-
-
Notifications
You must be signed in to change notification settings - Fork 2.6k
Expand file tree
/
Copy pathproc_creation_win_susp_file_permission_modifications.yml
More file actions
53 lines (53 loc) · 2.26 KB
/
proc_creation_win_susp_file_permission_modifications.yml
File metadata and controls
53 lines (53 loc) · 2.26 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
title: File or Folder Permissions Modifications
id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
status: test
description: Detects a file or folder's permissions being modified or tampered with.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
- https://github.com/swagkarna/Defeat-Defender-V1.2.0/tree/ae4059c4276da6f6303b8f53cdff085ecae88a91
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
date: 2019-10-23
modified: 2023-11-21
tags:
- attack.defense-evasion
- attack.t1222.001
- detection.threat-hunting
logsource:
category: process_creation
product: windows
detection:
selection_1:
Image|endswith:
- '\cacls.exe'
- '\icacls.exe'
- '\net.exe' # "grant" Option available when used with "net share"
- '\net1.exe' # "grant" Option available when used with "net share"
CommandLine|contains:
- '/grant'
- '/setowner'
- '/inheritance:r' # Remove all inherited ACEs
selection_2:
Image|endswith: '\attrib.exe'
CommandLine|contains: '-r'
selection_3:
Image|endswith: '\takeown.exe' # If this generates FP in your environment. Comment it out or add more suspicious flags and locations
filter_optional_dynatrace_1:
CommandLine|endswith: 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset'
filter_optional_dynatrace_2:
CommandLine|contains|all:
- 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '
- 'S-1-5-19:F'
filter_optional_vscode:
CommandLine|contains:
- '\AppData\Local\Programs\Microsoft VS Code'
- ':\Program Files\Microsoft VS Code'
filter_optional_avira:
CommandLine|contains:
- ':\Program Files (x86)\Avira'
- ':\Program Files\Avira'
condition: 1 of selection_* and not 1 of filter_optional_*
falsepositives:
- Users interacting with the files on their own (unlikely unless privileged users).
- Dynatrace app
level: medium