Friday, November 8, 2019

Viewing file activity on a Remote fileshare without permissions

At Ignite 2019 in Orlando I demonstrated how you can view file activity on a remote share with no permissions. This demo is made against a "Home folder share" which normally allows only very limited rights to the shares root, and then NO PERMISSIONS for anything under it. By Microsoft's opinion this is not a problem and not a security issue because I can't see the content of the files but only the file names. I don't agree at all as the file names, and all metadata what so ever, are in my opinion "data" as well. The weakness is deep inside the filesystem and you can abuse it with different languages. I will use PowerShell.

Does this mean that I can read other peoples email as long as I only read the Subject?

What you need is very simple. Start by downloading this PS Module from this article here: https://mcpmag.com/articles/2015/09/24/changes-to-a-folder-using-powershell.aspx

Then load the module, and allow it to run - depending on your environment you might need Set-Executionpolicy first.

Run Start-FileSystemWatcher -Path "\\server\yourhomeshare" -Recurse

Now you can see all file activity, even if you don't have permissions to do so ;)

Cheers from Orlando,

Sami

PS. A lot of credit on helping me to find this has to go to Mr. "T" from Finland.