Excessive Usage Of Cacls App

Excessive Usage Of Cacls App

Description

The following analytic identifies excessive usage of cacls.exe, xcacls.exe or icacls.exe application to change file or folder permission. This behavior is commonly seen where the adversary attempts to impair some users from deleting or accessing its malware components or artifact from the compromised system.

   Help

Excessive Usage Of Cacls App Help

To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Processes node.

   Search

Open in Search