Suspicious Granting of Full Control to Everyone via Security Descriptor

Rule Info

Name: Suspicious Granting of Full Control to Everyone via Security Descriptor
Author: Florian Roth
Description: Detects command lines that modify security descriptors to grant full control (KA) permissions to the Everyone (WD) group. The presence of "D:(A;;KA;;;WD)" in a command line is unusual and may indicate an attempt to weaken security by allowing all users unrestricted access to critical system objects, potentially leading to privilege escalation or unauthorized system modifications.
Date: 2024-09-19 00:00:00
Modified: None
Id: eb7a1c75-d3ea-434b-8c43-f9503b32b20a
Tags: attack.privilege-escalation
Type: Nextron Sigma feed only (private)
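The description above matches the literal string "D:(A;;KA;;;WD)". The following is an added example, not part of the rule page or the Nextron feed, showing how a detection pipeline can parse the DACL portion of an SDDL string out of a command line and flag any allow ACE that grants KA to Everyone, so that variants of the same grant (extra ACE flags such as OICI, additional ACEs, the well-known SID S-1-1-0 instead of WD, or KEY_ALL_ACCESS written as the hex mask 0xF003F) are caught as well. The sample command lines and the "setsd.exe --sddl" tool are constructed for illustration and are not real telemetry; the generalisation beyond the literal string is this example's, not the rule's.

```python
import re

# Constructed sample command lines (not taken from the page or any real host).
# "setsd.exe --sddl" is a placeholder tool and flag used only for illustration.
SAMPLE_COMMAND_LINES = [
    r'reg.exe add HKLM\SOFTWARE\Example\Svc /v Path /t REG_SZ /d C:\svc\run.exe',
    'setsd.exe --sddl "D:(A;;KA;;;WD)"',                             # literal pattern from the rule
    'setsd.exe --sddl "O:BAG:SYD:PAI(A;OICI;KA;;;WD)(A;;KA;;;BA)"',  # same grant, different shape
    'setsd.exe --sddl "D:(A;;0xf003f;;;WD)"',                        # KEY_ALL_ACCESS as a hex mask
    'setsd.exe --sddl "D:(A;;KR;;;WD)(A;;KA;;;BA)"',                 # Everyone only gets read
    'setsd.exe --sddl "D:(D;;KA;;;WD)"',                             # deny ACE, not a grant
]

# Everyone: the SDDL alias WD or the well-known SID S-1-1-0.
EVERYONE = {"WD", "S-1-1-0"}
# KA is the SDDL alias for KEY_ALL_ACCESS; the same right may appear as a hex mask.
KEY_ALL_ACCESS = 0xF003F

# "D:" followed by optional DACL flags (P, AI, AR, ...) and one or more "(...)" ACEs.
# A drive letter such as "D:\" does not match because no "(" follows it.
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")
ACE_RE = re.compile(r"\(([^()]*)\)")
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "sid")


def parse_dacl(text):
    """Return the ACEs of the first D: section found in text as dicts.

    ACEs that do not have exactly six ';'-separated fields are skipped."""
    m = DACL_RE.search(text)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) == len(ACE_FIELDS):
            aces.append(dict(zip(ACE_FIELDS, fields)))
    return aces


def grants_full_control(rights):
    """True if an ACE rights field carries KA, as an alias or as a hex mask."""
    if rights.lower().startswith("0x"):
        try:
            return (int(rights, 16) & KEY_ALL_ACCESS) == KEY_ALL_ACCESS
        except ValueError:
            return False
    # Alias rights are concatenated two-letter tokens, e.g. "CCLCSWRP".
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return "KA" in tokens


def everyone_full_control_aces(cmdline):
    """Return the allow ACEs in cmdline that grant KA to Everyone."""
    return [
        ace for ace in parse_dacl(cmdline)
        if ace["type"] == "A"
        and ace["sid"] in EVERYONE
        and grants_full_control(ace["rights"])
    ]


def scan(lines):
    """Return (line index, matching ACE) pairs for every suspicious command line."""
    hits = []
    for i, line in enumerate(lines):
        for ace in everyone_full_control_aces(line):
            hits.append((i, ace))
    return hits


if __name__ == "__main__":
    for i, ace in scan(SAMPLE_COMMAND_LINES):
        print(f"line {i}: KA granted to {ace['sid']}: {SAMPLE_COMMAND_LINES[i]}")
```

Run against the constructed samples, only lines 1, 2 and 3 are reported: the read-only grant and the deny ACE for Everyone are left alone, and the administrator (BA) ACEs never trigger. A deny ACE is deliberately excluded, since type D with KA tightens rather than weakens access; keeping that distinction in the parser is what prevents a plain substring match on "KA;;;WD" from paging on hardening activity.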

Rule History