
Windows File and Directory Enable ReadOnly Permissions

Author: Teoderick Contreras, Splunk
Source: upstream

The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes that could be intentional for restricting access or indicative of malicious behavior. Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated.

MITRE ATT&CK coverage

Tactic           Technique
Defense Evasion  T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Event coverage

Provider           Event ID  Title
Sysmon             1         Process creation
Security-Auditing  4688      A new process has been created.

Stages and Predicates

Stage 1: tstats

tstats WHERE Processes.process IN ("*/G*", "*/grant*") Processes.process IN ("*EVERYONE*", "*S-1-1-0*", "*SYSTEM*", "*admin*") Processes.process_name IN ("cacls.exe", "icacls.exe", "xcacls.exe") BY Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product

Stage 2: search

search

Stage 3: rex

rex field=process ...

Stage 4: eval

eval ... using (permission)

Stage 5: eval

eval ... using (permission)

Stage 6: where

where has_read_attribute="true" has_write_execute="false"

Stage 7: search

search

Stage 8: search

search

Stage 9: search

search `macro`
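The page elides the rex and eval stages, so the following is a Python re-implementation of the pipeline (stages 1 through 6) run over a handful of constructed process-creation events. It is an added example, not the rule's own SPL: the regex that pulls the grantee and rights out of the command line, the case-insensitive wildcard helper standing in for SPL's IN(), and the extension of the write/execute set beyond the W and E named on the page (to F, M, C, RX, X, D, WD, AD, WA, WEA, GW, GE, all of which confer write or execute in icacls/cacls/xcacls) are assumptions of mine. The filtering macros of stages 7 to 9 are not reproduced.

```python
"""Re-implementation of the read-only-grant detection over constructed events.

Added example; not the Splunk rule's SPL. Input records are constructed
Sysmon EID 1 / Security 4688 events normalised to Endpoint.Processes names.
"""
import fnmatch
import re

# Stage 1 predicates, taken from the tstats line on the page.
PROCESS_NAMES = {"cacls.exe", "icacls.exe", "xcacls.exe"}
GRANT_PATTERNS = ("*/G*", "*/grant*")
TARGET_PATTERNS = ("*EVERYONE*", "*S-1-1-0*", "*SYSTEM*", "*admin*")

# Read-only rights named in the rule description.
READ_RIGHTS = {"R", "REA", "RA", "RD"}
# W and E come from the page; the remaining tokens are an assumption:
# icacls/cacls/xcacls rights that imply write or execute.
WRITE_EXEC_RIGHTS = {"W", "E", "F", "M", "C", "RX", "X", "D",
                     "WD", "AD", "WA", "WEA", "GW", "GE"}

# Assumed regex standing in for the page's elided "rex field=process":
# grantee and rights token following /G or /grant[:r], e.g.
#   /grant Everyone:(R,REA)   /G Administrators:R   /grant "*S-1-1-0":(OI)(CI)R
GRANT_RE = re.compile(
    r'/(?:G|grant(?::r)?)\s+"?(?P<grantee>[^:"\s]+)"?:(?P<perm>\S+)',
    re.IGNORECASE,
)
# icacls inheritance flags precede the rights and carry no permission.
INHERITANCE_RE = re.compile(r"\((?:OI|CI|IO|NP|I)\)", re.IGNORECASE)


def _wild(value, patterns):
    """Case-insensitive wildcard match, mimicking SPL's IN("*foo*", ...)."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def extract_permissions(process):
    """rex stage: rights tokens granted on the command line, e.g. ['R', 'REA']."""
    m = GRANT_RE.search(process)
    if not m:
        return []
    perm = INHERITANCE_RE.sub("", m.group("perm"))  # drop (OI)(CI)... prefixes
    perm = perm.strip("()")
    return [t.strip().upper() for t in perm.split(",") if t.strip()]


def evaluate(event):
    """Stages 1-6: return an alert dict when the event matches, else None."""
    process = event.get("process", "")
    if event.get("process_name", "").lower() not in PROCESS_NAMES:
        return None
    if not (_wild(process, GRANT_PATTERNS) and _wild(process, TARGET_PATTERNS)):
        return None
    rights = extract_permissions(process)
    has_read_attribute = any(r in READ_RIGHTS for r in rights)
    has_write_execute = any(r in WRITE_EXEC_RIGHTS for r in rights)
    if has_read_attribute and not has_write_execute:
        return {"dest": event.get("dest"), "user": event.get("user"),
                "process_name": event["process_name"],
                "permission": rights, "process": process}
    return None


def run_detection(events):
    """Apply evaluate() to every event and keep the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "corp\\jdoe", "process_name": "icacls.exe",
     "process": r"icacls.exe C:\Share\report.docx /grant Everyone:(R,REA,RA,RD)"},
    {"dest": "ws01", "user": "corp\\jdoe", "process_name": "icacls.exe",
     "process": r'icacls.exe C:\Share /grant "*S-1-1-0":(OI)(CI)R'},
    {"dest": "srv02", "user": "NT AUTHORITY\\SYSTEM", "process_name": "cacls.exe",
     "process": r"cacls.exe C:\Temp\app.log /E /G Administrators:R"},
    {"dest": "srv02", "user": "corp\\svc", "process_name": "icacls.exe",
     "process": r"icacls.exe C:\Tools /grant SYSTEM:(F)"},        # full control: not read-only
    {"dest": "ws03", "user": "corp\\jdoe", "process_name": "icacls.exe",
     "process": r"icacls.exe C:\Tools /grant:r Everyone:(RX)"},   # execute present
    {"dest": "ws03", "user": "corp\\jdoe", "process_name": "icacls.exe",
     "process": r"icacls.exe C:\Data /remove Everyone"},          # no /G or /grant
    {"dest": "ws03", "user": "corp\\jdoe", "process_name": "notepad.exe",
     "process": r"notepad.exe C:\notes.txt"},                      # not an ACL tool
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):  # three of the seven events fire
        print(f"{alert['dest']} {alert['user']}: {alert['process_name']} granted "
              f"{','.join(alert['permission'])} -> read-only grant detected")
```

Only the first three sample events fire: the `(F)` and `(RX)` grants fail the `has_write_execute="false"` test, the `/remove` command never passes the stage 1 wildcards, and notepad.exe is not one of the three ACL tools. Stripping the `(OI)(CI)` inheritance flags before tokenising matters, since otherwise a grant such as `(OI)(CI)R` would never be recognised as read-only.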

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 means the indicator is specific to this rule.

Field                   Kind  Values
Processes.process       in
  • "*/G*"
  • "*/grant*"
  • "*EVERYONE*"
  • "*S-1-1-0*"
  • "*SYSTEM*"
  • "*admin*"
Processes.process_name  in
  • "cacls.exe" corpus 3 (splunk 3)
  • "icacls.exe" corpus 3 (splunk 3)
  • "xcacls.exe" corpus 3 (splunk 3)
has_read_attribute      eq
  • "true"
has_write_execute       eq
  • "false"