This artifact displays the access control lists of files matched by a glob.
Note: This artifact uses PowerShell (Get-Acl) to gather the information, so it only runs on Windows endpoints.
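name: Windows.System.AccessControlList
description: |
  This artifact displays the access control lists of files matched by
  a glob.

  Note: This artifact uses PowerShell (Get-Acl) to gather the
  information, so it only works on Windows. The script is written to a
  temporary .ps1 file and launched with `-ExecutionPolicy Bypass`,
  which PowerShell logging / EDR may record; `-NoProfile` is passed so
  that a tampered machine or user profile script is not loaded into the
  collector's PowerShell session.

  The ACLFilter regex is applied to each ACE line of the file's
  AccessToString property. The default reports every file on which
  BUILTIN\Users hold an Allow ACE of any kind (read included); for the
  default Glob (registry hive files under System32\Config) any such
  grant is worth a look.

  Stdout from PowerShell is capped at 100000 bytes. A Glob matching a
  very large number of files can produce truncated JSON and therefore
  no rows — narrow the Glob if that happens.

type: CLIENT

parameters:
  - name: Glob
    description: A search expression (wildcards allowed) that will be passed to PowerShell's Get-Acl.
    default: 'C:\Windows\System32\Config\s*'
  - name: ACLFilter
    description: Only show files with ACLs that match this regex (matched against each ACE line of AccessToString).
    default: 'BUILTIN\\Users.+Allow'

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- Glob is handed to the script as an argument rather than being
      -- interpolated into the script text, so the parameter cannot
      -- inject PowerShell into the collector.
      -- ConvertTo-Json -InputObject @(...) forces a JSON array even when
      -- zero or one file matches; piping a single object emits a bare
      -- object, which parse_json_array below does not accept.
      LET Script <= tempfile(data='''
      $glob = $args[0]
      ConvertTo-Json -InputObject @(Get-Acl $glob | Select-Object Path, Owner, Group, AccessToString)
      ''', extension=".ps1")

      LET Results = SELECT parse_json_array(data=Stdout) AS Rows
        FROM execve(argv=["powershell", "-NoProfile", "-NonInteractive",
                          "-ExecutionPolicy", "Bypass", "-File", Script, Glob],
                    length=100000)

      SELECT * FROM foreach(row=Results.Rows,
        query={
          -- Strip the "Microsoft.PowerShell.Core\FileSystem::" provider
          -- prefix so Path is a plain filesystem path.
          SELECT parse_string_with_regex(string=Path, regex="FileSystem::(.+)").g1 AS Path,
                 Owner, Group, split(string=AccessToString, sep="\n") AS ACLS
          FROM _value
        })
      WHERE ACLS =~ ACLFilter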