PowerShell Set-Acl On Windows Folder - PsScript
Detects PowerShell scripts that set the ACL of a file or folder under the Windows directory
Definition
bade5735-5ab0-4aa7-a642-a11be0e40872
detection:
    selection_cmdlet:
        ScriptBlockText|contains|all:
            - 'Set-Acl '
            - '-AclObject '
    selection_paths:
        # Note: Add more suspicious paths
        ScriptBlockText|contains:
            - '-Path "C:\Windows'
            - '-Path "C:/Windows'
            - "-Path 'C:\\Windows"
            - "-Path 'C:/Windows"
            - '-Path C:\\Windows'
            - '-Path C:/Windows'
            - '-Path $env:windir'
            - '-Path "$env:windir'
            - "-Path '$env:windir"
    selection_permissions:
        # Note: Add more suspicious permissions
        ScriptBlockText|contains:
            - 'FullControl'
            - 'Allow'
    condition: all of selection_*

False positive likelihood has not been assessed. Additional context may be needed during triage.
Tactics
Other
PowerShell Script Change Permission Via Set-Acl - PsScript
Detects PowerShell scripts that set the ACL of a file or a folder
This rule was derived from the related rule - both detect similar activity with different scope.
PowerShell Set-Acl On Windows Folder
Detects PowerShell execution that sets the ACL of a file or folder under the Windows directory
This rule was derived from the related rule - both detect similar activity with different scope.
PowerShell Script Change Permission Via Set-Acl
Detects PowerShell execution to set the ACL of a file or a folder
This rule was derived from the related rule - both detect similar activity with different scope.