
During a recent red team exercise, we discovered a vulnerability within the latest versions of the Symantec Management Agent (Altiris) that allowed us to escalate our privileges.

When performing red team engagements, it is common to come across different types of third party endpoint software installed on a host. This type of software is always of interest, as it could be a point of escalation on the host, or potentially across the environment. One example of endpoint management software we’ve often seen is Altiris by Symantec. This software is an endpoint management framework that allows an organisation to centrally administer their estate: to ensure the latest operating system patches are applied, to deliver software, to make configuration changes based on a user’s role or group, and to perform an inventory asset register across the entire estate.

The version tested by Nettitude was version 7.6, as shown throughout this release; however, it was confirmed by Symantec on 12 June 2018 that all versions prior to the patched version are affected by the same issue.

We noticed that folders within the Altiris file structure had the ‘Everyone – Full Control’ permission applied. These folders seemed to contain fairly benign content, such as scan configuration files and XML files, from what we believed to be the inventory scan or output from a recent task.

These folder and file permissions were found using a simple PowerShell one liner which allowed us to perform an ACL review on any Windows host, using only the tools on that host. An example of this one liner is as follows (the original was garbled in this copy; SilentlyContinue and the Get-Acl call inside the ForEach-Object block have been restored so that it runs):

    Get-ChildItem C:\ -Recurse -ErrorAction SilentlyContinue | ForEach-Object { Get-Acl -Path $_.FullName } | Export-Csv C:\temp\acl.csv -NoTypeInformation

When reviewing the timestamps on these folders, it appeared there was activity happening once a day within this folder. After doing further research into the folders, we concluded that these files were likely modified after a system or software inventory scan. Now, depending on the relevant organisation’s configuration and appetite for inventory management, this may happen more or less than once per day.

When the Altiris agent performs an inventory scan, e.g. The permissions applied grant the ‘Everyone’ group full control over both folders, allowing any standard user to create a junction to an alternative folder. Thus, the ‘Everyone’ permission is placed on the junction folder, enforcing inheritance on each file or folder within this structure. This allows a low privilege user to elevate their privileges on any endpoint that has Symantec Management Agent v7.6, v8.0 or v8.1 RU7 installed.
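The one liner above dumps every ACL it can read; the script below is an added example, not code from the original Nettitude post, that narrows the review to the specific weakness described here: directories whose ACL grants the ‘Everyone’ group Allow/FullControl, together with whether that entry is inherited and propagates to children, and the directory’s last write time so it can be correlated with the once-a-day activity noted above. The starting path, the report path and the parameter names are assumptions chosen for illustration; point $Root at the agent’s install or data folder under review. Everyone is matched by its well-known SID (S-1-1-0) rather than by display name so the check also works on localised systems.

```powershell
# Added example (not from the original post): report directories under $Root whose
# ACL grants 'Everyone' Allow/FullControl, the condition that enables the junction
# abuse described above. Paths below are assumptions; adjust them for the host.
param(
    [string]$Root   = 'C:\ProgramData',                      # assumed starting point
    [string]$Report = 'C:\temp\acl-everyone-fullcontrol.csv'  # assumed output path
)

# Resolve the localised account name for the well-known 'Everyone' SID (S-1-1-0).
$everyoneSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$everyoneName = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value
$fullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl

$findings = Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        try {
            $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop
        } catch {
            return   # directory not readable by this account; skip it
        }

        foreach ($ace in $acl.Access) {
            # Only Allow entries for Everyone that include every FullControl bit count.
            # Note: inherit-only ACEs expressed with generic rights will not match and
            # need a separate review if the tool reports unnamed numeric rights.
            if ($ace.IdentityReference.Value -eq $everyoneName -and
                $ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) {

                [pscustomobject]@{
                    Path          = $dir.FullName
                    Inherited     = $ace.IsInherited      # set by a parent, or applied here?
                    InheritFlags  = $ace.InheritanceFlags # does it propagate to children?
                    Owner         = $acl.Owner
                    LastWriteTime = $dir.LastWriteTime    # compare with the daily scan activity
                }
            }
        }
    }

if ($findings) {
    $findings | Export-Csv -Path $Report -NoTypeInformation
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No directories under $Root grant Everyone FullControl."
}
```

Any hit where InheritFlags shows ContainerInherit or ObjectInherit is the pattern the post describes, since the permissive entry is pushed down onto whatever ends up inside that folder. Directories that match on an endpoint running an unpatched agent version are the ones to prioritise for the vendor patch that Symantec confirmed addresses the issue, and for a fix of the ACL itself.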
