Enumerate

File Permissions

icacls <FilePath>

Displays or modifies DACLs on specified files (CMD).

cacls <FilePathOrDirectory>

(Deprecated) Displays the ACL for files and directories.

Get-Acl -Path <FilePathOrDirectory>

Gets the ACL for a specific file or directory.

Displays a detailed list of ACL entries for a specific file or directory:

Get-Acl -Path <FilePathOrDirectory> | Format-List

Lists access rules for a file or directory:

Get-Acl -Path <FilePathOrDirectory> | Select-Object -ExpandProperty Access

Retrieves the ACL for all files and directories within a specified path recursively:

Get-ChildItem -Path <DirectoryPath> -Recurse | Get-Acl

Retrieves file names, paths, and access masks (numeric representation of permissions):

wmic datafile where (Path='<path>\<filename>') get Name, FileName, AccessMask

Displays permissions in a more concise format, listing each user or group and their corresponding permissions:

Get-Acl -Path <path>\<filename> | Select-Object -ExpandProperty Access | ForEach-Object {$_.IdentityReference; $_.FileSystemRights}

Leverages the AccessToString() method to directly convert access masks to human-readable permission strings.

Get-Acl -Path <path>\<filename> | Select-Object -ExpandProperty Access | ForEach-Object { $_.IdentityReference; $_.FileSystemRights.ToString() }

Understanding access masks:

Numeric values represent permissions (e.g., 2032127 = Full Control).

Use PowerShell's Get-Acl and AccessToString methods to convert them to human-readable format.

Filtering by permission level:

Use PowerShell's Where-Object cmdlet to filter based on access mask values or specific permissions.

Tools for advanced analysis:

Consider tools like AccessEnum or NTFS Permissions Reporter for detailed permission analysis and reporting.

User Permissions

whoami /priv

Displays current user privileges.

net user <username>

Displays basic information about a user.

Get-LocalUser

Retrieves local user accounts.

Get-LocalGroupMember <GroupName>

Retrieves members of a local group.

icacls <file_or_folder>

Displays user permissions for a file or folder.

Get-ADUser -Filter * -Properties *

Retrieves user accounts from Active Directory.

Get-ADGroupMember <GroupName>

Retrieves members of an Active Directory group.

Retrieves information about a specific user:

Get-WmiObject -Class Win32_UserAccount | Where-Object {$_.Name -eq "<username>"} | Select-Object Name, FullName, Description

Group Permissions

Get-LocalGroup

Retrieves local groups on a computer.

Get-ADGroup -Filter * -Properties *

Retrieves groups from Active Directory (requires AD module).

Get-LocalGroupMember <GroupName>

Retrieves members of a local group.

Get-ADGroupMember <GroupName>

Retrieves members of an Active Directory group (requires AD).

net localgroup <group_name>

Lists members of a local group without detailed permissions.

icacls <file_or_folder>

Displays permissions for a file or folder, including groups.

whoami /groups

Shows the groups to which the current user belongs.

Get-WmiObject Win32_LogicalShareSecuritySetting `| Retrieves share permissions (PowerShell).

Enumerates user permissions on a network share:

Get-CimInstance -ClassName Win32_LogicalShareSecuritySetting | Where-Object {$_.Name -eq "<share_name>"} | Get-CimAssociatedInstance -ResultClassName Win32_Ace | Select-Object Principal, AccessMask

Sysinternals

accesschk

Shows file/dir permissions for the user.

PreviousPermissions NextPage

Last updated 1 year ago

hashtagFile Permissions

hashtagUnderstanding access masks:

hashtagUser Permissions

hashtagGroup Permissions

hashtagShare Permissions

hashtagSysinternals

File Permissions

Understanding access masks:

User Permissions

Group Permissions

Share Permissions

Sysinternals