 I'm going to show you now how that you can in a restricted environment find files that you are allowed to write to and for example it would be interesting to find executables that you are allowed to write to Now imagine that you're in a restricted environment where you cannot execute an arbitrary program so you cannot bring in a program like accessNM from CIS internals to see what you are doing what accesses you have So what I did was develop a DLL findWriteable files which looks for files that a certain user can write to by using the Windows API and I'm going to inject that DLL into Excel and run it from Excel so that I bypass any restrictions on applications that might execute So imagine that I'm first on my system that I want to prepare So I run my file container, this is something I've already shown in videos, but here there's a small change to it Now you can not only save files but you can also inject files into the memory of Excel So we are going to prepare our audit So I load the findWriteable files DLL into the spreadsheet like this So it is now created in this sheet with the name and you can see here 4D5A which is MZ and the start of a PE file And now I'm going to save this findWriteableFiles like this So imagine now that I go to the system that I want to audit like this So on this system I only have my command shell and findWriteableFiles to spreadsheets So first I open this one and I run a command And then I open my writeable files and I inject this DLL into memory So that's the address A17000 so let's go to the command and say DLL from address A17000 Okay, so this is my DLL. So my DLL takes 3 arguments You have to give it the directory that you want to scan You have to give it the account name for which you want to check access for And then a file that will contain the results And these 3 arguments have to be written stored inside environment variables So FWFdir, FWFact and FWFlog those are the 3 environment variables That we have to create for the DLL to know its arguments So let me create the environment variable for the directory you want to scan And we are going to scan program files like this And then the account I want to know what I can do So I'm test user on this system so set FWFact equals W701 test user And then I want a log file that contains the results So result.xt like this And then we can load the DLL again like this Okay, and now it is scanning program files to see what accesses that I have Okay, so the scan is terminated Let's take a look So we have a result file now and if we look into the result file I can see that my owner, my user, so test user here in this folder on this system Has full control over this file which is actually the word executable So the Microsoft word executable I have full control over this executable So I can change it and by that have other people run an executable that I chose