Default Writeable Folders
1. System and Temporary Directories
1.1 C:\Windows\Temp
Description: Temporary storage for system files, application installers, and other transient data.
Security Consideration: Any authenticated user can create files here, and installers and services running as SYSTEM routinely read from it, so it is a common drop and staging location; monitor for unexpected executables, scripts and DLLs rather than only for "suspicious" names.
1.2 C:\Users\Public
Description: Shared folder accessible to all users on the system.
Security Consideration: Avoid storing sensitive data here, as it can be accessed or modified by any user.
2. Spool and Printing Directories
2.1 C:\Windows\System32\spool\drivers\color
Description: Holds color profiles for printers.
Security Consideration: Writeable by standard users by default and used by some malware as a staging or persistence location because it sits under System32 and looks legitimate. Regularly check for files that are not color profiles.
2.2 C:\Windows\System32\spool\printers
Description: Stores files in the print queue awaiting printing.
Security Consideration: Standard users can create files here but not list them. Monitor for unusual files, since the spooler service runs as SYSTEM and misuse of it can lead to privilege escalation.
2.3 C:\Windows\System32\spool\servers
Description: Contains spooler server files.
Security Consideration: Writeable by standard users by default; verify the ACL has not been loosened further and treat any file that is not a spooler artifact as suspicious.
3. Machine-Specific Keys and Debugging Directories
3.1 C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
Description: Stores cryptographic keys used by the system and applications.
Security Consideration: Holds machine-scoped private key containers (for example for IIS and RDP certificates). Monitor for unauthorized changes, new files, or unexpected read access, as this directory may be targeted to steal private key material.
3.2 C:\Windows\debug\wia
Description: Holds debugging files for Windows Image Acquisition.
Security Consideration: Writeable by standard users and rarely inspected, so attackers may use it to stage tools; treat any content that is not Windows Image Acquisition debug output as suspicious.
4. Task and Scheduled Job Directories
4.1 C:\Windows\Tasks
Description: Contains scheduled tasks and job files.
Security Consideration: Monitor for unauthorized modifications or additions, as attackers often exploit this directory for persistence.
4.2 C:\Windows\System32\tasks / C:\Windows\SysWOW64\tasks
Description: Stores scheduled tasks managed by the Task Scheduler.
Security Consideration: Unauthorized additions or modifications may indicate attempts to establish persistence or run code with elevated privileges. Note that dropping an XML file here does not by itself register a task (definitions are also recorded under the Task Scheduler's TaskCache registry key), so correlate unexpected files with schtasks output and Task Scheduler event logs.
5. Tracing and Registration Directories
5.1 C:\Windows\tracing
Description: Used for network and application tracing.
Security Consideration: Writeable by standard users; attackers may use it to stage tools or collected data. Check for files that are not trace logs.
5.2 C:\Windows\registration\crmlog
Description: Contains registration logs.
Security Consideration: Rarely targeted but should be monitored for unauthorized files.
6. Communication and Dump Directories
6.1 C:\Windows\System32\com\dmp / C:\Windows\SysWOW64\com\dmp
Description: Stores dump files related to the Component Object Model (COM).
Security Consideration: Monitor for files that are not COM+ dump output, as anything else here indicates misuse of a writeable system location.
7. Fax Directories
7.1 C:\Windows\System32\fxstmp / C:\Windows\SysWOW64\fxstmp
Description: Temporary storage for fax data.
Security Consideration: Attackers may target this location for persistence or data exfiltration.
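The following PowerShell script is an added example and is not part of the original page. It walks the directories listed above, reports which of them grant write or create rights to low-privileged principals (BUILTIN\Users, Everyone, Authenticated Users, INTERACTIVE), and lists files modified in the last few days. Reading a directory's ACL needs only READ_CONTROL, which standard users normally have, but several of these folders (the spool directories in particular) allow creating files without listing them, so run the file listing part from an elevated shell to avoid silent gaps. The principal list, the lookback window and the output format are choices made for this example.

```powershell
# Added example (not from the original page): audit the default writeable folders.
# Paths are the ones listed on this page, resolved through environment variables.
$Paths = @(
    "$env:SystemRoot\Temp",
    "$env:SystemDrive\Users\Public",
    "$env:SystemRoot\System32\spool\drivers\color",
    "$env:SystemRoot\System32\spool\printers",
    "$env:SystemRoot\System32\spool\servers",
    "$env:SystemRoot\System32\Microsoft\Crypto\RSA\MachineKeys",
    "$env:SystemRoot\debug\wia",
    "$env:SystemRoot\Tasks",
    "$env:SystemRoot\System32\tasks",
    "$env:SystemRoot\SysWOW64\tasks",
    "$env:SystemRoot\tracing",
    "$env:SystemRoot\registration\crmlog",
    "$env:SystemRoot\System32\com\dmp",
    "$env:SystemRoot\SysWOW64\com\dmp",
    "$env:SystemRoot\System32\fxstmp",
    "$env:SystemRoot\SysWOW64\fxstmp"
)

# Principals whose write access makes a folder "writeable by anyone" (assumption for this example).
$LowPrivPrincipals = @(
    'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

# FILE_WRITE_DATA (0x2) and FILE_APPEND_DATA (0x4) are contained in every named
# write-capable FileSystemRights value (Write, Modify, FullControl). Get-Acl shows
# generic rights as raw numbers, so GENERIC_WRITE (0x40000000) and GENERIC_ALL
# (0x10000000) are included too; otherwise an ACE granting them would be missed.
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-LowPrivWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-RecentDrops {
    param([string]$Path, [int]$Days = 7)
    # -Force includes hidden files; errors (no list permission) are suppressed, so run elevated for full coverage.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, Length, LastWriteTime
}

foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { Write-Host "[-] $p (not present on this host)"; continue }
    $writers = @(Get-LowPrivWriteAccess -Path $p)
    if ($writers.Count -eq 0) { Write-Host "[ ] $p : no low-privilege write ACE"; continue }
    $who = ($writers.Principal | Sort-Object -Unique) -join ', '
    Write-Host "[!] $p writeable by: $who"
    Get-RecentDrops -Path $p | ForEach-Object {
        Write-Host ("    {0:u}  {1,10}  {2}" -f $_.LastWriteTime, $_.Length, $_.FullName)
    }
}
```

A write ACE on one of these folders is a precondition, not an exploit: what matters is whether a privileged process loads or executes something from the path. Use the output to decide where to add file-creation auditing (SACL or Sysmon event 11) rather than to tighten ACLs blindly, since several of these directories must stay writeable for the spooler, Task Scheduler and installers to function.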
Additional Network Enumeration Commands
ARP Table
Command: arp -a
Description: Displays the ARP cache, mapping IP addresses to MAC addresses for each interface.
Output: IP-to-MAC mappings for hosts this machine has recently exchanged traffic with on the local network, plus static entries for multicast and broadcast addresses.
Network Neighbors (PowerShell)
Command: Get-NetNeighbor -AddressFamily IPv4
Description: Lists network neighbors with IPv4 addresses, showing interface index, IP address, MAC address, and connection state.
Output: A structured table of network neighbor details.
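The following PowerShell script is an added example and is not part of the original page. It builds on the Get-NetNeighbor call above: it keeps only entries that reflect real traffic (dropping Unreachable stubs and the Permanent multicast/broadcast entries), records the MAC currently answering for the default gateway, and flags any MAC that claims more than one IPv4 address, which is what a basic ARP-spoofing attempt looks like from the victim's neighbor table. The state filter and the "shared MAC" heuristic are choices made for this example.

```powershell
# Added example (not from the original page): neighbor table review with an ARP-spoofing indicator.

function Get-LiveNeighbors {
    # Only states that result from an actual exchange with the neighbor.
    Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object { $_.State -in 'Reachable', 'Stale', 'Delay', 'Probe' } |
        Select-Object ifIndex, IPAddress, LinkLayerAddress, State
}

function Find-SharedMacs {
    # One MAC answering for several IPs is the classic symptom of a spoofed gateway,
    # but routers with several addresses, VRRP/HSRP and virtualization hosts do this legitimately.
    param([object[]]$Neighbors)
    $Neighbors | Group-Object LinkLayerAddress | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ MAC = $_.Name; Count = $_.Count; IPs = ($_.Group.IPAddress -join ', ') }
        }
}

function Get-GatewayEntry {
    param([object[]]$Neighbors)
    # Lowest-metric default route gives the gateway address; look it up in the neighbor table.
    $gw = (Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
           Sort-Object RouteMetric | Select-Object -First 1).NextHop
    [pscustomobject]@{
        Gateway = $gw
        Entry   = ($Neighbors | Where-Object { $_.IPAddress -eq $gw })
    }
}

$live = @(Get-LiveNeighbors)
$live | Format-Table -AutoSize

$gwInfo = Get-GatewayEntry -Neighbors $live
if ($gwInfo.Entry) {
    Write-Host "Gateway $($gwInfo.Gateway) currently resolves to $($gwInfo.Entry.LinkLayerAddress) (record this for later comparison)"
} else {
    Write-Host "Gateway $($gwInfo.Gateway) is not in the neighbor table yet; send it traffic (e.g. a ping) and rerun"
}

Find-SharedMacs -Neighbors $live | ForEach-Object {
    Write-Host "[!] MAC $($_.MAC) answers for $($_.Count) addresses: $($_.IPs)"
}
```

Run it once to baseline the gateway's MAC, then compare on later runs: a gateway whose MAC changes to one that also appears beside other IPs is worth investigating before anything else on the list.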
References
Windows Security Documentation: Microsoft Security and Management
PowerShell Networking Documentation: Get-NetNeighbor Cmdlet