Use Icacls to Hide File to Everyone
Detects the use of icacls to deny access to Everyone on a folder under Users, a technique sometimes used to hide malicious files
Sigma rule
title: Use Icacls to Hide File to Everyone
id: 4ae81040-fc1c-4249-bfa3-938d260214d9
status: test
description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
references:
    - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
author: frack113
date: 2022-07-18
modified: 2024-04-29
tags:
    - attack.defense-evasion
    - attack.t1564.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_icacls:
        - OriginalFileName: 'iCACLS.EXE'
        - Image|endswith: '\icacls.exe'
    selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        CommandLine|contains|all:
            - '/deny'
            - '*S-1-1-0:'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
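The detection logic above, evaluated over a few constructed process_creation events, as an added example that is not part of the Sigma project or this rule. The sample paths and command lines are made up; the matching follows Sigma defaults (case-insensitive, the list under selection_icacls is OR'ed, contains|all requires every substring).

```python
# Added example: evaluates this rule's selections over constructed events.
SAMPLE_EVENTS = [
    # expected to match: icacls denying Everyone (SID S-1-1-0) on a folder under Users
    {"Image": r"C:\Windows\System32\icacls.exe", "OriginalFileName": "iCACLS.EXE",
     "CommandLine": r'icacls "C:\Users\admin\AppData\Local\example-dir" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    # expected to match: renamed copy, but the PE OriginalFileName still says iCACLS.EXE
    {"Image": r"C:\Users\admin\AppData\Local\Temp\svc.exe", "OriginalFileName": "iCACLS.EXE",
     "CommandLine": r'svc.exe C:\Users\Public\x /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    # expected not to match: icacls granting rights, no /deny at all
    {"Image": r"C:\Windows\System32\icacls.exe", "OriginalFileName": "iCACLS.EXE",
     "CommandLine": r'icacls C:\Users\Public\share /grant Users:(OI)(CI)R'},
    # expected not to match: /deny against a specific group SID, not the Everyone SID
    {"Image": r"C:\Windows\System32\icacls.exe", "OriginalFileName": "iCACLS.EXE",
     "CommandLine": r'icacls C:\Users\Public\share /deny *S-1-5-32-545:(W)'},
    # expected not to match: the strings appear, but the process is not icacls
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd /c echo /deny *S-1-1-0: > log.txt'},
]


def selection_icacls(event):
    """List of maps under selection_icacls: any one entry matching is enough."""
    original = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "").lower()
    return original == "icacls.exe" or image.endswith("\\icacls.exe")


def selection_cmd(event):
    """CommandLine|contains|all: every listed substring must be present."""
    cmdline = event.get("CommandLine", "").lower()
    return all(needle in cmdline for needle in ("/deny", "*s-1-1-0:"))


def rule_matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return selection_icacls(event) and selection_cmd(event)


def matching_indices(events):
    """Return the positions of events that would raise this rule."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The second event shows why the rule keys on OriginalFileName as well as the image path: renaming the binary does not change the PE metadata that Sysmon and similar sources log.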
Related rules
- Displaying Hidden Files Feature Disabled
- Hidden Files and Directories
- Hiding Files with Attrib.exe
- PowerShell Logging Disabled Via Registry Key Tampering
- Registry Persistence via Service in Safe Mode