Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntmediumtest

File or Folder Permissions Modifications

Detects a file or folder's permissions being modified or tampered with.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)Created Wed Oct 23Updated Tue Nov 2137ae075c-271b-459b-8d7b-55ad5f993dd8windows
Hunting Hypothesis
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic7 selectors
detection:
    selection_1:
        Image|endswith:
            - '\cacls.exe'
            - '\icacls.exe'
            - '\net.exe' # "grant" Option available when used with "net share"
            - '\net1.exe' # "grant" Option available when used with "net share"
        CommandLine|contains:
            - '/grant'
            - '/setowner'
            - '/inheritance:r' # Remove all inherited ACEs
    selection_2:
        Image|endswith: '\attrib.exe'
        CommandLine|contains: '-r'
    selection_3:
        Image|endswith: '\takeown.exe' # If this generates FP in your environment. Comment it out or add more suspicious flags and locations
    filter_optional_dynatrace_1:
        CommandLine|endswith: 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset'
    filter_optional_dynatrace_2:
        CommandLine|contains|all:
            - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '
            - 'S-1-5-19:F'
    filter_optional_vscode:
        CommandLine|contains:
            - '\AppData\Local\Programs\Microsoft VS Code'
            - ':\Program Files\Microsoft VS Code'
    filter_optional_avira:
        CommandLine|contains:
            - ':\Program Files (x86)\Avira'
            - ':\Program Files\Avira'
    condition: 1 of selection_* and not 1 of filter_optional_*
False Positives

Users interacting with the files on their own (unlikely unless privileged users).

Dynatrace app

References
1
Resolving title…
github.com
2
Resolving title…
docs.microsoft.com
3
Resolving title…
github.com
MITRE ATT&CK

Other

attack.t1222.001detection.threat-hunting
Rule Metadata
Rule ID
37ae075c-271b-459b-8d7b-55ad5f993dd8
Status
test
Level
medium
Type
Threat Hunt
Created
Wed Oct 23
Modified
Tue Nov 21
Author
Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems)
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
Raw Tags
attack.defense-evasionattack.t1222.001detection.threat-hunting
View on GitHub