PowerShellEmpire / PowerTools

PowerTools is a collection of PowerShell projects with a focus on offensive operations.

Invoke-FindDLLHijack - Differentiate between System and current user's path #23

Open leechristensen opened 9 years ago

leechristensen commented 9 years ago

Currently, Invoke-FindDLLHijack does not differentiate between directories in the System path and directories in the current user's path. It'd be nice to be able to quickly determine if the hijack-able location is only in the current user's path since it affects whether or not the directory can be used for local privilege escalation.

HarmJ0y commented 9 years ago

There is a -ExcludeWindows flag as well as an -ExcludeProgramFiles flag, which will exclude all paths found under C:\Windows, C:\Program Files and C:\Program Files (x86)*. Are you thinking of a flag that filters just for the current user's directory path?

leechristensen commented 9 years ago

Not necessarily a filter, just a way to differentiate between writable directories in the current user's path (HKCU\Environment\PATH) and the system path (HKLM\System\ControlSet001\Control\Session Manager\Environment\Path?). Only writable directories in the SYSTEM path can be used for local privilege escalation, whereas writable directories in the current user's path can potentially be used for persistence or horizontal privilege escalation (but not local privilege escalation).
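The distinction requested above, as an added example that is not part of the issue thread or of PowerTools itself: it reads the machine PATH from HKLM (under CurrentControlSet rather than ControlSet001) and the user PATH from HKCU\Environment, tags each directory with the hive it comes from, and checks the directory's DACL against the SIDs in the current token instead of attempting a write. Function names (Get-PathHijackCandidate, Test-DirectoryWritable, Split-PathValue) and the output column names are this example's own choices, not PowerTools parameters.

```powershell
# Added example (not PowerTools code). Split a REG_EXPAND_SZ PATH value into clean entries.
function Split-PathValue {
    param([string]$Value)
    if (-not $Value) { return @() }
    $Value -split ';' | ForEach-Object { $_.Trim().Trim('"').TrimEnd('\') } | Where-Object { $_ }
}

# Returns $true/$false from the DACL, or $null when the DACL cannot be read.
function Test-DirectoryWritable {
    param([string]$Path, [string[]]$TokenSids)
    # CreateFiles/WriteData (0x2) plus the generic bits that imply it (GENERIC_WRITE, GENERIC_ALL).
    $writeBits = 0x2 -bor 0x40000000 -bor 0x10000000
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    $allow = $false; $deny = $false
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                   # unresolvable/orphaned SID
        if ($TokenSids -notcontains $sid) { continue }      # ACE is not for us or our groups
        if (($ace.FileSystemRights.value__ -band $writeBits) -eq 0) { continue }
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) { $deny = $true }
        else { $allow = $true }
    }
    return ($allow -and -not $deny)
}

# Lists every PATH directory with its origin (System/User/Both), whether it exists,
# whether the current token can write to it, and whether that makes it usable for
# local privilege escalation (only machine-PATH entries qualify).
function Get-PathHijackCandidate {
    [CmdletBinding()]
    param()

    $machineKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $userKey    = 'HKCU:\Environment'

    # Get-ItemProperty expands %SystemRoot%-style references, matching what the loader sees.
    $machineDirs = @(Split-PathValue (Get-ItemProperty -Path $machineKey -Name Path -ErrorAction SilentlyContinue).Path)
    $userDirs    = @(Split-PathValue (Get-ItemProperty -Path $userKey    -Name Path -ErrorAction SilentlyContinue).Path)

    # SIDs carried by the current token: the user plus every group it belongs to.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    foreach ($dir in ($machineDirs + $userDirs | Sort-Object -Unique)) {
        $inMachine = $machineDirs -contains $dir
        $inUser    = $userDirs    -contains $dir
        $scope     = if ($inMachine -and $inUser) { 'Both' } elseif ($inMachine) { 'System' } else { 'User' }

        $exists   = Test-Path -LiteralPath $dir -PathType Container
        $writable = if ($exists) { Test-DirectoryWritable -Path $dir -TokenSids $tokenSids } else { $null }

        # A PATH entry that does not exist is still interesting if we can create it ourselves.
        $parentWritable = $null
        if (-not $exists) {
            $parent = Split-Path -Path $dir -Parent
            if ($parent -and (Test-Path -LiteralPath $parent -PathType Container)) {
                $parentWritable = Test-DirectoryWritable -Path $parent -TokenSids $tokenSids
            }
        }

        [PSCustomObject]@{
            Path             = $dir
            Scope            = $scope
            Exists           = $exists
            Writable         = $writable
            ParentWritable   = $parentWritable
            # Writable (or creatable) and searched by processes outside this user's session.
            PrivEscCandidate = ($inMachine -and (($writable -eq $true) -or ($parentWritable -eq $true)))
        }
    }
}

Get-PathHijackCandidate | Where-Object { $_.Writable -or $_.ParentWritable } |
    Format-Table Path, Scope, Exists, Writable, ParentWritable, PrivEscCandidate -AutoSize
```

A process started in the user's session sees the machine PATH followed by the user PATH, so a `Scope` of `User` means only this user's processes will ever search that directory; a service or scheduled task running as SYSTEM or another account resolves PATH from its own environment and never reads this user's HKCU\Environment, which is why such entries are flagged as persistence-only rather than privilege escalation. The DACL check is deliberately conservative: it ignores owner-implied rights and does not distinguish deny-only group SIDs, so a `$true` result should be confirmed with an actual file drop before relying on it, and a `$null` result means the DACL could not be read.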

HarmJ0y commented 9 years ago

Cool, will check back into this shortly!