← Back to Explore
sigmamediumHunting
Potentially Over Permissive Permissions Granted Using Dsacls.EXE
Detects usage of Dsacls to grant over permissive permissions
Detection Query
selection_img:
- Image|endswith: \dsacls.exe
- OriginalFileName: DSACLS.EXE
selection_flag:
CommandLine|contains: " /G "
selection_permissions:
CommandLine|contains:
- GR
- GE
- GW
- GA
- WP
- WD
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-06-20
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218
Raw Content
title: Potentially Over Permissive Permissions Granted Using Dsacls.EXE
id: 01c42d3c-242d-4655-85b2-34f1739632f7
status: test
description: Detects usage of Dsacls to grant over permissive permissions
references:
- https://ss64.com/nt/dsacls.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2023-02-04
tags:
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dsacls.exe'
- OriginalFileName: "DSACLS.EXE"
selection_flag:
CommandLine|contains: ' /G '
selection_permissions:
CommandLine|contains: # Add more permissions as you see fit in your environment
- 'GR'
- 'GE'
- 'GW'
- 'GA'
- 'WP'
- 'WD'
condition: all of selection_*
falsepositives:
- Legitimate administrators granting over permissive permissions to users
level: medium