LoFP LoFP / administrators or administrative scripts may use this application. filter as needed.

Techniques

Sample rules

Excessive Usage Of Cacls App

Description

The following analytic identifies excessive usage of cacls.exe, xcacls.exe, or icacls.exe to change file or folder permissions. It looks for 10 or more execution of the aforementioned processes in the span of 1 minute. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding in the persistence and concealment of malicious activities.

Detection logic


| tstats `security_content_summariesonly` 
  min(_time) as firstTime 
  max(_time) as lastTime 
  values(Processes.dest) as dest
  values(Processes.user) as user 
  values(Processes.action) as action 
  values(Processes.original_file_name) as original_file_name 
  values(Processes.parent_process_exec) as parent_process_exec 
  values(Processes.parent_process_guid) as parent_process_guid
  values(Processes.parent_process_id) as parent_process_id 
  values(Processes.parent_process_path) as parent_process_path 
  values(Processes.process) as process 
  values(Processes.process_exec) as process_exec 
  values(Processes.process_guid) as process_guid 
  values(Processes.process_hash) as process_hash 
  values(Processes.process_id) as process_id 
  values(Processes.process_integrity_level) as process_integrity_level 
  values(Processes.process_name) as process_name 
  values(Processes.process_path) as process_path 
  values(Processes.user_id) as user_id 
  values(Processes.vendor_product) as vendor_product count 
from datamodel=Endpoint.Processes where 
Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") 
by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m 

| where count >=10 

| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)` 

| `security_content_ctime(lastTime)` 

| `excessive_usage_of_cacls_app_filter`

Windows File and Directory Permissions Remove Inheritance

Description

The following analytic detects the removal of permission inheritance using ICACLS. This analytic identifies instances where ICACLS is used to remove permission inheritance from files or directories. The /inheritance:r flag, which strips inherited permissions while optionally preserving or altering explicit permissions, is monitored to detect changes that may restrict access or establish isolated permission configurations. Removing inheritance can be a legitimate administrative action but may also indicate an attempt to conceal malicious activity or bypass inherited security controls.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")  AND Processes.process = "*/inheritance:r*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_file_and_directory_permissions_remove_inheritance_filter`

Windows File and Directory Enable ReadOnly Permissions

Description

The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes that could be intentional for restricting access or indicative of malicious behavior. Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") AND Processes.process IN ("*SYSTEM*", "*admin*", "*S-1-1-0*", "*EVERYONE*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
| `drop_dm_object_name(Processes)` 
| rex field=process ":\\((?<permission>[^)]+)\\)" 
| eval has_read_attribute=if(match(permission, "R"), "true", "false") 
| eval has_write_execute=if(match(permission, "(W
|GA
|X
|M
|F
|AD
|DC
|DE)"), "true", "false") 
| where has_write_execute="false" and has_read_attribute = "true" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_file_and_directory_enable_readonly_permissions_filter`

Windows File and Directory Permissions Enable Inheritance

Description

The following analytic detects the enabling of permission inheritance using ICACLS. This analytic identifies instances where ICACLS commands are used to enable permission inheritance on files or directories. The /inheritance:e flag, which restores inherited permissions from a parent directory, is monitored to detect changes that might reapply broader access control settings. Enabling inheritance can indicate legitimate administrative actions but may also signal attempts to override restrictive custom permissions, potentially exposing sensitive files to unauthorized access.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process = "*/inheritance:e*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_file_and_directory_permissions_enable_inheritance_filter`