PowerShell Set-Acl On Windows Folder - PsScript

 1title: PowerShell Set-Acl On Windows Folder - PsScript
 2id: 3bf1d859-3a7e-44cb-8809-a99e066d3478
 3related:
 4    - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
 5      type: derived
 6    - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
 7      type: derived
 8    - id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
 9      type: derived
10status: experimental
11description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
12references:
13    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
14    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
15author: frack113, Nasreddine Bencherchali (Nextron Systems)
16date: 2023/07/18
17tags:
18    - attack.defense_evasion
19    - attack.t1222
20logsource:
21    product: windows
22    category: ps_script
23    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
24detection:
25    selection_cmdlet:
26        ScriptBlockText|contains|all:
27            - 'Set-Acl '
28            - '-AclObject '
29    selection_paths:
30        # Note: Add more suspicious paths
31        ScriptBlockText|contains:
32            - '-Path "C:\Windows'
33            - '-Path "C:/Windows'
34            - "-Path 'C:\\Windows"
35            - "-Path 'C:/Windows"
36            - '-Path C:\\Windows'
37            - '-Path C:/Windows'
38            - '-Path $env:windir'
39            - '-Path "$env:windir'
40            - "-Path '$env:windir"
41    selection_permissions:
42        # Note: Add more suspicious permissions
43        ScriptBlockText|contains:
44            - 'FullControl'
45            - 'Allow'
46    condition: all of selection_*
47falsepositives:
48    - Unknown
49level: high

References

• atomic-red-team/atomics/T1505.005/T1505.005.md at 74438b0237d141ee9c99747976447dc884cb1a39 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• Set-Acl (Microsoft.PowerShell.Security) - PowerShell

  

  The Set-Acl cmdlet changes the security descriptor of a specified item, such as a file or a registry key, to match the values in a security descriptor that you supply. To use Set-Acl, use the Path or InputObject parameter to identify the item whose security descriptor you want to change. Then, use the AclObject or SecurityDescriptor parameters to supply a security descriptor that has the values you want to apply. Set-Acl applies the security descriptor that is supplied. It uses the value of the AclObject parameter as a model and changes the values in the item's security descriptor to match the values in the AclObject parameter.

  
  Read More

Related rules

• PowerShell Script Change Permission Via Set-Acl - PsScript
• Windows Defender Definition Files Removed
• Suspicious Eventlog Clear or Configuration Change
• WMIC Loading Scripting Libraries
• Weak Encryption Enabled and Kerberoast