Update win_file_permission_modifications.yml

This commit is contained in:
yugoslavskiy 2019-11-08 02:51:42 +03:00 committed by GitHub
parent 7d3c9e129d
commit 3624a7d5da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -5,6 +5,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
author: Jakob Weinzettl, oscd.community
date: 2019/10/23
modified: 2019/11/08
tags:
- attack.defense_evasion
- attack.t1222
@ -12,17 +13,15 @@ logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine: 'takeown.exe'
selection2:
CommandLine: 'cacls.exe' # covers both cacls and icacls
selection3:
CommandLine: '/grant'
selection4:
CommandLine: 'attrib.exe'
selection5:
CommandLine: '-r'
condition: selection1 or selection2 and selection3 or selection4 and selection5
selection:
- Image|endswith: '\takeown.exe'
- Image|endswith:
- '\cacls.exe'
- '\icacls.exe'
CommandLine|contains: '/grant'
- Image|endswith: '\attrib.exe'
CommandLine|contains: '-r'
condition: selection
falsepositives:
- Users interacting with the files on their own (unlikely unless power users)
level: medium
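Review bot: `CommandLine|contains: '-r'` on the `\attrib.exe` entry is a two-character substring match, so any attrib invocation whose command line contains "-r" anywhere fires (for instance inside a path such as `C:\data\my-report.txt`, a constructed example), and since Sigma string matching is case-insensitive `-R` is treated the same as `-r`. Anchoring the switch on its leading separator, `CommandLine|contains: ' -r'`, keeps the intended match while cutting the path-derived noise. The second list item pairs `\cacls.exe` with `CommandLine|contains: '/grant'`, but cacls takes `/G` rather than `/grant` as far as I recall, so that entry can in practice only match icacls; either add a `/G` variant for cacls or drop cacls from the list so the rule does not claim coverage it lacks. A one-line comment above `selection:` such as `# list items are ORed; the keys inside one item are ANDed` would help readers unfamiliar with Sigma's list-of-maps semantics, since the old `selection1`…`selection5` form made that explicit in the condition string.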