Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
33 lines
1.0 KiB
YAML
33 lines
1.0 KiB
YAML
title: PowerShell Script Change Permission Via Set-Acl - PsScript
|
|
id: cae80281-ef23-44c5-873b-fd48d2666f49
|
|
related:
|
|
- id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
|
|
type: derived
|
|
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
|
|
type: derived
|
|
- id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
|
|
type: derived
|
|
status: test
|
|
description: Detects PowerShell scripts set ACL to of a file or a folder
|
|
references:
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
|
|
author: frack113, Nasreddine Bencherchali (Nextron Systems)
|
|
date: 2023-07-18
|
|
tags:
|
|
- attack.defense-evasion
|
|
- attack.t1222
|
|
logsource:
|
|
product: windows
|
|
category: ps_script
|
|
definition: bade5735-5ab0-4aa7-a642-a11be0e40872
|
|
detection:
|
|
selection:
|
|
ScriptBlockText|contains|all:
|
|
- 'Set-Acl '
|
|
- '-AclObject '
|
|
- '-Path '
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: low
|