SigmaHQ/rules/windows/process_creation/win_file_permission_modifications.yml

29 lines
865 B
YAML
Raw Normal View History

2019-10-23 18:24:13 +00:00
title: File or folder permissions modifications
id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
2019-10-23 18:24:13 +00:00
status: experimental
description: Detects a file or folder permissions modifications
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
modified: 2019/11/08
2019-10-23 18:24:13 +00:00
tags:
- attack.defense_evasion
- attack.t1222
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\takeown.exe'
- Image|endswith:
- '\cacls.exe'
- '\icacls.exe'
CommandLine|contains: '/grant'
- Image|endswith: '\attrib.exe'
CommandLine|contains: '-r'
condition: selection
2019-10-23 18:24:13 +00:00
falsepositives:
- Users interacting with the files on their own (unlikely unless power users)
level: medium