Techniques
Sample rules
Modify ACL permission To Files Or Folder
- source: splunk
- technicques:
- T1222
Description
The following analytic detects the modification of ACL permissions to files or folders, making them accessible to everyone or to system account. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes like “cacls.exe,” “icacls.exe,” and “xcacls.exe” with specific command-line arguments. This activity is significant as it may indicate an adversary attempting to evade ACLs or access protected files. If confirmed malicious, this could allow unauthorized access to sensitive data, potentially leading to data breaches or further system compromise.
Detection logic
| tstats `security_content_summariesonly` count
min(_time) as firstTime
max(_time) as lastTime
values(Processes.process) as process
values(Processes.process_id) as process_id
from datamodel=Endpoint.Processes where
Processes.process_name IN ("icacls.exe", "cacls.exe", "xcacls.exe")
Processes.process IN ("*/grant*", "*/g:*", "*/g *")
Processes.process IN ("* Everyone:*", "* SYSTEM:*", "* S-1-1-0:*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `modify_acl_permission_to_files_or_folder_filter`