Update defense_evasion_modify_ownership_os_files.toml (#5051)

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Samirbous
2025-09-02 16:18:35 +01:00
committed by GitHub
parent ef7ff52119
commit 0bbad3bbf8
@@ -2,7 +2,7 @@
creation_date = "2025/09/01"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/09/01"
updated_date = "2025/09/02"
[rule]
@@ -22,10 +22,10 @@ index = [
]
language = "eql"
license = "Elastic License v2"
name = "System File Onwership Change"
name = "System File Ownership Change"
note = """## Triage and analysis
### Investigating System File Onwership Change
### Investigating System File Ownership Change
Adversaries may modify file or directory ownership to evade access control lists (ACLs) and access protected files.
@@ -83,7 +83,7 @@ process where host.os.type == "windows" and event.type == "start" and
(
(process.name : "icacls.exe" and process.args : "/reset") or
(process.name : "takeown.exe" and process.args : "/f") or
(process.name : "/grant" and process.args : "grant" and process.args : "Everyone:F")
(process.name : "icacls.exe" and process.args : "/grant" and process.args : "Everyone:F")
) and
process.command_line : "*.exe *C:\\Windows\\*"
'''
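Review bot: The corrected `icacls.exe` clause matches `/grant` only as an exact argument, so the documented `/grant:r` form of the same switch (replace instead of append) would not satisfy `process.args : "/grant"`; `process.args : "/grant*"` keeps the intent of the fix while covering both spellings. The same exact-match consideration applies to `"Everyone:F"`, where icacls also accepts the parenthesised permission form, so a small list such as `process.args : ("Everyone:F", "Everyone:(F)")` may be worth testing against existing unit data. The EQL query begins before this hunk (`process where host.os.type == "windows" ...` is only visible in the hunk header), so I have not checked whether an earlier clause already narrows these cases.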