ShellSpells
Enumerate

File Permissions

icacls <FilePath>

Displays or modifies DACLs on specified files (CMD).

cacls <FilePathOrDirectory>

(Deprecated) Displays the ACL for files and directories.

Get-Acl -Path <FilePathOrDirectory>

Gets the ACL for a specific file or directory.

Displays a detailed list of ACL entries for a specific file or directory:

Get-Acl -Path <FilePathOrDirectory> | Format-List

Lists access rules for a file or directory:

Get-Acl -Path <FilePathOrDirectory> | Select-Object -ExpandProperty Access

Retrieves the ACL for all files and directories within a specified path recursively:

Get-ChildItem -Path <DirectoryPath> -Recurse | Get-Acl

Retrieves file names, paths, and access masks (numeric representation of permissions):

wmic datafile where (Path='<path>\<filename>') get Name, FileName, AccessMask

Displays permissions in a more concise format, listing each user or group and their corresponding permissions:

Get-Acl -Path <path>\<filename> | Select-Object -ExpandProperty Access | ForEach-Object {$_.IdentityReference; $_.FileSystemRights}

Calls ToString() on each rule's FileSystemRights to print the rights as human-readable names (the object returned by Get-Acl also exposes an AccessToString property that renders the whole ACL as text):

Get-Acl -Path <path>\<filename> | Select-Object -ExpandProperty Access | ForEach-Object { $_.IdentityReference; $_.FileSystemRights.ToString() }

Understanding access masks:

Numeric values represent permissions (e.g., 2032127 = Full Control).

Use PowerShell's Get-Acl and its AccessToString property to view them in human-readable format.

Filtering by permission level:

Use PowerShell's Where-Object cmdlet to filter based on access mask values or specific permissions.

Tools for advanced analysis:

Consider tools like AccessEnum or NTFS Permissions Reporter for detailed permission analysis and reporting.
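
The filtering note above, worked through as an added example (not part of the original page): it walks a directory tree and reports Allow rules that give broad principals write-capable rights, including generic rights that FileSystemRights prints only as numbers. The path in `$Root` and the English principal names in `$Broad` are assumptions to adjust for the system being audited.

```powershell
# Added example, not from the original page. $Root and $Broad are assumptions.
$Root  = 'C:\Data'   # hypothetical directory to audit
$Broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'  # English names

# Specific rights that let a principal change content, delete, or rewrite the ACL.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

# Generic rights are stored as raw bits that FileSystemRights has no name for,
# so they print as numbers (e.g. 268435456) and must be tested separately.
$GenericAll   = 0x10000000
$GenericWrite = 0x40000000

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $path = $_.FullName
    try   { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop }
    catch { Write-Warning "ACL not readable: $path"; return }

    $acl.Access |
    Where-Object {
        $mask = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $Broad -and
        ($mask -band ($WriteBits -bor $GenericAll -bor $GenericWrite)) -ne 0
    } |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $path
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights   # names, or a number for generic rights
            Mask      = '0x{0:X8}' -f [int]$_.FileSystemRights
            Inherited = $_.IsInherited
        }
    }
} | Sort-Object Path, Identity
```

Rows with Inherited = False are explicit grants on that item; inherited rows point back to a parent folder whose ACL is the one to fix.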

User Permissions

whoami /priv

Displays current user privileges.

net user <username>

Displays basic information about a user.

Get-LocalUser

Retrieves local user accounts.

Get-LocalGroupMember <GroupName>

Retrieves members of a local group.

icacls <file_or_folder>

Displays user permissions for a file or folder.

Get-ADUser -Filter * -Properties *

Retrieves user accounts from Active Directory.

Get-ADGroupMember <GroupName>

Retrieves members of an Active Directory group.

Retrieves information about a specific user:

Get-WmiObject -Class Win32_UserAccount | Where-Object {$_.Name -eq "<username>"} | Select-Object Name, FullName, Description

Group Permissions

Get-LocalGroup

Retrieves local groups on a computer.

Get-ADGroup -Filter * -Properties *

Retrieves groups from Active Directory (requires AD module).

Get-LocalGroupMember <GroupName>

Retrieves members of a local group.

Get-ADGroupMember <GroupName>

Retrieves members of an Active Directory group (requires AD).

net localgroup <group_name>

Lists members of a local group without detailed permissions.

icacls <file_or_folder>

Displays permissions for a file or folder, including groups.

whoami /groups

Shows the groups to which the current user belongs.

Share Permissions

Get-WmiObject Win32_LogicalShareSecuritySetting

Retrieves share permissions (PowerShell).

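Enumerates user permissions on a network share by reading the ACEs from the share's security descriptor:

Get-CimInstance -ClassName Win32_LogicalShareSecuritySetting | Where-Object {$_.Name -eq "<share_name>"} | Invoke-CimMethod -MethodName GetSecurityDescriptor | ForEach-Object { $_.Descriptor.DACL } | Select-Object @{Name='Principal'; Expression={$_.Trustee.Name}}, AccessMask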

Sysinternals

accesschk

Shows file/dir permissions for the user.
