Techniques
Sample rules
Windows File and Directory Permissions Enable Inheritance
- source: splunk
- technicques:
- T1222.001
Description
The following analytic detects the enabling of permission inheritance using ICACLS. This analytic identifies instances where ICACLS commands are used to enable permission inheritance on files or directories. The /inheritance:e flag, which restores inherited permissions from a parent directory, is monitored to detect changes that might reapply broader access control settings. Enabling inheritance can indicate legitimate administrative actions but may also signal attempts to override restrictive custom permissions, potentially exposing sensitive files to unauthorized access.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process = "*/inheritance:e*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_file_and_directory_permissions_enable_inheritance_filter`
Windows File and Directory Permissions Remove Inheritance
- source: splunk
- technicques:
- T1222.001
Description
The following analytic detects the removal of permission inheritance using ICACLS. This analytic identifies instances where ICACLS is used to remove permission inheritance from files or directories. The /inheritance:r flag, which strips inherited permissions while optionally preserving or altering explicit permissions, is monitored to detect changes that may restrict access or establish isolated permission configurations. Removing inheritance can be a legitimate administrative action but may also indicate an attempt to conceal malicious activity or bypass inherited security controls.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process = "*/inheritance:r*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_file_and_directory_permissions_remove_inheritance_filter`
Excessive Usage Of Cacls App
- source: splunk
- technicques:
- T1222
Description
The following analytic identifies excessive usage of cacls.exe, xcacls.exe, or icacls.exe to change file or folder permissions. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding in the persistence and concealment of malicious activities.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m
| where count >=10
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `excessive_usage_of_cacls_app_filter`
Windows File and Directory Enable ReadOnly Permissions
- source: splunk
- technicques:
- T1222.001
Description
The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes that could be intentional for restricting access or indicative of malicious behavior. Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") AND Processes.process IN ("*SYSTEM*", "*admin*", "*S-1-1-0*", "*EVERYONE*") by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_guid Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| rex field=process ":\\((?<permission>[^)]+)\\)"
| eval has_read_attribute=if(match(permission, "R"), "true", "false")
| eval has_write_execute=if(match(permission, "(W
|GA
|X
|M
|F
|AD
|DC
|DE)"), "true", "false")
| where has_write_execute="false" and has_read_attribute = "true"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_file_and_directory_enable_readonly_permissions_filter`