T1222 File and Directory Permissions Modification Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let PermModTools = dynamic(["icacls.exe", "cacls.exe", "xcacls.exe", "takeown.exe", "attrib.exe", "SetACL.exe"]);
let HighValuePaths = dynamic(["\\system32\\", "\\syswow64\\", "\\windows\\", "\\program files\\", "\\programdata\\", "\\users\\", "\\sam", "\\security", "\\ntds", "\\lsass", "\\hosts"]);
let SuspiciousFlags = dynamic(["/grant", "/deny", "/reset", "/setowner", "/inheritance:r", "/inheritance:d", "Everyone", "BUILTIN\\Everyone", ":(OI)(CI)F", ":(F)", "/T /C /Q"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (PermModTools)
    or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Set-Acl", "SetAccessControl", "InheritanceFlags", "PropagationFlags", "FileSystemAccessRule", "RegistryAccessRule", "AddAccessRule", "SetOwner"))
    or (FileName =~ "cmd.exe" and ProcessCommandLine has_any ("icacls", "cacls", "takeown", "SetACL"))
| extend IsPermTool = FileName in~ (PermModTools)
| extend IsHighValuePath = ProcessCommandLine has_any (HighValuePaths)
| extend HasSuspiciousFlag = ProcessCommandLine has_any (SuspiciousFlags)
| extend GrantsEveryone = ProcessCommandLine has_any ("Everyone", "BUILTIN\\Everyone", "*S-1-1-0*")
| extend RemovesInheritance = ProcessCommandLine has_any ("/inheritance:r", "/inheritance:d")
| extend TakeOwnership = FileName =~ "takeown.exe" or ProcessCommandLine has "/setowner"
| extend GrantsFullControl = ProcessCommandLine has_any (":(F)", ":(OI)(CI)F", "/grant Everyone:F", "/grant *:F")
| extend IsPowerShellACL = FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Set-Acl", "SetAccessControl", "AddAccessRule")
| extend SuspicionScore = toint(IsHighValuePath) + toint(HasSuspiciousFlag) + toint(GrantsEveryone) + toint(RemovesInheritance) + toint(TakeOwnership) + toint(GrantsFullControl)
| where SuspicionScore > 0 or IsPermTool or IsPowerShellACL
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsHighValuePath, HasSuspiciousFlag, GrantsEveryone, RemovesInheritance,
         TakeOwnership, GrantsFullControl, IsPowerShellACL, SuspicionScore
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Software installation routines that reset permissions on application directories during setup or update (SCCM, Intune, installers)
IT administrators using icacls or takeown to recover access to orphaned files after account migrations or domain rejoins
Backup agents (Veeam, Acronis, Windows Server Backup) that modify file ACLs to enable backup of protected files
Endpoint security tools resetting permissions on quarantined files or their own installation directories
CI/CD pipeline agents (GitHub Actions, Jenkins, Azure DevOps agents) adjusting permissions on build artifact directories

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\icacls.exe" OR Image="*\\cacls.exe" OR Image="*\\xcacls.exe" OR Image="*\\takeown.exe" OR Image="*\\attrib.exe" OR Image="*\\SetACL.exe"
   OR (Image="*\\powershell.exe" AND (CommandLine="*Set-Acl*" OR CommandLine="*SetAccessControl*" OR CommandLine="*AddAccessRule*" OR CommandLine="*InheritanceFlags*" OR CommandLine="*FileSystemAccessRule*" OR CommandLine="*SetOwner*"))
   OR (Image="*\\cmd.exe" AND (CommandLine="*icacls*" OR CommandLine="*cacls*" OR CommandLine="*takeown*" OR CommandLine="*SetACL*")))
| eval IsTool=if(match(Image, "(icacls|cacls|xcacls|takeown|attrib|SetACL)\.exe$"), 1, 0)
| eval GrantsEveryone=if(match(lower(CommandLine), "everyone|s-1-1-0"), 1, 0)
| eval RemovesInheritance=if(match(CommandLine, "/inheritance:[rd]"), 1, 0)
| eval TakeOwnership=if(match(lower(Image), "takeown\.exe"), 1, 0)
| eval GrantsFullControl=if(match(CommandLine, "(:\(F\)|:\(OI\)\(CI\)F|/grant.*:F|/grant.*:\(F\))"), 1, 0)
| eval HighValuePath=if(match(lower(CommandLine), "(\\\\system32|\\\\syswow64|\\\\windows\\\\|\\\\program files|\\\\programdata|\\\\sam|\\\\security|\\\\ntds|\\\\lsass|\\\\hosts)"), 1, 0)
| eval IsPowerShellACL=if(match(lower(Image), "powershell\.exe") AND match(CommandLine, "(Set-Acl|SetAccessControl|AddAccessRule)"), 1, 0)
| eval SuspicionScore=IsTool + GrantsEveryone + RemovesInheritance + TakeOwnership + GrantsFullControl + HighValuePath
| where SuspicionScore > 0 OR IsPowerShellACL=1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, GrantsEveryone, RemovesInheritance, TakeOwnership, GrantsFullControl, HighValuePath, IsPowerShellACL, SuspicionScore
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software installation routines that reset permissions on application directories during setup or update (SCCM, Intune, installers)
IT administrators using icacls or takeown to recover access to orphaned files after account migrations or domain rejoins
Backup agents (Veeam, Acronis, Windows Server Backup) that modify file ACLs to enable backup of protected files
Endpoint security tools resetting permissions on quarantined files or their own installation directories
CI/CD pipeline agents (GitHub Actions, Jenkins, Azure DevOps agents) adjusting permissions on build artifact directories

