PowerShell Script Change Permission Via Set-Acl

 1title: PowerShell Script Change Permission Via Set-Acl
 2id: bdeb2cff-af74-4094-8426-724dc937f20a
 3related:
 4    - id: cae80281-ef23-44c5-873b-fd48d2666f49 # PsScript Low
 5      type: derived
 6    - id: 0944e002-e3f6-4eb5-bf69-3a3067b53d73 # ProcCreation Susp
 7      type: derived
 8    - id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
 9      type: derived
10status: test
11description: Detects PowerShell execution to set the ACL of a file or a folder
12references:
13    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl?view=powershell-5.1
14    - https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
15author: Nasreddine Bencherchali (Nextron Systems)
16date: 2022-10-18
17tags:
18    - attack.defense-evasion
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection_img:
24        - OriginalFileName:
25              - 'PowerShell.EXE'
26              - 'pwsh.dll'
27        - Image|endswith:
28              - '\powershell.exe'
29              - '\pwsh.exe'
30    selection_cmdlet:
31        CommandLine|contains|all:
32            - 'Set-Acl '
33            - '-AclObject '
34            - '-Path '
35    condition: all of selection_*
36falsepositives:
37    - Unknown
38level: high

References

• Set-Acl (Microsoft.PowerShell.Security) - PowerShell

  

  The Set-Acl cmdlet changes the security descriptor of a specified item, such as a file or a registry key, to match the values in a security descriptor that you supply. To use Set-Acl, use the Path or InputObject parameter to identify the item whose security descriptor you want to change. Then, use the AclObject or SecurityDescriptor parameters to supply a security descriptor that has the values you want to apply. Set-Acl applies the security descriptor that is supplied. It uses the value of the AclObject parameter as a model and changes the values in the item's security descriptor to match the values in the AclObject parameter.

  
  Read More

• atomic-red-team/atomics/T1505.005/T1505.005.md at 74438b0237d141ee9c99747976447dc884cb1a39 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• AD Object WriteDAC Access
• ADS Zone.Identifier Deleted By Uncommon Application
• AMSI Bypass Pattern Assembly GetType
• APT PRIVATELOG Image Load Pattern
• APT27 - Emissary Panda Activity