Powershell: find folders and files modified by certain user

  • Question

  • We've recently had a user tricked into installing a remote tool (e.g., LogMeIn) on his laptop. After reformatting his laptop and recreating his roaming profile, we're still concerned that the attacker might have copied dangerous files over to the file servers.  I wanted to create a PowerShell script to search for new/modified folders and files from a list of servers (or maybe even browse the network...) by one particular user name (read-host enter UPN or Logon?). Anyone have something like this?

    Additionally, any other suggestions would be greatly appreciated.  I think we'll be setting up auditing policies, and training our users more about phishing/social engineering attacks like this.

    Wednesday, November 25, 2015 11:27 PM

Answers

  • The user was a local Admin of his computer. That computer is now reformatted, and his privileges have been limited.  I agree that LogMeIn is not a security risk.  That wasn't what I meant though.  I was looking for a script that would help me find out what permissions the user has on the FILE SERVER.  I ended up using AccessEnum from SysInternals to help me out. 

    Friday, November 27, 2015 2:30 PM

All replies

  • Please read the following post from right at the top of this forum:

    This forum is for scripting questions rather than script requests


    -- Bill Stewart [Bill_Stewart]

    Wednesday, November 25, 2015 11:59 PM
    Moderator
  • Normal users cannot install anything.

    I suggest contacting LogMeIn for assistance with this.  They will be able to show you how to find all of the files.  This is not a scripting issue.

    LogMeIn is NOT a security risk. The simple client only allows a user to log into a remote LogMeIn server.  The local server component runs as a service and can only be installed by an administrator.


    \_(ツ)_/

    Thursday, November 26, 2015 12:01 AM
  • I should also point out that AccessEnum helps, but it doesn't always report ALL the sub-folders either.  If the user that launches the utility doesn't have permission to the folder, it won't report it.  Still a decent utility though.

    Additionally, I can't find a way to see if a "user" actually modified a folder/file.  I could if I enable Auditing through Group Policy/Local Security, but if that wasn't enabled, then I can't...I guess this makes sense, but it would be nice...oh well, live and learn...

    Saturday, November 28, 2015 2:29 AM
  • There is no immediate mechanism in Windows that tracks file modifications.

    You can enable auditing and apply a SACL to a file or folder and all mods will be recorded in the Event Security Log.

    Here is some background on how to do this: https://technet.microsoft.com/en-us/library/cc771070.aspx?f=255&MSPPError=-2147217396


    \_(ツ)_/

    Saturday, November 28, 2015 2:38 AM
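A worked PowerShell example of what the question asks for and what the SACL reply describes, added here and not code from the thread: it applies an audit SACL for one account, reads the resulting 4663 events from the Security log, and falls back to a scan of recently changed files by NTFS owner when auditing was not on yet. The share path, the account name, and the assumption that "Audit Object Access" / "Audit File System" is already enabled on the file server are placeholders; run it elevated on the server.

```powershell
# Added example, not from the thread. Placeholders: $SharePath, $SuspectUser.
# Assumes object-access auditing is enabled (auditpol / Group Policy) and
# the script runs elevated (Set-Acl on a SACL needs SeSecurityPrivilege).
param(
    [string]$SharePath   = 'D:\Shares\Finance',   # placeholder path
    [string]$SuspectUser = 'CONTOSO\jdoe',        # placeholder DOMAIN\user
    [datetime]$Since     = (Get-Date).AddDays(-14)
)

# 1) Apply a SACL so writes/deletes by this account are logged as event 4663.
#    Only accesses from this point on are recorded; nothing is backfilled.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $SuspectUser,
    'Write, Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success')
$acl = Get-Acl -Path $SharePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 2) Pull 4663 ("An attempt was made to access an object") events for the user.
#    Fields of interest in the event XML: SubjectUserName, SubjectDomainName,
#    ObjectName, AccessMask.
$domain, $user = $SuspectUser -split '\\', 2
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.SubjectUserName -eq $user -and $d.SubjectDomainName -eq $domain) {
            [pscustomobject]@{ Time = $_.TimeCreated; Object = $d.ObjectName; Mask = $d.AccessMask }
        }
    } | Sort-Object Time | Format-Table -AutoSize

# 3) Fallback when auditing was not on: recently created/changed files whose
#    NTFS owner is the account. Owner records the creator, not the last writer,
#    so treat this as a lead, not proof of who modified the file.
Get-ChildItem -Path $SharePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
    ForEach-Object {
        $owner = (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner
        if ($owner -eq $SuspectUser) {
            [pscustomobject]@{ Path = $_.FullName; Owner = $owner; LastWrite = $_.LastWriteTime }
        }
    } | Format-Table -AutoSize
```

The fallback scan has the same blind spot the AccessEnum reply mentions: folders the running account cannot read are skipped silently, so run it as an account with read access to the whole share.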
  • I would add that this is a scripting questions forum, not a Windows security forum...

    -- Bill Stewart [Bill_Stewart]

    Sunday, November 29, 2015 2:57 AM
    Moderator