Suspicious Granting of Full Control to Everyone via Security Descriptor

Rule Info

Name
Suspicious Granting of Full Control to Everyone via Security Descriptor
Author
Florian Roth
Description
Detects the usage of commands that modify security descriptors to grant full control (KA) permissions to the Everyone (WD) group. The presence of "D:(A;;KA;;;WD)" in a command line is unusual and may indicate an attempt to weaken security by allowing all users unrestricted access to critical system objects, potentially leading to privilege escalation or unauthorized system modifications.
Reference
https://x.com/akaclandestine/status/1832917886261973202?s=12&t=C0_T_re0wRP_NfKa27Xw9w
Date
2024-09-19 00:00:00
Modified
None
Id
eb7a1c75-d3ea-434b-8c43-f9503b32b20a
Tags
attack.privilege-escalation
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022