Techniques
Sample rules
Potentially Over Permissive Permissions Granted Using Dsacls.EXE
- source: sigma
- technicques:
- t1218
Description
Detects usage of Dsacls to grant over permissive permissions
Detection logic
condition: all of selection_*
selection_flag:
CommandLine|contains: ' /G '
selection_img:
- Image|endswith: \dsacls.exe
- OriginalFileName: DSACLS.EXE
selection_permissions:
CommandLine|contains:
- GR
- GE
- GW
- GA
- WP
- WD