From 3567cf6fc0ae5846ce4f49e779c7c1633c174ae0 Mon Sep 17 00:00:00 2001 From: g0t mi1k Date: Wed, 22 Jul 2020 16:05:54 +0100 Subject: [PATCH] Writable locations Windows Source: https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md accesschk -w -s -q -u Users "C:\Program Files" >> programfiles.txt accesschk -w -s -q -u Everyone "C:\Program Files" >> programfiles.txt accesschk -w -s -q -u "Authenticated Users" "C:\Program Files" >> programfiles.txt accesschk -w -s -q -u Interactive "C:\Program Files" >> programfiles.txt accesschk -w -s -q -u Users "C:\Program Files (x86)" >> programfilesx86.txt accesschk -w -s -q -u Everyone "C:\Program Files (x86)" >> programfilesx86.txt accesschk -w -s -q -u "Authenticated Users" "C:\Program Files (x86)" >> programfilesx86.txt accesschk -w -s -q -u Interactive "C:\Program Files (x86)" >> programfilesx86.txt accesschk -w -s -q -u Users "C:\Windows" >> windows.txt accesschk -w -s -q -u Everyone "C:\Windows" >> windows.txt accesschk -w -s -q -u "Authenticated Users" "C:\Windows" >> windows.txt accesschk -w -s -q -u Interactive "C:\Windows" >> windows.txt
---
.../File-System/windows-writable-locations.txt | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 Discovery/File-System/windows-writable-locations.txt
diff --git a/Discovery/File-System/windows-writable-locations.txt b/Discovery/File-System/windows-writable-locations.txt
new file mode 100644
index 00000000..a8652690
--- /dev/null
+++ b/Discovery/File-System/windows-writable-locations.txt
@@ -0,0 +1,15 @@
+C:\Windows\Tasks
+C:\Windows\Temp
+C:\windows\tracing
+C:\Windows\Registration\CRMLog
+C:\Windows\System32\FxsTmp
+C:\Windows\System32\com\dmp
+C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
+C:\Windows\System32\spool\PRINTERS
+C:\Windows\System32\spool\SERVERS
+C:\Windows\System32\spool\drivers\color
+C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
+C:\Windows\SysWOW64\FxsTmp
+C:\Windows\SysWOW64\com\dmp
+C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
+C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
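Review bot: The third entry, `C:\windows\tracing`, is the only one spelled with a lower-case `windows`; normalising it to `C:\Windows\tracing` keeps the list uniform for consumers that compare or de-duplicate entries case-sensitively. The commit message lists accesschk runs against `C:\Program Files` and `C:\Program Files (x86)` as well, yet the new file holds only `C:\Windows` paths and nothing records which Windows build the results reflect. Directory ACLs vary with build and installed software, so the description should say this is a baseline to re-verify with those accesschk commands when auditing AppLocker path rules, not an exhaustive list. Every entry also hard-codes the `C:` drive, which presumably will not match hosts where the Windows directory lives on another volume.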