Potentially Over Permissive Permissions Granted Using Dsacls.EXE
Detects usage of Dsacls to grant over permissive permissions
Sigma rule (View on GitHub)
1title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
2id: 01c42d3c-242d-4655-85b2-34f1739632f7
3status: test
4description: Detects usage of Dsacls to grant over permissive permissions
5references:
6 - https://ss64.com/nt/dsacls.html
7 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2022/06/20
10modified: 2023/02/04
11tags:
12 - attack.defense_evasion
13 - attack.t1218
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\dsacls.exe'
20 - OriginalFileName: "DSACLS.EXE"
21 selection_flag:
22 CommandLine|contains: ' /G '
23 selection_permissions:
24 CommandLine|contains: # Add more permissions as you see fit in your environment
25 - 'GR'
26 - 'GE'
27 - 'GW'
28 - 'GA'
29 - 'WP'
30 - 'WD'
31 condition: all of selection_*
32falsepositives:
33 - Legitimate administrators granting over permissive permissions to users
34level: medium
References
-
DSACLS.exe (installable option via RSAT /AD DS) View or Edit ACLs (access control entries) for objects in Active Directory. Syntax DSACLS "[\\Computer\]ObjectDN" [/A] [/D PermissionStatement [Permi...
Read More
Related rules
- Execute Files with Msdeploy.exe
- MSI Installation From Web
- Malicious Windows Script Components File Execution by TAEF Detection
- Potential Password Spraying Attempt Using Dsacls.EXE
- Potentially Suspicious Child Process Of DiskShadow.EXE