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("icacls.exe", "cacls.exe", "xcacls.exe", "takeown.exe", "attrib.exe", "SetACL.exe") or
  (
    process.name like~ "powershell.exe" and
    process.command_line like~ ("*Set-Acl*", "*SetAccessControl*", "*InheritanceFlags*", "*PropagationFlags*", "*FileSystemAccessRule*", "*RegistryAccessRule*", "*AddAccessRule*", "*SetOwner*")
  ) or
  (
    process.name like~ "cmd.exe" and
    process.command_line like~ ("*icacls*", "*cacls*", "*takeown*", "*SetACL*")
  )
)

medium severity high confidence

Data Sources

Elastic Defend (Elastic Agent endpoint integration) Winlogbeat with Microsoft-Windows-Sysmon/Operational enabled Elastic Agent Windows integration (process events)

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

System administrators using icacls, takeown, or attrib during planned maintenance windows, post-incident permission remediation, or security baseline enforcement tasks
Software installation packages (MSI, NSIS, InstallShield, WiX) that invoke icacls or PowerShell Set-Acl to configure ACLs on Program Files, ProgramData, or application-specific directories as part of normal setup
Group Policy processing, SCCM/MECM client agent, or Intune Management Extension that legitimately resets file or registry permissions on managed endpoints during policy application

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  username,
  sourceip,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process_name,
  CASE
    WHEN LOWER("Process Name") LIKE '%icacls.exe%'
      OR LOWER("Process Name") LIKE '%cacls.exe%'
      OR LOWER("Process Name") LIKE '%xcacls.exe%'
      OR LOWER("Process Name") LIKE '%takeown.exe%'
      OR LOWER("Process Name") LIKE '%attrib.exe%'
      OR LOWER("Process Name") LIKE '%setacl.exe%' THEN 1
    ELSE 0
  END AS is_perm_tool,
  CASE
    WHEN LOWER("Command") LIKE '%everyone%' OR "Command" LIKE '%S-1-1-0%' THEN 1
    ELSE 0
  END AS grants_everyone,
  CASE
    WHEN "Command" LIKE '%/inheritance:r%' OR "Command" LIKE '%/inheritance:d%' THEN 1
    ELSE 0
  END AS removes_inheritance,
  CASE
    WHEN LOWER("Process Name") LIKE '%takeown.exe%' OR LOWER("Command") LIKE '%/setowner%' THEN 1
    ELSE 0
  END AS take_ownership,
  CASE
    WHEN "Command" LIKE '%:(F)%'
      OR "Command" LIKE '%:(OI)(CI)F%'
      OR "Command" LIKE '%/grant%:F%' THEN 1
    ELSE 0
  END AS grants_full_control,
  CASE
    WHEN LOWER("Command") LIKE '%\\system32\\%'
      OR LOWER("Command") LIKE '%\\syswow64\\%'
      OR LOWER("Command") LIKE '%\\windows\\%'
      OR LOWER("Command") LIKE '%\\ntds%'
      OR LOWER("Command") LIKE '%\\lsass%'
      OR LOWER("Command") LIKE '%\\sam%'
      OR LOWER("Command") LIKE '%\\hosts%'
      OR LOWER("Command") LIKE '%\\programdata\\%'
      OR LOWER("Command") LIKE '%\\program files\\%' THEN 1
    ELSE 0
  END AS high_value_path
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) ILIKE '%Windows%'
  AND (
    LOWER("Process Name") ILIKE '%icacls.exe%'
    OR LOWER("Process Name") ILIKE '%cacls.exe%'
    OR LOWER("Process Name") ILIKE '%xcacls.exe%'
    OR LOWER("Process Name") ILIKE '%takeown.exe%'
    OR LOWER("Process Name") ILIKE '%attrib.exe%'
    OR LOWER("Process Name") ILIKE '%setacl.exe%'
    OR (
      LOWER("Process Name") ILIKE '%powershell.exe%'
      AND (
        "Command" ILIKE '%Set-Acl%'
        OR "Command" ILIKE '%SetAccessControl%'
        OR "Command" ILIKE '%AddAccessRule%'
        OR "Command" ILIKE '%InheritanceFlags%'
        OR "Command" ILIKE '%FileSystemAccessRule%'
        OR "Command" ILIKE '%SetOwner%'
      )
    )
    OR (
      LOWER("Process Name") ILIKE '%cmd.exe%'
      AND (
        "Command" ILIKE '%icacls%'
        OR "Command" ILIKE '%cacls%'
        OR "Command" ILIKE '%takeown%'
        OR "Command" ILIKE '%SetACL%'
      )
    )
  )
LAST 24 HOURS

