SAERXCIT/Get-ModifiablePathFromProcmon

Get-ModifiablePathFromProcmon

A simple PowerShell function that parses a Procmon CSV export to extract the filesystem and registry paths a process accessed, then uses @itm4n's PrivescCheck functions Get-ModifiablePath and Get-ModifiableRegistryPath to find which of those paths are modifiable by the current user.

This is useful to find out whether a program performs privileged operations on user-writable files, directories or registry keys: a service running as SYSTEM that loads a DLL, reads a configuration file or queries a registry value from a location the user can modify is a classic local privilege escalation vector. Operations the process performs while impersonating the user are carried out with the user's own token and are therefore not exploitable; pass the -IgnoreImpersonate switch to drop them and avoid false positives.

Usage

Capture the target process with Procmon and export the trace with File > Save... as CSV (keep the Operation and Path columns). Run the check from the session of the low-privileged user you are testing, because both PrivescCheck functions evaluate ACLs against the current user's token. From a PowerShell prompt:

PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope Process -Force
PS C:\Temp\> Import-Module .\PrivescCheck.ps1
PS C:\Temp\> Import-Module .\Get-ModifiablePathFromProcmon.ps1
PS C:\Temp\> Get-ModifiablePathFromProcmon -CSVPath "C:\PathTo\Logfile.CSV" [-IgnoreImpersonate]
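As an added illustration of what the function does end to end (example code written for this page, not code from SAERXCIT's repository or from PrivescCheck), the PowerShell below parses a Procmon CSV export, extracts the unique filesystem and registry paths, and tests each against the current user's token. The writability test is a deliberately simplified stand-in for Get-ModifiablePath and Get-ModifiableRegistryPath: it walks up to the nearest existing ancestor, matches ACEs against the user's SIDs and honours Deny ACEs, but ignores generic access masks and inheritance flags. The sample CSV rows, the svc.exe process and the Vendor paths are constructed, the function and variable names are this example's own, and the -IgnoreImpersonate filtering is not modelled.

```powershell
# Added example for this page, not code from Get-ModifiablePathFromProcmon or PrivescCheck.
# Test-UserWritable is a simplified stand-in for Get-ModifiablePath / Get-ModifiableRegistryPath;
# with PrivescCheck imported, pipe the paths from Get-ProcmonPath into those functions instead.

# Constructed sample of a Procmon CSV export (File > Save... > CSV, default columns); process and paths are made up
$SampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:00.0000000 PM","svc.exe","1234","CreateFile","C:\ProgramData\Vendor\config.ini","SUCCESS","Desired Access: Generic Read"
"1:00:00.0000001 PM","svc.exe","1234","CreateFile","C:\Program Files\Vendor\plugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:00:00.0000002 PM","svc.exe","1234","RegOpenKey","HKLM\SOFTWARE\Vendor\Service","SUCCESS","Desired Access: Read"
"1:00:00.0000003 PM","svc.exe","1234","RegQueryValue","HKLM\SOFTWARE\Vendor\Service\PluginPath","NAME NOT FOUND","Length: 144"
"1:00:00.0000004 PM","svc.exe","1234","Thread Create","","SUCCESS","Thread ID: 99"
'@

# Extract unique filesystem and registry paths from Procmon CSV text
function Get-ProcmonPath {
    param([Parameter(Mandatory)][string]$CsvText)
    # Procmon abbreviates hive names; Get-Acl needs the long form under the Registry:: provider
    $hives = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCU = 'HKEY_CURRENT_USER'; HKU = 'HKEY_USERS'
                HKCR = 'HKEY_CLASSES_ROOT'; HKCC = 'HKEY_CURRENT_CONFIG' }
    $valueOps = 'RegQueryValue', 'RegSetValue', 'RegDeleteValue'   # Path ends with a value name; ACLs live on the key
    $seen = @{}
    foreach ($e in ($CsvText | ConvertFrom-Csv)) {
        if (-not $e.Path) { continue }                               # e.g. Thread Create, Process Start
        if ($e.Operation -like 'Reg*') {
            $path = $e.Path
            if ($valueOps -contains $e.Operation) {
                $i = $path.LastIndexOf('\'); if ($i -gt 0) { $path = $path.Substring(0, $i) }
            }
            $hive, $rest = $path -split '\\', 2
            if (-not $hives.ContainsKey($hive)) { continue }
            $path = "$($hives[$hive])\$rest"; $kind = 'Registry'
        } elseif ($e.Path -match '^([A-Za-z]:\\|\\\\)') {            # drive-letter or UNC path
            $path = $e.Path; $kind = 'FileSystem'
        } else { continue }
        $key = "$kind|$path".ToLowerInvariant()
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        [pscustomobject]@{ Kind = $kind; Path = $path; Operation = $e.Operation; Result = $e.Result }
    }
}

# String-based parent walk so it also works for Registry:: provider paths
function Get-ParentPath([string]$Path) {
    if ($Path -match '^[A-Za-z]:\\$') { return $null }              # drive root has no parent
    $i = $Path.LastIndexOf('\')
    if ($i -le 1) { return $null }                                   # no separator left, or UNC '\\' prefix reached
    $parent = $Path.Substring(0, $i)
    if ($parent -match '^[A-Za-z]:$') { $parent += '\' }             # keep 'C:\', since 'C:' means the current directory
    return $parent
}

# SIDs of the current user and its groups, used to match ACEs
$UserSids = & {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-UserWritable {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][ValidateSet('FileSystem', 'Registry')][string]$Kind)
    $probe = if ($Kind -eq 'Registry') { "Registry::$Path" } else { $Path }
    # A missing object is still interesting: the nearest existing ancestor decides whether the user can create it
    while ($probe -and -not (Test-Path -LiteralPath $probe -ErrorAction SilentlyContinue)) { $probe = Get-ParentPath $probe }
    if (-not $probe) { return $false }
    try { $acl = Get-Acl -LiteralPath $probe -ErrorAction Stop } catch { return $false }
    # Simplified write mask (Modify, FullControl and WriteKey contain these bits); generic access masks and
    # inheritance/propagation flags are not evaluated here
    $writeBits = if ($Kind -eq 'Registry') {
        [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    } else {
        [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($UserSids -notcontains $sid) { continue }
        $rights = if ($Kind -eq 'Registry') { [int]$ace.RegistryRights } else { [int]$ace.FileSystemRights }
        if (($rights -band $writeBits) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }    # a matching Deny ACE overrides any Allow
        $allowed = $true
    }
    return $allowed
}

# Run the whole pipeline on a CSV file, or on the constructed sample when no file is given
function Find-UserWritableProcmonPath {
    param([string]$CsvPath)
    $text = if ($CsvPath) { Get-Content -LiteralPath $CsvPath -Raw } else { $SampleCsv }
    foreach ($p in (Get-ProcmonPath -CsvText $text)) {
        if (Test-UserWritable -Path $p.Path -Kind $p.Kind) { $p }
    }
}

Find-UserWritableProcmonPath | Format-Table -AutoSize
```

Rows whose Result is NAME NOT FOUND deserve first attention: a DLL, file or registry value that does not exist under a parent the user can write to can simply be planted, with no existing object to overwrite. Reviewing the Operation column alongside (CreateFile with write access, Load Image, RegSetValue) tells you whether the privileged process reads or writes the location, which decides how the finding can be exploited.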
