Detection rules › Splunk
Permissions Replaced by icacls - Windows (PowerShell)
icacls is a command-line utility in Windows that allows for viewing and modifying Discretionary Access Control Lists (DACLs) and file permissions. Threat actors may abuse this tool to alter file permissions, potentially gaining unauthorized access or control over sensitive files and directories, as observed by DFIR report (see references). This use case detects icacls executions with switches to replace permissions
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Impairment | T1222.001 File and Directory Permissions Modification: Windows Permissions |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body yaml
id: '24625.45524'
title: Permissions Replaced by icacls - Windows
description: 'icacls is a command-line utility in Windows that allows for viewing
and modifying Discretionary Access Control Lists (DACLs) and file permissions. Threat
actors may abuse this tool to alter file permissions, potentially gaining unauthorized
access or control over sensitive files and directories, as observed by DFIR report
(see references). This use case detects icacls executions with switches to replace
permissions. -- Threat Actor Association: FIN7 (aka. Carbon Spider, Sangria Tempest)'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4104) OR
"<EventID>4104<") "icacls" ("/grant:" OR "/deny:" OR "/remove:" OR "/setintegritylevel:"
OR "/inheritance:") | rex field=_raw "(?<=icacls\.exe\"\s)(?<file_path>[^\s]+)"|
rex field=_raw "/(grant|deny|remove|setintegritylevel|inheritance):\S\s(?<permission_user>[^\:]+):F"|
table _time, host, user, process, process_*, parent_process, parent_process_*, user,
file_path, permission_user | bin span=1s | stats values(*) as * by _time, host '
techniques:
- defense-evasion:file and directory permissions modification
- defense-evasion:file and directory permissions modification:windows file and directory
permissions modification
technique_id:
- T1222
- T1222.001
data_category:
- PowerShell logs
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (TERM(EventCode=4104) OR "<EventID>4104<") "icacls" ("/grant:" OR "/deny:" OR "/remove:" OR "/setintegritylevel:" OR "/inheritance:")
Stage 2: rex
| rex field=_raw "(?<=icacls\.exe\"\s)(?<file_path>[^\s]+)"
Stage 3: rex
| rex field=_raw "/(grant|deny|remove|setintegritylevel|inheritance):\S\s(?<permission_user>[^\:]+):F"
Stage 4: table
| table _time, host, user, process, process_*, parent_process, parent_process_*, user, file_path, permission_user
Stage 5: bucket
| bin span=1s
Stage 6: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4104<" |
| 1 | "icacls" |
| 1 | "/grant:" |
| 1 | "/deny:" |
| 1 | "/remove:" |
| 1 | "/setintegritylevel:" |
| 1 | "/inheritance:" |