medium severity high confidence

Data Sources

IBM QRadar Windows Event Log DSM IBM QRadar Microsoft Windows Sysmon DSM QRadar Universal DSM with custom extracted properties for Process Name and Command

Required Tables

events

False Positives

IT operations teams running icacls or takeown scripts for bulk permission remediation after ransomware recovery events, AD recycle bin restores, or permission inheritance repairs
Automated software deployment pipelines (SCCM, PDQ Deploy, Chocolatey) that invoke icacls to set ACLs on application directories during installation or update
Backup agents, DLP solutions, or endpoint security products that use attrib or ACL modification to protect their own installation directories from user tampering

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where EventCode = 1
| where Image matches "*icacls.exe" OR Image matches "*cacls.exe" OR Image matches "*xcacls.exe"
      OR Image matches "*takeown.exe" OR Image matches "*attrib.exe" OR Image matches "*SetACL.exe"
      OR (Image matches "*powershell.exe"
          AND (CommandLine matches "*Set-Acl*" OR CommandLine matches "*SetAccessControl*"
               OR CommandLine matches "*AddAccessRule*" OR CommandLine matches "*InheritanceFlags*"
               OR CommandLine matches "*FileSystemAccessRule*" OR CommandLine matches "*SetOwner*"))
      OR (Image matches "*cmd.exe"
          AND (CommandLine matches "*icacls*" OR CommandLine matches "*cacls*"
               OR CommandLine matches "*takeown*" OR CommandLine matches "*SetACL*"))
| eval IsTool = if(Image matches "*icacls.exe*" OR Image matches "*cacls.exe*" OR Image matches "*xcacls.exe*" OR Image matches "*takeown.exe*" OR Image matches "*attrib.exe*" OR Image matches "*SetACL.exe*", 1, 0)
| eval GrantsEveryone = if(toLowerCase(CommandLine) matches "*everyone*" OR CommandLine matches "*S-1-1-0*", 1, 0)
| eval RemovesInheritance = if(CommandLine matches "*/inheritance:r*" OR CommandLine matches "*/inheritance:d*", 1, 0)
| eval TakeOwnership = if(Image matches "*takeown.exe*" OR toLowerCase(CommandLine) matches "*/setowner*", 1, 0)
| eval GrantsFullControl = if(CommandLine matches "*:(F)*" OR CommandLine matches "*:(OI)(CI)F*" OR CommandLine matches "*/grant*:F*", 1, 0)
| eval HighValuePath = if(toLowerCase(CommandLine) matches "*\\system32\\*" OR toLowerCase(CommandLine) matches "*\\syswow64\\*" OR toLowerCase(CommandLine) matches "*\\windows\\*" OR toLowerCase(CommandLine) matches "*\\ntds*" OR toLowerCase(CommandLine) matches "*\\lsass*" OR toLowerCase(CommandLine) matches "*\\sam*" OR toLowerCase(CommandLine) matches "*\\hosts*" OR toLowerCase(CommandLine) matches "*\\programdata\\*", 1, 0)
| eval IsPowerShellACL = if(Image matches "*powershell.exe*" AND (CommandLine matches "*Set-Acl*" OR CommandLine matches "*SetAccessControl*" OR CommandLine matches "*AddAccessRule*"), 1, 0)
| eval SuspicionScore = IsTool + GrantsEveryone + RemovesInheritance + TakeOwnership + GrantsFullControl + HighValuePath
| where SuspicionScore > 0 OR IsPowerShellACL = 1
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, GrantsEveryone, RemovesInheritance, TakeOwnership, GrantsFullControl, HighValuePath, IsPowerShellACL, SuspicionScore
| sort by _time desc

