SigmaHQ/wazuh/rules/sigma_win_file_permission_modifications.yml

alert:
- debug
description: Detects a file or folder permissions modifications
filter:
- query:
    query_string:
      query: ((data.win.eventdata.image.keyword:(*\\takeown.exe OR *\\cacls.exe OR *\\icacls.exe) AND data.win.eventdata.commandLine.keyword:*\/grant*) OR (data.win.eventdata.image.keyword:*\\attrib.exe AND data.win.eventdata.commandLine.keyword:*\-r*))
index: wazuh-alerts-3.x-*
name: 37ae075c-271b-459b-8d7b-55ad5f993dd8_0
priority: 3
realert:
  minutes: 0
type: any
123 2020-12-02 22:43:30 +00:00			`alert:`
			`- debug`
			`description: Detects a file or folder permissions modifications`
			`filter:`
			`- query:`
			`query_string:`
			`query: ((data.win.eventdata.image.keyword:(\\takeown.exe OR \\cacls.exe OR \\icacls.exe) AND data.win.eventdata.commandLine.keyword:\/grant) OR (data.win.eventdata.image.keyword:\\attrib.exe AND data.win.eventdata.commandLine.keyword:\-r))`
			`index: wazuh-alerts-3.x-*`
			`name: 37ae075c-271b-459b-8d7b-55ad5f993dd8_0`
			`priority: 3`
			`realert:`
			`minutes: 0`
			`type: any`