LoFP / Administrators or administrative scripts may use this application. Filter as needed.

Sample rules

Windows File and Directory Enable ReadOnly Permissions

Description

The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes, which may be legitimate hardening that restricts access or may indicate malicious behavior. Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")
    AND Processes.process IN ("*/grant*", "*/G*")
    AND Processes.process IN ("*SYSTEM*", "*admin*", "*S-1-1-0*", "*EVERYONE*")
  by Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| rex field=process ":\\((?<permission>[^)]+)\\)"
| eval has_read_attribute=if(match(permission, "R"), "true", "false")
| eval has_write_execute=if(match(permission, "(W|GA|X|M|F|AD|DC|DE)"), "true", "false")
| where has_write_execute="false" and has_read_attribute="true"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_file_and_directory_enable_readonly_permissions_filter`
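The read-only classification in the query above is a pair of regex tests on the text inside the first `(...)` group that follows a colon. The Python below is an added re-implementation of those `rex`/`eval`/`where` stages over constructed icacls command lines; it is not part of the Splunk content and is only meant to show which grants the rule classifies as read-only. The permission regex and the write/execute letter list are copied from the query; treating the grant-switch and principal wildcards as case-insensitive substring matches is an assumption about how the `IN` clauses behave on this data model.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Same pattern the rule applies with `rex`: the permission list inside the first
# "(...)" that follows a ':' in the command line, e.g. Everyone:(R,REA,RA,RD).
PERMISSION_RE = re.compile(r":\((?P<permission>[^)]+)\)")

# Mirrors the rule's two match() tests. Both are substring regex tests, so
# "RX" counts as read AND as execute, and "WDAC" counts as write.
READ_RE = re.compile(r"R")
WRITE_EXEC_RE = re.compile(r"(W|GA|X|M|F|AD|DC|DE)")

ACL_TOOLS = {"icacls.exe", "cacls.exe", "xcacls.exe"}
# Assumption: the "*/grant*", "*/G*" and principal wildcards in the query are
# approximated here as case-insensitive substring checks.
GRANT_MARKERS = ("/grant", "/g")
PRINCIPAL_MARKERS = ("system", "admin", "s-1-1-0", "everyone")


@dataclass
class Verdict:
    matched: bool              # would the rule fire on this command line?
    permission: Optional[str]  # captured permission list, if any
    reason: str


def classify(process_name: str, process: str) -> Verdict:
    """Apply the rule's filters and eval logic to one process event."""
    lowered = process.lower()
    if process_name.lower() not in ACL_TOOLS:
        return Verdict(False, None, "not an ACL tool")
    if not any(marker in lowered for marker in GRANT_MARKERS):
        return Verdict(False, None, "no grant switch")
    if not any(principal in lowered for principal in PRINCIPAL_MARKERS):
        return Verdict(False, None, "grantee not in watched principals")
    match = PERMISSION_RE.search(process)
    if match is None:
        return Verdict(False, None, "no parenthesised permission list")
    permission = match.group("permission")
    has_read = READ_RE.search(permission) is not None
    has_write_exec = WRITE_EXEC_RE.search(permission) is not None
    if has_read and not has_write_exec:
        return Verdict(True, permission, "read-only grant")
    return Verdict(False, permission, "grant includes write/execute/full rights or no read right")


# Constructed sample command lines (paths and grantees are made up).
SAMPLES = [
    ("icacls.exe", r"icacls.exe C:\Users\Public\report.docx /grant Everyone:(R,REA,RA,RD)"),
    ("icacls.exe", r"icacls.exe C:\Tools /grant SYSTEM:(F)"),
    ("icacls.exe", r"icacls.exe C:\Data /grant admin:(RX)"),
    ("icacls.exe", r"icacls.exe C:\Data /inheritance:r"),
    ("notepad.exe", r"notepad.exe C:\Data\notes.txt"),
    # Detection gap: the simple right "D" (delete) is not in the exclusion
    # list (only "DE" is), so R plus D still classifies as read-only.
    ("icacls.exe", r"icacls.exe C:\Data /grant Everyone:(R,D)"),
]

if __name__ == "__main__":
    for name, cmdline in SAMPLES:
        verdict = classify(name, cmdline)
        print(f"{'ALERT ' if verdict.matched else 'ignore'}  {verdict.reason:<55} {cmdline}")
```

Two behaviours of the rule are worth knowing when triaging its output: only the first parenthesised group on the command line is examined, because `rex` without `max_match` captures once, and the letter tests mean a grant such as `(R,D)` is reported as read-only even though it also confers the delete right.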

Windows File and Directory Permissions Enable Inheritance

Description

The following analytic detects the enabling of permission inheritance using ICACLS, identifying instances where ICACLS commands are used to enable permission inheritance on files or directories. The /inheritance:e flag, which restores inherited permissions from a parent directory, is monitored to detect changes that might reapply broader access control settings. Enabling inheritance can indicate legitimate administrative actions but may also signal attempts to override restrictive custom permissions, potentially exposing sensitive files to unauthorized access.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")
    AND
    Processes.process = "*/inheritance:e*"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_file_and_directory_permissions_enable_inheritance_filter`

Excessive Usage Of Cacls App

Description

The following analytic identifies excessive usage of cacls.exe, xcacls.exe, or icacls.exe to change file or folder permissions. It looks for 10 or more executions of the aforementioned processes in the span of 1 minute. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding in the persistence and concealment of malicious activities.

Detection logic


| tstats `security_content_summariesonly`
  min(_time) as firstTime
  max(_time) as lastTime
  values(Processes.dest) as dest
  values(Processes.user) as user
  values(Processes.action) as action
  values(Processes.original_file_name) as original_file_name
  values(Processes.parent_process_exec) as parent_process_exec
  values(Processes.parent_process_guid) as parent_process_guid
  values(Processes.parent_process_id) as parent_process_id
  values(Processes.parent_process_path) as parent_process_path
  values(Processes.process) as process
  values(Processes.process_exec) as process_exec
  values(Processes.process_guid) as process_guid
  values(Processes.process_hash) as process_hash
  values(Processes.process_id) as process_id
  values(Processes.process_integrity_level) as process_integrity_level
  values(Processes.process_name) as process_name
  values(Processes.process_path) as process_path
  values(Processes.user_id) as user_id
  values(Processes.vendor_product) as vendor_product count
from datamodel=Endpoint.Processes where
Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")
by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m

| where count >=10

| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `excessive_usage_of_cacls_app_filter`
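The `by ... _time span=1m` clause in this query buckets events into fixed, minute-aligned slots rather than a sliding one-minute window, which affects what "10 or more in 1 minute" actually catches. The Python below is an added sketch, not Splunk content, that reproduces the rule's grouping (parent process, host, user, minute bucket) and the `count >= 10` threshold over constructed process events; host names, user and command lines are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Threshold and tool list taken from the rule.
ACL_TOOLS = {"icacls.exe", "cacls.exe", "xcacls.exe"}
THRESHOLD = 10

# Constructed base timestamp for the sample events.
T0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def bucket_start(ts: datetime) -> datetime:
    """Floor a timestamp to its minute boundary, mirroring `_time span=1m`."""
    return ts.replace(second=0, microsecond=0)


def find_excessive(events):
    """Group ACL-tool executions by the rule's `by` fields plus minute bucket
    and return the groups whose count reaches THRESHOLD."""
    groups = defaultdict(list)
    for ev in events:
        if ev["process_name"].lower() not in ACL_TOOLS:
            continue  # the tstats WHERE clause drops everything else
        key = (ev["parent_process_name"], ev["parent_process"],
               ev["dest"], ev["user"], bucket_start(ev["_time"]))
        groups[key].append(ev)

    alerts = []
    for key, evs in sorted(groups.items(), key=lambda kv: (kv[0][4], kv[0][2])):
        if len(evs) < THRESHOLD:
            continue
        parent_name, parent, dest, user, start = key
        times = sorted(e["_time"] for e in evs)
        alerts.append({
            "dest": dest,
            "user": user,
            "parent_process_name": parent_name,
            "bucket_start": start,
            "count": len(evs),
            "firstTime": times[0],
            "lastTime": times[-1],
            # values(Processes.process): distinct command lines in the group
            "process": sorted({e["process"] for e in evs}),
        })
    return alerts


def _ev(offset_s, dest, process_name="icacls.exe", parent_name="cmd.exe"):
    """Build one constructed Endpoint.Processes-style event."""
    return {
        "_time": T0 + timedelta(seconds=offset_s),
        "dest": dest,
        "user": "CORP\\svc-deploy",
        "parent_process_name": parent_name,
        "parent_process": f"C:\\Windows\\System32\\{parent_name}",
        "process_name": process_name,
        "process": f"{process_name} C:\\Staging\\item{offset_s}.txt /reset",
    }


SAMPLE_EVENTS = (
    [_ev(s, "WS01") for s in range(0, 48, 4)]      # 12 runs inside the 10:00 bucket
    + [_ev(s, "WS02") for s in (5, 20, 35)]          # 3 runs: below threshold
    + [_ev(s, "WS03") for s in range(54, 66)]        # 12 runs in 12 s, but split 6/6
    + [_ev(10, "WS01", process_name="notepad.exe")]  # ignored: not an ACL tool
)

if __name__ == "__main__":
    for alert in find_excessive(SAMPLE_EVENTS):
        print(f"{alert['dest']} {alert['bucket_start']:%H:%M} count={alert['count']} "
              f"first={alert['firstTime']:%H:%M:%S} last={alert['lastTime']:%H:%M:%S}")
```

Only WS01 is reported. WS03 ran the same tool twelve times within twelve seconds, yet straddled the 10:00/10:01 boundary and lands as two groups of six, so a burst that crosses a minute mark can fall under the threshold; anyone tuning this rule should decide whether a sliding window or a lower threshold better fits their environment.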

Windows File and Directory Permissions Remove Inheritance

Description

The following analytic detects the removal of permission inheritance using ICACLS, identifying instances where ICACLS is used to remove permission inheritance from files or directories. The /inheritance:r flag, which strips inherited permissions while optionally preserving or altering explicit permissions, is monitored to detect changes that may restrict access or establish isolated permission configurations. Removing inheritance can be a legitimate administrative action but may also indicate an attempt to conceal malicious activity or bypass inherited security controls.

Detection logic


| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")
    AND
    Processes.process = "*/inheritance:r*"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_file_and_directory_permissions_remove_inheritance_filter`