For this Lab you’ll need a Windows VM. (Any Windows VM will do!)

In this Lab, you’ll be asked to search through C:\Windows\System32 (including its sub-directories) to find the file that is owned by one of the users on the system rather than by one of the built-in system accounts.

Let’s start by using the get-childitem cmdlet. Open PowerShell as administrator and type

get-childitem

Note: an elevated PowerShell session starts in C:\Windows\System32, which is why get-childitem with no -Path argument lists that directory. If your prompt is somewhere else, run Set-Location C:\Windows\System32 first, or pass the path explicitly as shown below.


This cmdlet returns a series of objects, just like any other cmdlet. Each of these objects is a file or a sub-directory in the System32 directory. Note: this only returns the entries directly in C:\Windows\System32. get-childitem is not showing us the files in the many sub-directories that exist here. To do that we’d have to add -Recurse:

get-childitem -Recurse -Path "C:\Windows\System32"

Let’s examine each file object’s members then:

get-childitem | gm


Get-Member groups its output by object type, so there will be two sections: one for System.IO.DirectoryInfo (the sub-directories) and one for System.IO.FileInfo (the files), because get-childitem returns both. The second section lists the members we can act on for each file object returned. (See the first arrow at the top of the graphic.) Although properties like LastAccessTime and LastWriteTime would certainly be of interest to a cybersecurity analyst, we’ll just look at FullName for now.

get-childitem | select fullname


For this lab, we’ll be interested in examining the Access Control List (ACL) of each file. We can pipe the output of Get-ChildItem to Get-Acl, which reads the security descriptor of every path it receives, like this:

get-ChildItem | Get-Acl
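Putting the steps above together, here is an added example (not part of the original lab) that recurses through System32, reads each file’s ACL, summarises the owners, and then lists the files whose owner is not one of the system principals. The $ExpectedOwners list is an assumption about a default Windows install, not something the lab states; adjust it to match what the Owner column shows on your VM.

```powershell
# Added example, not part of the original lab.
# Assumes an elevated PowerShell session on a Windows VM.

$Path = 'C:\Windows\System32'

# Assumption: on a default install most System32 files are owned by these
# built-in principals. Anything owned by a different account is worth a look.
$ExpectedOwners = @(
    'NT SERVICE\TrustedInstaller',
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators'
)

# -File keeps only files, -Force includes hidden and system files, and
# SilentlyContinue skips the few paths even an administrator cannot list.
$files = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue

# Get-Acl can still fail on a handful of protected objects, so handle each file
# individually instead of letting one error abort the whole run.
$owners = foreach ($f in $files) {
    try {
        $acl = Get-Acl -LiteralPath $f.FullName -ErrorAction Stop
        [pscustomobject]@{
            FullName      = $f.FullName
            Owner         = $acl.Owner
            LastWriteTime = $f.LastWriteTime
        }
    } catch {
        Write-Verbose "Could not read ACL for $($f.FullName): $_"
    }
}

# Summary: how many files each owner account holds, most common first.
$owners |
    Group-Object -Property Owner |
    Sort-Object -Property Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# The lab question: files whose owner is not one of the expected principals.
# LastWriteTime is included because an unexpected owner on a recently written
# file is the combination an analyst would want to see first.
$owners |
    Where-Object { $ExpectedOwners -notcontains $_.Owner } |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object Owner, LastWriteTime, FullName |
    Format-Table -AutoSize
```

If an owner appears as a raw SID (S-1-5-21-…) rather than a name, the account could not be resolved, which is itself worth noting; Get-Acl -LiteralPath is used instead of -Path so that file names containing wildcard characters such as square brackets are not interpreted as patterns.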


If you look at the Owner column you can see that the files in c:\Windows\System32 are primarily owned by: