PowerShell Script Change Permission Via Set-Acl - PsScript
Detects PowerShell scripts set ACL to of a file or a folder
Sigma rule (View on GitHub)
1title: PowerShell Script Change Permission Via Set-Acl - PsScript
2id: cae80281-ef23-44c5-873b-fd48d2666f49
3related:
4 - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
5 type: derived
6 - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
7 type: derived
8 - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
9 type: derived
10status: experimental
11description: Detects PowerShell scripts set ACL to of a file or a folder
12references:
13 - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
14author: frack113, Nasreddine Bencherchali (Nextron Systems)
15date: 2023/07/18
16tags:
17 - attack.defense_evasion
18 - attack.t1222
19logsource:
20 product: windows
21 category: ps_script
22 definition: bade5735-5ab0-4aa7-a642-a11be0e40872
23detection:
24 selection:
25 ScriptBlockText|contains|all:
26 - 'Set-Acl '
27 - '-AclObject '
28 - '-Path '
29 condition: selection
30falsepositives:
31 - Unknown
32level: low
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- PowerShell Set-Acl On Windows Folder - PsScript
- Windows Defender Definition Files Removed
- Suspicious Eventlog Clear or Configuration Change
- WMIC Loading Scripting Libraries
- Weak Encryption Enabled and Kerberoast