Use Icacls to Hide File to Everyone
Detects use of icacls to deny Everyone access to a path under the Users folder, which is sometimes used to hide malicious files.
Sigma rule
title: Use Icacls to Hide File to Everyone
id: 4ae81040-fc1c-4249-bfa3-938d260214d9
status: test
description: Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
references:
    - https://app.any.run/tasks/1df999e6-1cb8-45e3-8b61-499d1b7d5a9b/
author: frack113
date: 2022/07/18
modified: 2024/04/29
tags:
    - attack.defense_evasion
    - attack.t1564.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_icacls:
        - OriginalFileName: 'iCACLS.EXE'
        - Image|endswith: '\icacls.exe'
    selection_cmd: # icacls "C:\Users\admin\AppData\Local\37f92fe8-bcf0-4ee0-b8ba-561f797f5696" /deny *S-1-1-0:(OI)(CI)(DE,DC)
        CommandLine|contains|all:
            - '/deny'
            - '*S-1-1-0:'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
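The detection block above, as an added Python example that is not part of the rule or of the Sigma project: a minimal evaluator for the two selections and the `all of selection_*` condition, run over constructed process_creation events. Field names follow the rule; the sample image paths and command lines are constructed, and Sigma's case-insensitive string matching is assumed.

```python
# Added example: minimal evaluator for the detection block of the rule above,
# run over constructed process_creation events. Sigma string matching is
# case-insensitive, so values are lowered before comparison.
ICACLS_RULE = {
    "selection_icacls": [  # list of maps: OR between items
        {"OriginalFileName": "iCACLS.EXE"},
        {"Image|endswith": "\\icacls.exe"},
    ],
    "selection_cmd": {  # single map: AND between fields
        "CommandLine|contains|all": ["/deny", "*S-1-1-0:"],
    },
}

def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier...' : value pair."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    values = [str(v).lower() for v in values]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in values]
    elif "contains" in mods:
        hits = [v in actual for v in values]
    else:
        hits = [actual == v for v in values]
    return all(hits) if "all" in mods else any(hits)

def _selection_matches(event, selection):
    if isinstance(selection, list):
        return any(_selection_matches(event, item) for item in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())

def matches_icacls_hide_rule(event):
    """condition: all of selection_*"""
    return all(_selection_matches(event, s) for s in ICACLS_RULE.values())

# Constructed sample events; paths and SIDs mimic real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\icacls.exe", "OriginalFileName": "iCACLS.EXE",
     "CommandLine": r'icacls "C:\Users\admin\AppData\Local\x" /deny *S-1-1-0:(OI)(CI)(DE,DC)'},
    {"Image": r"C:\Windows\System32\icacls.exe", "OriginalFileName": "iCACLS.EXE",
     "CommandLine": r'icacls "C:\Users\admin\Documents" /grant admin:(OI)(CI)F'},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c echo /deny *S-1-1-0:"},
    {"Image": r"C:\Tools\ICACLS.EXE", "OriginalFileName": "",
     "CommandLine": r"ICACLS C:\Users\bob\AppData\Local\tmp /DENY *s-1-1-0:(OI)(CI)(DE,DC)"},
]

def flag_events(events):
    return [i for i, ev in enumerate(events) if matches_icacls_hide_rule(ev)]
```

Events 0 and 3 fire (the second via the `Image|endswith` branch with mixed-case arguments); event 1 fails the command-line selection and event 2 fails the image selection, which is why both selections are required.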
Related rules
- Hiding Files with Attrib.exe
- Set Suspicious Files as System Files Using Attrib.EXE
- Displaying Hidden Files Feature Disabled
- Registry Persistence via Service in Safe Mode
- Hidden Files and Directories