splApache-2.0from splunk/security_content
Windows File and Directory Enable ReadOnly Permissions
The following analytic detects instances where file or folder permissions are modified to grant read-only access. Such changes are characterized by the presence of read-related permissions (e.g., R, REA, RA, RD) and the absence of write (W) or execute (E) permissions. Monitoring these events is crucial for tracking access control changes that could be intentional for restricting access or indicative of malicious behavior. Alerts generated by this detection help ensure that legitimate security measures are enforced while unauthorized changes are promptly investigated.
Quality
59
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN( "icacls.exe", "cacls.exe", "xcacls.exe") AND Processes.process IN ("*/grant*", "*/G*") AND Processes.process IN ("*SYSTEM*", "*admin*", "*S-1-1-0*", "*EVERYONE*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | rex field=process ":\\((?<permission>[^)]+)\\)" | eval has_read_attribute=if(match(permission, "R"), "true", "false") | eval has_write_execute=if(match(permission, "(W|GA|X|M|F|AD|DC|DE)"), "true", "false") | where has_write_execute="false" and has_read_attribute = "true" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_file_and_directory_enable_readonly_permissions_filter`