ? Beaprint.ansi_color_bad : Beaprint.ansi_color_good }, }; diff --git a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs index bccea25..5b8277a 100644 --- a/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs +++ b/winPEAS/winPEASexe/winPEAS/Checks/FilesInfo.cs @@ -127,6 +127,7 @@ namespace winPEAS.Checks PrintRecycleBin, PrintHiddenFilesAndFolders, PrintOtherUsersInterestingFiles + PrintExecutablesInNonDefaultFoldersWithWritePermissions, }.ForEach(action => CheckRunner.Run(action, isDebug)); } 
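Review bot: The added key `"Capcom.sys"` leaves its `.` unescaped, although the keys of `colorsD` appear to be regex patterns (`"Permissions.*"`, and the `pathDriver` key is escaped by hand on the next line), so the dot matches any character in that position. `{ @"Capcom\.sys", Beaprint.ansi_color_bad },` states the intent. It is also worth confirming that the highlighter matches case-insensitively, since driver file names on Windows can appear in any case and the matcher is not visible in this hunk. The enclosing method starts and ends outside the hunk.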
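Review bot: As rendered, `PrintOtherUsersInterestingFiles` has no trailing comma before the added `PrintExecutablesInNonDefaultFoldersWithWritePermissions,` entry in FilesInfo.cs, so the collection initializer would not compile. The line above the addition needs to become `PrintOtherUsersInterestingFiles,`, which would show up as a changed line in this hunk. The initializer opens outside the hunk.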
@@ -643,5 +644,46 @@ namespace winPEAS.Checks
 }
 }
 }
+
+ private void PrintExecutablesInNonDefaultFoldersWithWritePermissions()
+ {
+ Beaprint.MainPrint($"Searching executable files in non-default folders with write (equivalent) permissions (can be slow)");
+
+ var systemDrive = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\";
+
+ var excludedDirs = new HashSet()
+ {
+ @"c:\esupport",
+ @"c:\perflogs",
+ @"c:\programdata",
+ @"c:\program files(x86)",
+ @"c:\program files",
+ @"c:\windows",
+ @"c:\windows.old",
+ };
+
+ var allowedExtensions = new HashSet()
+ {
+ ".bat",
+ ".exe",
+ ".ps1"
+ };
+
+ var files = SearchHelper.GetFilesFast(systemDrive, "*", excludedDirs);
+
+ foreach (var file in files)
+ {
+ if (file.Extension != null && allowedExtensions.Contains(file.Extension.ToLower()))
+ {
+ // check the file permissions
+ List fileRights = PermissionsHelper.GetPermissionsFile(file.FullPath, Checks.CurrentUserSiDs, isOnlyWriteOrEquivalentCheck: true);
+
+ if (fileRights.Count > 0)
+ {
+ Beaprint.BadPrint($" File Permissions \"{file.FullPath}\": " + string.Join(",", fileRights));
+ }
+ }
+ }
+ }
 }
 }
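Review bot: The `excludedDirs` entries are hard-coded to `c:\` while the scan root comes from the `SystemDrive` environment variable, so on a host whose system drive is not C: none of the exclusions would apply and the walk would also cover Windows and Program Files. The entry `@"c:\program files(x86)"` also lacks the space of the real folder name `Program Files (x86)`; whether that matters depends on how `SearchHelper.GetFilesFast` matches exclusions, which is not visible here. Deriving the set from `systemDrive` addresses both, and `file.Extension.ToLower()` would be safer as `ToLowerInvariant()` so the extension filter does not depend on the current culture. The `HashSet` type argument below is assumed to be `string`, since the rendering shows none.

```csharp
var systemDrive = $"{Environment.GetEnvironmentVariable("SystemDrive")}\\";
// Lower-cased to match the form of the existing entries.
var driveRoot = systemDrive.ToLowerInvariant();

var excludedDirs = new HashSet<string>()
{
    $"{driveRoot}esupport",
    $"{driveRoot}perflogs",
    $"{driveRoot}programdata",
    $"{driveRoot}program files (x86)",
    $"{driveRoot}program files",
    $"{driveRoot}windows",
    $"{driveRoot}windows.old",
};
// … unchanged: allowedExtensions, GetFilesFast call and permission loop …
```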