Techniques
Sample rules
Windows File and Directory Permissions Enable Inheritance
- source: splunk
- techniques:
Description
The following analytic detects the enabling of permission inheritance using ICACLS. It matches command lines of icacls.exe, cacls.exe, or xcacls.exe that contain the /inheritance:e flag, which restores inherited permissions from the parent directory and so can reapply broader access control settings to a file or directory. Enabling inheritance is usually a legitimate administrative action, but it can also be used to override restrictive custom permissions and expose sensitive files to unauthorized access.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")
AND
Processes.process = "*/inheritance:e*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_file_and_directory_permissions_enable_inheritance_filter`
Windows FFmpeg DirectShow Video Capture
- source: splunk
- techniques: T1125
Description
This analytic detects active video capture performed by FFmpeg (ffmpeg.exe) via the Windows DirectShow (dshow) interface, a technique observed in SalatStealer and related UAC-0252 campaigns. After enumerating available devices, threat actors invoke FFmpeg with a video capture command that references a named webcam device (video=), requests MJPEG encoding (mjpeg), and uses the dshow input filter, all from a temporary directory to reduce the forensic footprint. This sequence moves beyond reconnaissance into active collection, aligning with MITRE ATT&CK T1125 (Video Capture), where adversaries silently record from the victim's webcam to gather intelligence or capture sensitive on-screen activity. The presence of ffmpeg.exe in a temp path combined with these DirectShow video arguments is highly anomalous outside of dedicated multimedia or screen-recording software, making it a strong signal of covert surveillance activity.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
(
Processes.process_name = "ffmpeg.exe" OR
Processes.original_file_name = "ffmpeg.exe"
) AND
Processes.process_path IN ("*\\temp\\*") AND
Processes.process = "*video=*" AND
Processes.process = "* mjpeg *" AND
Processes.process = "* dshow *"
)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_ffmpeg_directshow_video_capture_filter`
Windows FFmpeg Audio and Video Device Discovery
- source: splunk
- techniques: T1125
Description
This analytic detects the use of FFmpeg (ffmpeg.exe) to enumerate connected audio and video devices on a Windows endpoint. Adversaries and stealers such as SalatStealer abuse FFmpeg’s DirectShow (dshow) input interface by invoking it with the -list_devices true and -hide_banner flags from a temporary directory, allowing them to silently discover available webcams, microphones, and capture cards without triggering obvious user-facing activity. Device discovery of this kind maps to MITRE ATT&CK T1125 (Video Capture), where threat actors profile the system’s multimedia capabilities as a precursor to covert audio or video surveillance. The combination of an unusual process path (temp), the dshow input filter, and the device-listing arguments is a strong indicator of malicious reconnaissance rather than legitimate administrative use.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
(
Processes.process_name = "ffmpeg.exe" OR
Processes.original_file_name = "ffmpeg.exe"
) AND
Processes.process_path IN ("*\\temp\\*") AND
Processes.process = "*-list_devices*" AND
Processes.process = "*-hide_banner*" AND
Processes.process = "* dshow *"
)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_ffmpeg_audio_and_video_device_discovery_filter`
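Both FFmpeg searches above reduce to the same shape: an ffmpeg.exe process (matched by process name or by original file name, so a renamed binary still counts), launched from a path containing \temp\, plus a set of wildcard terms over the command line. The Python below is an added example, not Splunk's code, that ports both rules' conditions and runs them over constructed process events. The SPL wildcard-to-regex helper, the case-insensitive comparison, and the sample events are this example's assumptions. It also shows one edge the term "* mjpeg *" creates: the term needs a space on both sides, so a logged command line that ends with the codec name (for instance after truncation) does not match.

```python
import re

FFMPEG_NAMES = {"ffmpeg.exe"}


def spl_wildcard(pattern: str) -> re.Pattern:
    """Translate an SPL wildcard term such as "*video=*" into an anchored regex.

    Assumption: Splunk compares string field values case-insensitively, so the
    regex is compiled with IGNORECASE. Only "*" is special; everything else is literal.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


# Wildcard terms copied from the two SPL searches above.
TEMP_PATH = spl_wildcard(r"*\temp\*")
CAPTURE_TERMS = [spl_wildcard(t) for t in ("*video=*", "* mjpeg *", "* dshow *")]
DISCOVERY_TERMS = [spl_wildcard(t) for t in ("*-list_devices*", "*-hide_banner*", "* dshow *")]


def is_ffmpeg(evt: dict) -> bool:
    """process_name OR original_file_name, so a renamed binary still matches."""
    return (evt.get("process_name", "").lower() in FFMPEG_NAMES
            or evt.get("original_file_name", "").lower() in FFMPEG_NAMES)


def classify(evt: dict) -> set:
    """Return the subset of {"discovery", "capture"} whose SPL conditions this event satisfies."""
    hits = set()
    if not is_ffmpeg(evt) or not TEMP_PATH.match(evt.get("process_path", "")):
        return hits
    cmd = evt.get("process", "")
    if all(t.match(cmd) for t in DISCOVERY_TERMS):
        hits.add("discovery")
    if all(t.match(cmd) for t in CAPTURE_TERMS):
        hits.add("capture")
    return hits


# Constructed sample events (not real telemetry); field names follow Endpoint.Processes.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"id": "discovery", "process_name": "ffmpeg.exe", "original_file_name": "ffmpeg.exe",
     "process_path": TEMP + r"\ffmpeg.exe",
     "process": "ffmpeg.exe -hide_banner -list_devices true -f dshow -i dummy"},
    {"id": "capture", "process_name": "ffmpeg.exe", "original_file_name": "ffmpeg.exe",
     "process_path": TEMP + r"\ffmpeg.exe",
     "process": 'ffmpeg.exe -f dshow -i video="Integrated Webcam" -vcodec mjpeg ' + TEMP + r"\cap.avi"},
    # renamed on disk, but the PE original file name still says ffmpeg.exe
    {"id": "renamed", "process_name": "svc.exe", "original_file_name": "ffmpeg.exe",
     "process_path": TEMP + r"\svc.exe",
     "process": 'svc.exe -f dshow -i video="Integrated Webcam" -vcodec mjpeg ' + TEMP + r"\cap.avi"},
    # same capture command from an installed copy: the temp-path filter suppresses it
    {"id": "installed", "process_name": "ffmpeg.exe", "original_file_name": "ffmpeg.exe",
     "process_path": r"C:\Program Files\ffmpeg\bin\ffmpeg.exe",
     "process": 'ffmpeg.exe -f dshow -i video="Integrated Webcam" -vcodec mjpeg out.avi'},
    # edge case: "mjpeg" is the last token, so "* mjpeg *" (trailing space required) fails
    {"id": "trailing", "process_name": "ffmpeg.exe", "original_file_name": "ffmpeg.exe",
     "process_path": TEMP + r"\ffmpeg.exe",
     "process": 'ffmpeg.exe -f dshow -i video="Integrated Webcam" -vcodec mjpeg'},
]


def run_rules(events=SAMPLE_EVENTS) -> dict:
    """Map each sample event id to the set of rules that fire on it."""
    return {e["id"]: classify(e) for e in events}


if __name__ == "__main__":
    for name, hits in run_rules().items():
        print(f"{name:10s} -> {sorted(hits) or 'no match'}")
```

The "installed" event is the precision side of the temp-path filter and the "trailing" event is its recall side: a practitioner who sees truncated command lines in their EDR may prefer "*mjpeg*" to "* mjpeg *" and accept a few more false positives.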
Windows File and Directory Permissions Remove Inheritance
- source: splunk
- techniques:
Description
The following analytic detects the removal of permission inheritance using ICACLS. It matches command lines of icacls.exe, cacls.exe, or xcacls.exe that contain the /inheritance:r flag, which strips inherited permissions from a file or directory (explicit permissions are kept or altered depending on the rest of the command) and so can restrict access or establish an isolated permission configuration. Removing inheritance can be a legitimate administrative action, but it may also indicate an attempt to conceal malicious activity or bypass inherited security controls.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")
AND
Processes.process = "*/inheritance:r*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_file_and_directory_permissions_remove_inheritance_filter`
Windows File and Directory Enable ReadOnly Permissions
- source: splunk
- techniques:
Description
The following analytic detects instances where file or folder permissions are modified to grant read-only access. The search first selects icacls.exe, cacls.exe, or xcacls.exe command lines that use /grant or /G and name SYSTEM, an account containing "admin", Everyone, or the Everyone SID S-1-1-0; it then extracts the first parenthesized permission group after a colon and fires when that group contains a read-related right (e.g., R, REA, RA, RD) but none of the write, execute, or delete rights W, GA, X, M, F, AD, DC, DE. Note that only the first ":(...)" group on the command line is evaluated. Monitoring these events is useful for tracking access control changes that may be intentional restrictions or may indicate malicious behavior; alerts help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated.
Detection logic
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")
AND Processes.process IN ("*/grant*", "*/G*")
AND Processes.process IN ("*SYSTEM*", "*admin*", "*S-1-1-0*", "*EVERYONE*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| rex field=process ":\\((?<permission>[^)]+)\\)"
| eval has_read_attribute=if(match(permission, "R"), "true", "false")
| eval has_write_execute=if(match(permission, "(W|GA|X|M|F|AD|DC|DE)"), "true", "false")
| where has_write_execute="false" and has_read_attribute = "true"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_file_and_directory_enable_readonly_permissions_filter`
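The three ICACLS analytics above (enable inheritance, remove inheritance, read-only grant) all key on the command line of icacls.exe, cacls.exe, or xcacls.exe. The Python below is an added example, not Splunk's code, that ports their conditions and runs them over constructed command lines. The read-only check is ported twice: once exactly as the SPL evaluates it (rex without max_match keeps only the first ":(...)" group), and once in a stricter form, this example's own addition, that examines every rights group and skips the icacls inheritance flags (OI)(CI)(IO)(NP) and the (I) inherited marker. The sample commands are invented for the example.

```python
import re

ACL_TOOLS = {"icacls.exe", "cacls.exe", "xcacls.exe"}
GRANT_TARGETS = ("system", "admin", "s-1-1-0", "everyone")   # the tstats IN(...) list, lowercased
# The analytic's rex: the text between the first ":(" and the next ")".
FIRST_GROUP_RE = re.compile(r":\(([^)]+)\)")
# Tokens the analytic treats as write/execute, copied from its match() call (case-sensitive, like match()).
WRITE_EXEC_RE = re.compile(r"W|GA|X|M|F|AD|DC|DE")
READ_RE = re.compile(r"R")
# Stricter variant (this example's addition): every parenthesised group following a colon,
# minus the icacls inheritance flags and the inherited marker.
RIGHTS_RUN_RE = re.compile(r":((?:\([^)]*\))+)")
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}


def uses_acl_tool(evt: dict) -> bool:
    return evt.get("process_name", "").lower() in ACL_TOOLS


def inheritance_change(evt: dict):
    """Enable/remove inheritance analytics: "*/inheritance:e*" and "*/inheritance:r*"."""
    if not uses_acl_tool(evt):
        return None
    cmd = evt.get("process", "").lower()
    if "/inheritance:e" in cmd:
        return "enable"
    if "/inheritance:r" in cmd:
        return "remove"
    return None


def _grant_prefilter(evt: dict) -> bool:
    """The tstats WHERE clause: an ACL tool, a /grant or /G switch, and a privileged or broad target."""
    low = evt.get("process", "").lower()
    return (uses_acl_tool(evt)
            and ("/grant" in low or "/g" in low)
            and any(t in low for t in GRANT_TARGETS))


def _readonly(group: str) -> bool:
    return bool(READ_RE.search(group)) and not WRITE_EXEC_RE.search(group)


def readonly_grant_as_written(evt: dict) -> bool:
    """Faithful port: only the first group is examined, so (OI)(CI)(R) yields "OI" and is missed."""
    if not _grant_prefilter(evt):
        return False
    m = FIRST_GROUP_RE.search(evt["process"])
    return bool(m) and _readonly(m.group(1))


def readonly_grant_strict(evt: dict) -> bool:
    """Stricter port: every rights group must be read-only; inheritance flags are ignored."""
    if not _grant_prefilter(evt):
        return False
    groups = [g for run in RIGHTS_RUN_RE.findall(evt["process"])
              for g in re.findall(r"\(([^)]*)\)", run) if g.upper() not in INHERIT_FLAGS]
    return bool(groups) and all(_readonly(g) for g in groups)


def evaluate(evt: dict) -> dict:
    return {"inheritance": inheritance_change(evt),
            "readonly_as_written": readonly_grant_as_written(evt),
            "readonly_strict": readonly_grant_strict(evt)}


# Constructed command lines (not real telemetry); field names follow Endpoint.Processes.
SAMPLE_EVENTS = {
    "remove": {"process_name": "icacls.exe", "process": r"icacls C:\loot /inheritance:r"},
    "enable": {"process_name": "icacls.exe", "process": r"icacls C:\loot /inheritance:e"},
    "plain":  {"process_name": "icacls.exe", "process": r"icacls C:\loot /grant Everyone:(R)"},
    # inheritance flags come first, so the rex captures "OI" and the rule as written misses it
    "flags":  {"process_name": "icacls.exe", "process": r"icacls C:\loot /grant Everyone:(OI)(CI)(R)"},
    # first group is read-only, but a later group grants Full control
    "mixed":  {"process_name": "icacls.exe", "process": r"icacls C:\loot /grant Everyone:(R) Administrators:(F)"},
    # cacls writes rights without parentheses, so neither variant sees a group at all
    "cacls":  {"process_name": "cacls.exe", "process": r"cacls C:\loot /G SYSTEM:R"},
}


def run_samples(events=SAMPLE_EVENTS) -> dict:
    return {name: evaluate(evt) for name, evt in events.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:7s} {result}")
```

The "flags" and "cacls" cases are the ones to keep in mind when tuning: icacls grants in the wild routinely carry (OI)(CI) ahead of the rights, and cacls /G takes bare rights, so the rex as written sees neither.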
Excessive Usage Of Cacls App
- source: splunk
- techniques:
Description
The following analytic identifies excessive usage of cacls.exe, xcacls.exe, or icacls.exe to change file or folder permissions: 10 or more executions of those processes by the same parent process, on the same host, and as the same user within a one-minute span. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it may indicate an adversary restricting access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding the persistence and concealment of malicious activity.
Detection logic
| tstats `security_content_summariesonly`
min(_time) as firstTime
max(_time) as lastTime
values(Processes.dest) as dest
values(Processes.user) as user
values(Processes.action) as action
values(Processes.original_file_name) as original_file_name
values(Processes.parent_process_exec) as parent_process_exec
values(Processes.parent_process_guid) as parent_process_guid
values(Processes.parent_process_id) as parent_process_id
values(Processes.parent_process_path) as parent_process_path
values(Processes.process) as process
values(Processes.process_exec) as process_exec
values(Processes.process_guid) as process_guid
values(Processes.process_hash) as process_hash
values(Processes.process_id) as process_id
values(Processes.process_integrity_level) as process_integrity_level
values(Processes.process_name) as process_name
values(Processes.process_path) as process_path
values(Processes.user_id) as user_id
values(Processes.vendor_product) as vendor_product count
from datamodel=Endpoint.Processes where
Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")
by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m
| where count >=10
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `excessive_usage_of_cacls_app_filter`
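span=1m in the tstats above yields fixed, clock-aligned one-minute buckets, not a sliding window, so a burst that straddles a minute boundary can fall below the threshold in both halves. The Python below is an added example, not Splunk's code, that reproduces the bucketed count per (parent_process_name, parent_process, dest, user) and sets a sliding-window version beside it over constructed events; the timestamps, parent processes, and field values are all invented for the example.

```python
from collections import defaultdict

ACL_TOOLS = {"icacls.exe", "cacls.exe", "xcacls.exe"}
THRESHOLD = 10   # | where count >= 10
SPAN = 60        # span=1m


def group_key(evt: dict) -> tuple:
    """The BY fields of the tstats, minus _time."""
    return (evt["parent_process_name"], evt["parent_process"], evt["dest"], evt["user"])


def fixed_span_alerts(events, threshold=THRESHOLD, span=SPAN) -> list:
    """Port of the SPL: count per key inside clock-aligned buckets of `span` seconds."""
    buckets = defaultdict(list)
    for e in events:
        if e["process_name"].lower() in ACL_TOOLS:
            buckets[(group_key(e), (e["_time"] // span) * span)].append(e["_time"])
    return [{"key": key, "bucket": start, "count": len(ts), "firstTime": min(ts), "lastTime": max(ts)}
            for (key, start), ts in buckets.items() if len(ts) >= threshold]


def sliding_window_alerts(events, threshold=THRESHOLD, window=SPAN) -> list:
    """Comparison variant (this example's addition): any `window`-second interval, not just aligned ones."""
    per_key = defaultdict(list)
    for e in events:
        if e["process_name"].lower() in ACL_TOOLS:
            per_key[group_key(e)].append(e["_time"])
    alerts = []
    for key, ts in per_key.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > window:      # shrink until the interval spans at most `window` seconds
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append({"key": key, "count": hi - lo + 1, "firstTime": ts[lo], "lastTime": t})
                break                       # one alert per key is enough for the comparison
    return alerts


T0 = 1_699_999_980   # minute-aligned epoch seconds (divisible by 60)


def _evt(parent_name, parent_cmd, ts):
    """Constructed Endpoint.Processes-style event; all values are invented for the example."""
    return {"_time": ts, "process_name": "icacls.exe", "parent_process_name": parent_name,
            "parent_process": parent_cmd, "dest": "WS01", "user": "CORP\\alice"}


SAMPLE_EVENTS = (
    # 10 runs in 27 seconds, all inside the first minute bucket: both methods alert
    [_evt("cmd.exe", "cmd.exe /c lock.bat", T0 + 3 * i) for i in range(10)]
    # 12 runs in 12 seconds, but 6 land at the end of one minute and 6 at the start of the next
    + [_evt("powershell.exe", "powershell.exe -w hidden -f deny.ps1", T0 + 174 + i) for i in range(12)]
    # 3 runs ten minutes apart: benign background noise
    + [_evt("explorer.exe", "explorer.exe", T0 + 600 * i) for i in range(3)]
)


if __name__ == "__main__":
    for a in fixed_span_alerts(SAMPLE_EVENTS):
        print("span=1m ", a["key"][0], a["count"])
    for a in sliding_window_alerts(SAMPLE_EVENTS):
        print("sliding ", a["key"][0], a["count"])
```

The powershell.exe burst is the case to remember: 12 executions in 12 seconds never reach 10 in any single aligned bucket, so the rule as written stays quiet. Running the search over a window longer than one bucket with a lower threshold, or widening span, trades some noise for coverage of boundary-straddling bursts.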