Incident Response

Hello All. So unless you have been hiding under a rock somewhere, you probably have heard about the SolarWinds breach and the further compromise of the integrity of their software and update facility.

I am not going to get too far into the backstory of the breach, as there have been so many deep-dive explanations of this, including some great posts on the mechanics of the malware:

I will however provide a VERY brief and quick synopsis:

  • SolarWinds Orion Supply chain Attack – AKA SUNBURST or Solorigate perpetrated most probably by a Russian government sponsored group known as UNC2452 (FireEye), Dark Halo (Volexity), SolarStorm (Palo Alto) or APT29/Cozy Bear.
  • 18,000 initial customers had the malicious update installed (this does not necessarily mean all of those organizations have actually been breached).
  • A patch (hotfix) was made available by SolarWinds on December 15.
  • The malicious binaries have been detected and removed by Microsoft Defender since December 16.
  • The main C2 infrastructure domain has been seized and sinkholed by Microsoft and the security industry and is now being used as a Killswitch for the malware.
  • In addition to the SolarWinds flaw, there may have been additional initial access vectors. This is still being investigated.
  • Palo Alto identified a second backdoor used in some cases, which may indicate a second attacker.
  • From SolarWinds’ own advisory, which was last updated on 24 December: SolarWinds Orion Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are vulnerable. Log into the SolarWinds customer portal to download hotfix release 2020.2.1 HF 2.

Also a great diagram from Microsoft describing the attack:

So what is the fallout thus far? Is this survivable for SolarWinds? 

A number of very large Fortune companies as well as governments have been affected, including Cisco, Intel, Deloitte, Nvidia and VMware, as well as many governments including that of the US. This was such a big breach that it triggered a White House National Security Council meeting on Dec 13. Now, other companies have survived these types of breaches in the past. Not nearly as notable, but companies like Zoom have seen their share of issues, and most recently FireEye, an infosec company known for assisting organizations with nation-state breaches (Mandiant), was breached by a nation state. Both are still going strong. So I guess time will tell. Much like Zoom’s purchase of Keybase to show how critical security was to the company, SolarWinds (although they have security products) should take a break from product company acquisitions and make a strategic buy of a known company in the security space to improve its security and, as a byproduct, improve its image.

I mean, their stock has certainly taken a beating, selling for $22.88 USD on Nov 30 and now selling for $14.89 USD. It looks like the stock has flatlined; however, we are in the middle of a holiday stretch. The interesting detail related to the stock is the dramatic drop on Dec 11, which coincides with the public announcement of the breach following the breach investigation in which FireEye discovered that SolarWinds Orion updates had been corrupted and weaponized by hackers. Now the interesting bit is that on Wednesday, December 9, 2020, a CEO transition plan and stock transactions were announced – two days before SolarWinds apparently knew about the breach. This includes:

  • SolarWinds CEO Transition: The company discloses Sudhakar Ramakrishna will succeed Kevin Thompson as SolarWinds president and CEO, effective January 4, 2021. The CEO announcement is made before FireEye apparently alerts SolarWinds about the breach two days later on December 11.
  • SolarWinds Stock Transactions: On the financial front, Canada Pension Plan Investment Board (CPP Investments) has made a $315 million secondary investment in SolarWinds. The deal involves CPP buying an existing stake from private equity firms Silver Lake and Thoma Bravo, and their respective co-investors. The transaction disclosure is made before FireEye apparently alerts SolarWinds about the breach two days later on December 11.

Furthermore, SolarWinds investors traded $280 million in stock days before the hack was revealed. Don’t forget another important tidbit in the timeline – on Dec 8, FireEye disclosed that state-sponsored hackers broke into FireEye’s network and stole the company’s Red Team penetration testing tools – the same people who were investigating the breach at SolarWinds… thankfully, the investigation into the FireEye breach identified the malicious lines of code in Orion. I assume the SEC is already knee-deep in investigating this.


Hello All. I am working on a project where I have to enumerate a Windows fileserver and provide details on NTFS permissions and ownership of directories and files. I wanted to provide some thoughts on some of the tools and scripts out there to do this and how well they work.

I am specifically referring here to file/directory permissions (referred to as “Security” in the example below) and not share permissions; these are two totally different things. I will cover share permissions in a follow-up post.

So essentially, unless you want to spend a bunch of money on a commercial tool such as Quest Software’s Security Explorer or Varonis’ DataPrivilege Platform, you are left with scripting it yourself or using one of the free tools covered below. Some things you want to consider when doing this:

  1. The time it takes to run. If you have a huge filesystem, this could take a while.
  2. Memory is the other thing.


Enumerating NTFS permissions can be performed using the PowerShell Get-Acl cmdlet to return permissions on objects like files, folders, and registry keys. The example below gets the permissions set on the C:\Program Files folder and all the available properties.

(Get-Acl -Path "C:\Program Files").Access

Get-Acl is unable to recursively return all the permissions of folders in the directory tree. So, if you want to enumerate all the permissions on all folders in a directory tree, you need to use the Get-ChildItem cmdlet with the -Recurse parameter to list all the folders in the tree and then pass the results to Get-Acl using a ForEach loop.

Here is a quick script – you will still need to update the PS1 to include the path you want to enumerate:

# Recursively list every folder under the target path (update this path before running)
$FolderPath = Get-ChildItem -Directory -Path "C:\Program Files" -Recurse -Force
$Output = @()
ForEach ($Folder in $FolderPath) {
    # Read the DACL of the current folder
    $Acl = Get-Acl -Path $Folder.FullName
    # Emit one row per access control entry
    ForEach ($Access in $Acl.Access) {
        $Properties = [ordered]@{'Folder Name'=$Folder.FullName;'Group/User'=$Access.IdentityReference;'Permissions'=$Access.FileSystemRights;'Inherited'=$Access.IsInherited}
        $Output += New-Object -TypeName PSObject -Property $Properties
    }
}
$Output | Out-GridView

This will output a nice looking, grid view of the NTFS permissions:

If you would rather get a spiffy CSV file, then simply replace the last line of the script with: $Output | Export-Csv -Path .\enum.csv

This will create a file called enum.csv:

Ok, one thing to note: you may notice some of the permissions come back as numerical and not the typical “Full Control”, for example.

As per Cjwdev, who explains it better than I could: there is a FileSystemRights Enum defined that seems to contain every possible permission that a file/directory can have, and calling AccessRule.FileSystemRights returns a combination of these values. However, you may come across some permissions where the value in this property does not match any of the values in the FileSystemRights Enum.

The end result of this is that for some files/directories you simply cannot determine which permissions are assigned to them. If you do AccessRule.FileSystemRights.ToString then for these values all you see is a number rather than a description (e.g. Modify, Delete, FullControl etc). Common numbers you may see are: -1610612736, -536805376, and 268435456

To figure out what these permissions actually are, you need to look at which bits are set when you treat that number as 32 separate bits rather than as an Integer (as Integers are 32 bits long), and compare them to this diagram:

So for example, -1610612736 has the first bit and the third bit set, which means it is GENERIC_READ combined with GENERIC_EXECUTE. So now you can convert these generic permissions into the specific file system permissions that they correspond to.

You can see which permissions each generic permission maps to here. Just be aware that STANDARD_RIGHTS_READ, STANDARD_RIGHTS_EXECUTE and STANDARD_RIGHTS_WRITE are all the same thing and actually all equal the FileSystemRights.ReadPermissions value.
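As an added example (not code from the original post or from Cjwdev), here is a PowerShell function that does the bit-level decoding described above: it views the signed integer as 32 raw bits, tests the four GENERIC_* bits in the top nibble, and expands each one into the FILE_GENERIC_* rights Windows maps it to for files and folders, so the result can be cast back to FileSystemRights and read by name. The function name and the FILE_GENERIC_* constants (taken from winnt.h) are my assumptions, not something the post defines.

```powershell
# Added example, not code from the original post or from Cjwdev: decode a raw
# FileSystemRights integer by testing the GENERIC_* bits and expanding each into
# the FILE_GENERIC_* rights Windows maps it to for files (values from winnt.h).
function Convert-GenericFileRights {
    param([Parameter(Mandatory)][int]$RawRights)   # e.g. [int]$Access.FileSystemRights

    # View the signed Int32 as 32 raw bits; the "sign" bit is really GENERIC_READ
    [int64]$Mask = [int64]$RawRights -band 4294967295   # 0xFFFFFFFF

    # Generic bit -> specific file rights it maps to (winnt.h FILE_GENERIC_*)
    $GenericMap = @(
        @{ Name = 'GENERIC_READ';    Bit = [Convert]::ToInt64('80000000', 16); Specific = 0x120089 }  # FILE_GENERIC_READ
        @{ Name = 'GENERIC_WRITE';   Bit = [Convert]::ToInt64('40000000', 16); Specific = 0x120116 }  # FILE_GENERIC_WRITE
        @{ Name = 'GENERIC_EXECUTE'; Bit = [Convert]::ToInt64('20000000', 16); Specific = 0x1200A0 }  # FILE_GENERIC_EXECUTE
        @{ Name = 'GENERIC_ALL';     Bit = [Convert]::ToInt64('10000000', 16); Specific = 0x1F01FF }  # FILE_ALL_ACCESS
    )

    # Keep any specific bits already present below the generic nibble (e.g. DELETE = 0x10000)
    [int64]$Specific = $Mask -band 0x0FFFFFFF
    $Found = @()
    foreach ($Entry in $GenericMap) {
        if (($Mask -band $Entry.Bit) -ne 0) {
            $Found += $Entry.Name
            $Specific = $Specific -bor $Entry.Specific
        }
    }

    [PSCustomObject]@{
        RawValue         = $RawRights
        Hex              = '0x{0:X8}' -f $Mask
        GenericRights    = $Found -join ', '
        # Casting the expanded mask to the enum yields the familiar names (Modify, Synchronize, ...)
        FileSystemRights = [System.Security.AccessControl.FileSystemRights][int]$Specific
    }
}

# Decode the three values the post mentions
-1610612736, -536805376, 268435456 | ForEach-Object { Convert-GenericFileRights -RawRights $_ } | Format-Table -AutoSize
```

To use it on the output of the enumeration script, pass [int]$Access.FileSystemRights for each access rule instead of the literal values at the bottom.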

Free Tools

Now, if PowerShell isn’t your thing and you just want to run a tool, well, there are a few free ones out there. Here are the options I recommend. Don’t be fooled by some of the stuff you find on the Internet. Make sure what you download is reputable, as you will be running it on a potentially very important and maybe sensitive server file system. I also tend to stay away from those “Free Versions” of software or trials. They also may require you to install a whole bunch of crap to get them to run (i.e. SQL Server, .NET, etc.). If I want to go this route, well, see above about Quest and Varonis.

Sysinternals AccessEnum – OK, let’s face it Mark Russinovich and his crew are gods when it comes to Windows internals. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you find security holes and lock down permissions where necessary.

When you run AccessEnum against a top-level folder in a folder tree, the tool scans the files and folders beneath it and reports back where permissions are different from the parent. You get something like this as an output:

There is a save button at the bottom, so you can move all this data to CSV and Excel. The other thing to be aware of is what this tool will provide from an information perspective:

Sysinternals AccessChk – As a part of ensuring that they’ve created a secure environment, Windows administrators often need to know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services. AccessChk quickly answers these questions with an intuitive interface and output.

To see all files under c:\, simply use the following command:

accesschk c:\

This will produce the following output:

If you add the -s flag, this will allow the tool to pull permissions recursively (i.e. accesschk -s c:\)

Now, the good thing is that since this is a command line tool, you can do a quick redirect of stdout to a .txt file and you have an external file to play with. The only issue is you may need to do a bit of Excel magic, as the output is not in a delimited format like CSV.

Finally, a runner-up would be CJWDEV’s NTFS Permissions Reporter. CJWDEV is who I referred to earlier in this post. This tool is one of those “free” versions of software. It displays groups and users with either direct or nested access for an entire file system directory. The report can be generated in either a tree or table format with color-coded access levels. Here it is in action:
