Use Icacls to Hide File to Everyone
Detects use of icacls to deny access to Everyone (SID S-1-1-0) on a path under the Users folder, which is sometimes done to hide malicious files
Sigma rule
```yaml
title: Use Icacls to Hide File to Everyone
id: 4ae81040-fc1c-4249-bfa3-938d260214d9
status: test
description: Detects use of icacls to deny access to Everyone (SID S-1-1-0) on a path under the Users folder, which is sometimes done to hide malicious files
references:
    - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
author: frack113
date: 2022/07/18
tags:
    - attack.defense_evasion
    - attack.t1564.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_icacls:
        - OriginalFileName: 'iCACLS.EXE'
        - Image|endswith: '\icacls.exe'
    selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        CommandLine|contains|all:
            - 'C:\Users\'
            - '/deny'
            - '*S-1-1-0:'
    condition: all of selection*
falsepositives:
    - Legitimate use
level: medium
```
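To see what the two selections actually fire on, the following Python evaluates the rule's detection logic against a handful of constructed process_creation events. This is an added example, not part of the rule or the SigmaHQ project; the events are made up for illustration and use Sysmon-style field names (`Image`, `OriginalFileName`, `CommandLine`). It also shows two things the rule text alone does not make obvious: a renamed `icacls.exe` is still caught through `OriginalFileName`, and the same deny written with the account name `Everyone` instead of the SID is not caught, because the rule only looks for the `*S-1-1-0:` spelling (the leading `*` is a Sigma wildcard unless escaped, so the effective test is the substring `S-1-1-0:`).

```python
# Added example: evaluate the Sigma rule above against constructed
# process_creation events. Not part of SigmaHQ or the rule itself; the events
# below are constructed for illustration and use Sysmon-style field names.

RULE = {
    "selection_icacls": [                      # list of maps: OR between maps
        {"OriginalFileName": "iCACLS.EXE"},
        {"Image|endswith": "\\icacls.exe"},
    ],
    "selection_cmd": {                         # map: AND between keys
        "CommandLine|contains|all": ["C:\\Users\\", "/deny", "*S-1-1-0:"],
    },
}


def _match_field(event, key, value):
    """Evaluate one 'field|modifier|...' expression against an event.

    Sigma string matching is case-insensitive, so both sides are lower-cased.
    A '*' at the edge of a value is a Sigma wildcard; inside a 'contains' test
    it adds nothing, so it is stripped (the effective test for the rule's last
    value is therefore the substring 'S-1-1-0:').
    """
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    values = value if isinstance(value, list) else [value]
    values = [str(v).lower() for v in values]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in values]
    elif "contains" in mods:
        hits = [v.strip("*") in actual for v in values]
    else:
        hits = [actual == v for v in values]
    return all(hits) if "all" in mods else any(hits)


def _match_selection(event, selection):
    if isinstance(selection, list):            # any map in the list may match
        return any(_match_selection(event, m) for m in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def matches(event):
    """condition: all of selection*"""
    return all(_match_selection(event, sel)
               for name, sel in RULE.items() if name.startswith("selection"))


# Constructed events (not real telemetry).
EVENTS = [
    {   # the command quoted in the rule's own comment: should alert
        "name": "deny_everyone_by_sid",
        "Image": "C:\\Windows\\System32\\icacls.exe",
        "OriginalFileName": "iCACLS.EXE",
        "CommandLine": 'icacls "C:\\Users\\admin\\AppData\\Local\\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    },
    {   # renamed copy of icacls: still caught through OriginalFileName
        "name": "renamed_binary",
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "iCACLS.EXE",
        "CommandLine": 'svc.exe C:\\Users\\Public\\cache /deny *S-1-1-0:(OI)(CI)(F)',
    },
    {   # routine admin work: a grant, not a deny: should not alert
        "name": "legit_grant",
        "Image": "C:\\Windows\\System32\\icacls.exe",
        "OriginalFileName": "iCACLS.EXE",
        "CommandLine": 'icacls C:\\Users\\bob\\Documents /grant bob:(OI)(CI)F',
    },
    {   # same effect using the account name instead of the SID: the rule
        # only looks for the '*S-1-1-0:' spelling, so this is a coverage gap
        "name": "deny_everyone_by_name",
        "Image": "C:\\Windows\\System32\\icacls.exe",
        "OriginalFileName": "iCACLS.EXE",
        "CommandLine": 'icacls C:\\Users\\admin\\AppData\\Local\\Temp\\x /deny Everyone:(OI)(CI)(DE,DC)',
    },
]


def evaluate():
    """Return {event name: rule matched?} for the constructed events."""
    return {e["name"]: matches(e) for e in EVENTS}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'ALERT ' if hit else 'no hit'}  {name}")
```

If the `Everyone` name form matters in your environment, a third value list (or a second `selection_cmd` alternative) for `Everyone:` would close that gap at the cost of a few more legitimate-use hits.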
Related rules
- PowerShell Logging Disabled Via Registry Key Tampering
- Hiding Files with Attrib.exe
- Hidden Files and Directories
- Binary Padding - MacOS
- CobaltStrike Load by Rundll32