Service binary permissions false positive
itm4n opened this issue · 1 comments
itm4n commented
Under specific conditions, the function `Invoke-ServicesImagePermissionsCheck` incorrectly reports some service binary permissions as vulnerable.

Below is an example when the script is executed while the current directory is `C:\Users\USERNAME`. It identifies `Desktop` as a token to check, finds that the path `C:\Users\USERNAME\Desktop` exists, and is writable. Therefore, it reports the service as vulnerable.

```
Name              : SomeService
ImagePath         : "C:\Program Files\SomeProgram\Foo Desktop Bar\SomeExecutable.exe"
User              : LocalSystem
ModifiablePath    : C:\Users\USERNAME\Desktop
IdentityReference : COMPUTER\USERNAME
Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ListDirectory, AddSubdirectory,
                    WriteExtendedAttributes, WriteDAC, ReadAttributes, AddFile, ReadExtendedAttributes, DeleteChild,
                    Traverse
Status            : Stopped
UserCanStart      : False
UserCanStop       : False
```
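
The false positive described in the report above can be reproduced with a simplified model. This is an added example, not part of the original issue and not PrivescCheck's own code: `Get-CandidatePath`, its `-FullyQualifiedOnly` switch and the space/quote tokenization are assumptions made for illustration, and the sandbox directory stands in for `C:\Users\USERNAME`.

```powershell
# Added illustration: a simplified model, not PrivescCheck's code.
function Get-CandidatePath {
    param(
        [Parameter(Mandatory = $true)][string]$ImagePath,
        [switch]$FullyQualifiedOnly   # hypothetical switch: skip tokens that depend on the current directory
    )
    # Naive tokenization: break the command line on spaces and quotes.
    $tokens = $ImagePath.Split([char[]]@(' ', '"'), [System.StringSplitOptions]::RemoveEmptyEntries)
    foreach ($token in $tokens) {
        # Drive-rooted (C:\...) and UNC (\\server\...) tokens do not depend on the current directory.
        $qualified = $token -match '^(?:[A-Za-z]:\\|\\\\)'
        if ($FullyQualifiedOnly -and -not $qualified) { continue }
        # A bare token such as "Desktop" silently resolves against the current directory.
        $resolved = if ($qualified) { $token } else { Join-Path -Path (Get-Location).Path -ChildPath $token }
        if (Test-Path -LiteralPath $resolved) {
            [pscustomobject]@{ Token = $token; Resolved = $resolved; FullyQualified = $qualified }
        }
    }
}

# Constructed sandbox standing in for the user profile: it contains a "Desktop" folder.
$sandbox = Join-Path $env:TEMP ("fp-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $sandbox 'Desktop') -Force | Out-Null
Push-Location -LiteralPath $sandbox
try {
    # ImagePath value taken from the report above.
    $imagePath = '"C:\Program Files\SomeProgram\Foo Desktop Bar\SomeExecutable.exe"'

    'Naive tokenization (current directory leaks into the result):'
    Get-CandidatePath -ImagePath $imagePath | Format-Table -AutoSize

    'Fully qualified tokens only:'
    Get-CandidatePath -ImagePath $imagePath -FullyQualifiedOnly | Format-Table -AutoSize
}
finally {
    Pop-Location
    Remove-Item -LiteralPath $sandbox -Recurse -Force
}
```

Whether a reported path is genuine can also be checked by hand: a `ModifiablePath` that is not a prefix of the service's `ImagePath` cannot be part of the binary's location.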