
Permission Checking and rules for it #101

cmprmsd opened this issue Sep 30, 2022 · 7 comments
Comments

@cmprmsd
Contributor

cmprmsd commented Sep 30, 2022

Hey l0ss!

I think we forgot to open a new issue for the permission checks discussed in #84.
I just noticed that the permissions are still hardcoded and thought it may be worth a shot to get this done.

You mentioned a better way that you worked on in group3r. I'll have a look at it if I find some spare time.

For the future it would make sense to have rules to identify e.g. write access to folders like Microsoft's autostart folder, in order to place some evil stuff in it during engagements.
We could also brainstorm some other folders that might be critical, like wwwroot or /var/www.

Have a great weekend!

@l0ss
Contributor

l0ss commented Oct 7, 2022

Yeah Group3r has the better method in it - it's still imperfect but it's as good as it's going to get without a bunch of noisy NetLocalGroupEnum stuff.

Off the top of my head, writable things that should be considered interesting:

  • Webroots like those you mentioned above
  • Any executable file type or xml or inf file in the SYSVOL Policies dir
  • All kinds of stuff in the user's homedir - it would be good to write these rules so they can properly identify cases where they're remapping the user's desktop etc. to a share, as this seems to be pretty common.
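The three categories listed above can be expressed as path rules that only fire when the file or directory is writable. The Python below is an added illustration of that idea and is not Snaffler's or Group3r's rule engine; the rule names, the regexes and the sample paths are constructed for the example. It normalises local and UNC paths the same way so that a Desktop redirected to `\\fs01\profiles$\<user>\Desktop` matches the same rule as `C:\Users\<user>\Desktop`, and it restricts the SYSVOL rule to executable, xml and inf files as described.

```python
import posixpath
import re
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class WriteRule:
    """One 'interesting if writable' rule (hypothetical rule names, not Snaffler's)."""
    name: str
    path_re: re.Pattern       # applied to the normalised path
    exts: FrozenSet[str]      # empty set = match regardless of extension


# File types worth owning inside a GPO directory: anything executable plus the
# xml (preferences) and inf (security template) files.
EXEC_EXTS = frozenset({".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js",
                       ".msi", ".hta", ".scr"})

RULES: List[WriteRule] = [
    # Webroots (IIS and Apache-style). Any writable file here is a webshell candidate.
    WriteRule("WritableWebroot",
              re.compile(r"(^|/)(inetpub|wwwroot|var/www|htdocs)(/|$)"), frozenset()),
    # Executables / xml / inf under \\<dc>\SYSVOL\<domain>\Policies\<guid>\...
    WriteRule("WritableSysvolPolicy",
              re.compile(r"(^|/)sysvol/[^/]+/policies/"), EXEC_EXTS | {".xml", ".inf"}),
    # Per-user or all-users Startup folder: a dropped file runs at next logon.
    WriteRule("WritableStartupFolder",
              re.compile(r"/start menu/programs/startup(/|$)"), frozenset()),
    # Profile folders. Deliberately not anchored to C:\Users so a redirected
    # Desktop/Documents on a share (\\fs\profiles$\<user>\Desktop) also matches.
    WriteRule("WritableUserProfileDir",
              re.compile(r"/(desktop|documents|appdata)(/|$)"), frozenset()),
]


def normalise(path: str) -> str:
    """Lower-case, forward slashes, UNC prefix dropped: one regex serves local and share paths."""
    p = path.replace("\\", "/").lower()
    return p[2:] if p.startswith("//") else p


def interesting_writes(path: str, access: str) -> List[str]:
    """Return the names of rules matched when `access` (R/W/M flags as the tool
    prints them) includes write (W) or modify (M). Read-only hits return []."""
    if not ({"W", "M"} & set(access.upper())):
        return []
    p = normalise(path)
    ext = posixpath.splitext(p.rsplit("/", 1)[-1])[1]
    return [r.name for r in RULES
            if r.path_re.search(p) and (not r.exts or ext in r.exts)]


if __name__ == "__main__":
    # Constructed sample findings (path, flags the scanner reported).
    samples = [
        (r"C:\inetpub\wwwroot\web.config", "RWM"),
        (r"\\dc\SYSVOL\corp.local\Policies\{31B2F340}\Machine\Scripts\Startup\logon.ps1", "RW"),
        (r"\\dc\SYSVOL\corp.local\Policies\{31B2F340}\gpt.ini", "RW"),
        (r"\\fs01\profiles$\alice\Desktop\notes.txt", "RW"),
        (r"C:\Users\alice\Desktop\notes.txt", "R"),
    ]
    for path, flags in samples:
        print(f"{flags:4} {path} -> {interesting_writes(path, flags)}")
```

Matching on the normalised path rather than on `C:\Users\...` is what makes the redirected-profile case work; the cost is that any folder literally named `desktop` anywhere will match, which is acceptable for a triage rule that only fires on writable hits.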

@l0ss
Contributor

l0ss commented Oct 23, 2022

OK, so the aclcrimes branch should have the ability to semi-accurately get the R/W/M status of a file, if you wanna take that for a spin. If that's all working properly it shouldn't be too hard to make it possible to write rules for it too.

@l0ss
Contributor

l0ss commented Jan 3, 2023

@cmprmsd reminder to please test the aclcrimes branch out.

@cmprmsd
Contributor Author

cmprmsd commented Jan 3, 2023

Nooooooo! I l0ss't track of this issue!

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

func main() {
	// Seed the global source so a different excuse comes out on each run.
	rand.Seed(time.Now().Unix())

	excuses := []string{
		"I have a lot of work to do for my job.",
		"I have a lot of errands to run.",
		"I have a lot of family responsibilities.",
		"I'm in the middle of a big project for school.",
		"I'm training for a marathon.",
		"I have a lot of social commitments.",
		"I have a lot of appointments to attend.",
		"I'm trying to catch up on sleep.",
	}

	// Pick and print one excuse at random.
	fmt.Println(excuses[rand.Intn(len(excuses))])
}
```

I'll check it out asap! Thanks for implementing this functionality! I'll also share some additional rules 🍀

@cmprmsd
Contributor Author

cmprmsd commented Jan 3, 2023

Did a quick run in a DetectionLab. On local drives it seems to randomly display R W (M) or just R.
I could not find a clear pattern.
[screenshot]

On network drives, e.g. the DC, only R was shown.
I might have issues with using the local user vagrant right from the initial lab setup, which has local admin rights everywhere.
Will retry with a domain user tomorrow.

@cmprmsd
Contributor Author

cmprmsd commented Jan 3, 2023

Just did this right away ^^
Observations with a domain user (administrative):

  • The shares all show up with R only, although e.g. for \\dc\C$ there is write access.
    [screenshot]
    [screenshot]
  • The flags for W and M seem to show up only on files where permissions are explicitly set for the user (vagrant), as you can see here where Program Files shows up as read-only but the vagrant user folder shows up as writable:
    [screenshot]
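The pattern reported above (W and M only where the user's own SID has an explicit ACE, and an admin share that is in fact writable showing as R) is what an access check produces when it compares ACE trustees against the user SID alone and ignores the group SIDs in the token. The Python below is an added illustration of that failure mode, not code from Snaffler or the aclcrimes branch: a simplified DACL walk in the style of Windows AccessCheck (ACEs in order, deny ACEs take bits away before later allows can grant them, per-bit accounting), run once with a user-only token and once with the token's group SIDs included. The domain SID, the sample DACLs and the R/W/M mapping (R = FILE_READ_DATA, W = FILE_WRITE_DATA or FILE_APPEND_DATA, M = W plus DELETE) are constructed assumptions for the example; the access-mask constants and well-known SIDs are the Windows values.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Access-mask bits (winnt.h values).
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
FILE_APPEND_DATA = 0x00000004
DELETE = 0x00010000
FILE_GENERIC_WRITE = 0x00120116      # what "Write" in the ACL editor grants
FILE_READ_EXECUTE = 0x001200A9       # "Read & execute"
FILE_ALL_ACCESS = 0x001F01FF         # "Full control"

# Well-known SIDs (real values).
SYSTEM = "S-1-5-18"
ADMINISTRATORS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
AUTH_USERS = "S-1-5-11"
EVERYONE = "S-1-1-0"
# Constructed domain for the example; the RIDs 512/513 are the real Domain Admins / Domain Users RIDs.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
VAGRANT = DOMAIN + "-1105"
DOMAIN_ADMINS = DOMAIN + "-512"
DOMAIN_USERS = DOMAIN + "-513"


@dataclass(frozen=True)
class Ace:
    allow: bool     # False = access-denied ACE
    sid: str
    mask: int


@dataclass(frozen=True)
class Token:
    user: str
    groups: FrozenSet[str] = frozenset()

    def holds(self, sid: str) -> bool:
        return sid == self.user or sid in self.groups


def granted_mask(dacl: List[Ace], token: Token, desired: int = FILE_ALL_ACCESS) -> int:
    """Walk the DACL in order. A deny ACE for a held SID settles its bits as denied,
    an allow ACE grants whatever is still undecided. Real AccessCheck fails the
    whole request on any denied bit; reporting per bit here lets us derive flags."""
    granted = denied = 0
    for ace in dacl:
        if not token.holds(ace.sid):
            continue
        undecided = desired & ~(granted | denied)
        if not undecided:
            break
        if ace.allow:
            granted |= ace.mask & undecided
        else:
            denied |= ace.mask & undecided
    return granted


def rwm_flags(dacl: List[Ace], token: Token) -> str:
    """Assumed mapping of the effective mask onto the tool's R / W / M display."""
    g = granted_mask(dacl, token)
    flags = "R" if g & FILE_READ_DATA else ""
    if g & (FILE_WRITE_DATA | FILE_APPEND_DATA):
        flags += "W"
    if g & FILE_WRITE_DATA and g & DELETE:
        flags += "M"
    return flags


# Constructed DACLs modelled on common defaults.
PROGRAM_FILES_DACL = [Ace(True, SYSTEM, FILE_ALL_ACCESS),
                      Ace(True, ADMINISTRATORS, FILE_ALL_ACCESS),
                      Ace(True, USERS, FILE_READ_EXECUTE)]
VAGRANT_PROFILE_DACL = [Ace(True, SYSTEM, FILE_ALL_ACCESS),
                        Ace(True, ADMINISTRATORS, FILE_ALL_ACCESS),
                        Ace(True, VAGRANT, FILE_ALL_ACCESS)]       # explicit user ACE
LOCKED_SHARE_DACL = [Ace(False, DOMAIN_USERS, FILE_GENERIC_WRITE | DELETE),  # deny first (canonical order)
                     Ace(True, AUTH_USERS, FILE_ALL_ACCESS)]

USER_ONLY_TOKEN = Token(VAGRANT)                       # what a naive check compares against
FULL_TOKEN = Token(VAGRANT, frozenset({DOMAIN_USERS, DOMAIN_ADMINS, ADMINISTRATORS,
                                       USERS, AUTH_USERS, EVERYONE}))

if __name__ == "__main__":
    for name, dacl in [("Program Files", PROGRAM_FILES_DACL),
                       ("C:\\Users\\vagrant", VAGRANT_PROFILE_DACL),
                       ("locked share", LOCKED_SHARE_DACL)]:
        print(f"{name:18} user-only: {rwm_flags(dacl, USER_ONLY_TOKEN) or '-':4} "
              f"with groups: {rwm_flags(dacl, FULL_TOKEN) or '-'}")
```

Only the profile folder shows W/M with the user-only token, exactly because it is the one DACL carrying the user's own SID; Program Files flips to RWM once BUILTIN\Administrators is in the group list. The locked share also shows that the same omission cuts the other way: leaving groups out skips deny ACEs too, so a user-only check can both hide and overstate write access. Whatever enumeration is used to build the group list, it needs to include nested and well-known groups (Authenticated Users, BUILTIN\Users) or the results stay skewed toward R.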

@cmprmsd
Contributor Author

cmprmsd commented Oct 2, 2024

@l0ss Anything I can do to help you out on this one? I just stumbled over this issue. 😄
