ICACLS Deny Permission Abuse

Rule Info

Name
ICACLS Deny Permission Abuse
Author
X__Junior
Description
Detects execution of icacls.exe with deny arguments targeting broad principals such as Everyone or Administrators, which may indicate malicious permission tampering.
Reference
https://bbs.kafan.cn/thread-2288675-1-1.html
Date
2026-02-20 00:00:00
Modified
None
Id
a2c4c383-26af-4741-beba-9cce9c84a7e3
Tags
attack.defense-evasion attack.t1562.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022