SPL | Apache-2.0 | from splunk/security_content

Excessive Usage Of Cacls App

The following analytic identifies excessive usage of `cacls.exe`, `xcacls.exe`, or `icacls.exe` to change file or folder permissions. It looks for 10 or more executions of those processes within a 1-minute span. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it may indicate an adversary attempting to restrict access to malware components or artifacts on a compromised system. If confirmed malicious, this behavior could prevent users from deleting or accessing critical files, aiding the persistence and concealment of malicious activity.

Rule source: detections/endpoint/excessive_usage_of_cacls_app.yml
| tstats `security_content_summariesonly`
  min(_time) as firstTime
  max(_time) as lastTime
  values(Processes.dest) as dest
  values(Processes.user) as user
  values(Processes.action) as action
  values(Processes.original_file_name) as original_file_name
  values(Processes.parent_process_exec) as parent_process_exec
  values(Processes.parent_process_guid) as parent_process_guid
  values(Processes.parent_process_id) as parent_process_id
  values(Processes.parent_process_path) as parent_process_path
  values(Processes.process) as process
  values(Processes.process_exec) as process_exec
  values(Processes.process_guid) as process_guid
  values(Processes.process_hash) as process_hash
  values(Processes.process_id) as process_id
  values(Processes.process_integrity_level) as process_integrity_level
  values(Processes.process_name) as process_name
  values(Processes.process_path) as process_path
  values(Processes.user_id) as user_id
  values(Processes.vendor_product) as vendor_product count
from datamodel=Endpoint.Processes where
Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe")
by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m
| where count >=10
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `excessive_usage_of_cacls_app_filter`
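As an added illustration (not part of the original detection or the splunk/security_content project), the following Python emulates the search's logic over constructed EDR process events: keep only the three ACL tools, bucket `_time` into 1-minute spans, group by parent process name, host and user, and flag groups with 10 or more executions. It assumes ISO-8601 UTC timestamps in the events and omits the `parent_process` grouping key and the remaining `values()` fields for brevity.

```python
from collections import defaultdict
from datetime import datetime, timezone

WATCHED = {"icacls.exe", "cacls.exe", "xcacls.exe"}   # process_name IN(...)
THRESHOLD = 10                                         # where count >= 10
SPAN_SECONDS = 60                                      # span=1m

# Constructed sample events (not real telemetry): 11 icacls.exe runs from one
# cmd.exe on WS01 inside a single minute, one lone icacls.exe run on WS02, and
# an unrelated powershell.exe run that the process_name filter must drop.
SAMPLE_EVENTS = [
    {"_time": f"2024-01-15T10:00:{s:02d}Z", "dest": "WS01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "icacls.exe",
     "process": f"icacls.exe C:\\Temp\\f{s}.dll /deny Everyone:(D)"}
    for s in range(0, 55, 5)
] + [
    {"_time": "2024-01-15T10:03:10Z", "dest": "WS02", "user": "CORP\\bob",
     "parent_process_name": "explorer.exe", "process_name": "icacls.exe",
     "process": "icacls.exe D:\\Share /grant bob:F"},
    {"_time": "2024-01-15T10:00:20Z", "dest": "WS01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "powershell.exe",
     "process": "powershell.exe -c dir"},
]

def _epoch(ts):
    # ISO-8601 UTC timestamp -> Unix seconds (Splunk's _time is epoch seconds)
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())

def detect_excessive_cacls(events, threshold=THRESHOLD, span=SPAN_SECONDS):
    """Emulate the tstats search: filter on watched process names, bucket _time
    into fixed spans, group by parent_process_name/dest/user/bucket, and report
    groups reaching the threshold with firstTime, lastTime and distinct commands."""
    groups = defaultdict(list)
    for ev in events:
        if ev["process_name"].lower() not in WATCHED:
            continue
        t = _epoch(ev["_time"])
        key = (ev["parent_process_name"], ev["dest"], ev["user"], t - t % span)
        groups[key].append((t, ev["process"]))
    hits = []
    for (parent, dest, user, bucket), rows in groups.items():
        if len(rows) < threshold:
            continue
        times = [t for t, _ in rows]
        hits.append({"parent_process_name": parent, "dest": dest, "user": user,
                     "span_start": bucket, "count": len(rows),
                     "firstTime": min(times), "lastTime": max(times),
                     "process": sorted({p for _, p in rows})})  # values(Processes.process)
    return hits
```

Running `detect_excessive_cacls(SAMPLE_EVENTS)` yields one hit for WS01 with count 11; raising the threshold above 11 or spreading the same runs across two minutes makes it disappear, which is the tuning knob the `excessive_usage_of_cacls_app_filter` macro and the `span=1m`/`count >=10` values give you in production.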