medium severity high confidence

Data Sources

Sumo Logic Installed Collector on Windows endpoints forwarding Sysmon Operational logs Sumo Logic Cloud SIEM Enterprise Windows Sysmon source Sumo Logic Windows source category with Microsoft-Windows-Sysmon/Operational channel

Required Tables

Windows Sysmon Operational Event ID 1 (Process Create)

False Positives

Help desk staff using takeown or icacls to regain access to user-owned files during account migration, profile corruption repair, or password reset procedures on managed endpoints
Security tools and EDR agents that legitimately modify ACLs on their own installation directories at install time or during self-protection routines
CI/CD pipeline agents (Jenkins, GitHub Actions self-hosted runner, TeamCity) that reset folder permissions on build artifact or workspace directories between pipeline runs

Google Chronicle / SecOps

yaral

rule t1222_windows_permission_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1222 File and Directory Permissions Modification using Windows ACL and permission tools"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1222"
    reference = "https://attack.mitre.org/techniques/T1222/"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(icacls|cacls|xcacls|takeown|attrib|SetACL)\.exe$`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)powershell\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(Set-Acl|SetAccessControl|InheritanceFlags|PropagationFlags|FileSystemAccessRule|RegistryAccessRule|AddAccessRule|SetOwner)`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)cmd\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(icacls|cacls|takeown|SetACL)`)
      )
    )

  condition:
    $e
}

medium severity high confidence

Data Sources

Google Chronicle UDM - Windows endpoint telemetry Chronicle Windows Event Log parser (Sysmon PROCESS_LAUNCH events) Chronicle Forwarder with Windows Sysmon or Defender for Endpoint data

Required Tables

UDM events with event_type PROCESS_LAUNCH

False Positives

Enterprise software deployment tools (SCCM, Intune, PDQ Deploy) that invoke icacls or attrib to set permissions during application installation or update cycles on managed endpoints
Automated system hardening scripts run by security teams enforcing CIS Benchmark or STIG baseline permissions using Set-Acl or icacls on known system paths
Database administrators using PowerShell Set-Acl to configure SQL Server data directory permissions during initial installation, patching, or disaster recovery failover procedures

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| where ImageFileName =~ /(?i)(icacls|cacls|xcacls|takeown|attrib|SetACL)\.exe$/
      or (ImageFileName =~ /(?i)powershell\.exe$/ and CommandLine =~ /(?i)(Set-Acl|SetAccessControl|InheritanceFlags|PropagationFlags|FileSystemAccessRule|RegistryAccessRule|AddAccessRule|SetOwner)/)
      or (ImageFileName =~ /(?i)cmd\.exe$/ and CommandLine =~ /(?i)(icacls|cacls|takeown|SetACL)/)
| IsTool := if(ImageFileName =~ /(?i)(icacls|cacls|xcacls|takeown|attrib|SetACL)\.exe$/, 1, 0)
| GrantsEveryone := if(CommandLine =~ /(?i)(everyone|S-1-1-0)/, 1, 0)
| RemovesInheritance := if(CommandLine =~ /\/inheritance:[rd]/i, 1, 0)
| TakeOwnership := if(ImageFileName =~ /(?i)takeown\.exe$/ or CommandLine =~ /\/setowner/i, 1, 0)
| GrantsFullControl := if(CommandLine =~ /(\(F\)|\(OI\)\(CI\)F|\/grant[^:]*:F)/i, 1, 0)
| HighValuePath := if(CommandLine =~ /(?i)(\\system32|\\syswow64|\\windows\\|\\program.files|\\programdata|\\sam|\\security|\\ntds|\\lsass|\\hosts)/, 1, 0)
| IsPowerShellACL := if(ImageFileName =~ /(?i)powershell\.exe$/ and CommandLine =~ /(?i)(Set-Acl|SetAccessControl|AddAccessRule)/, 1, 0)
| SuspicionScore := IsTool + GrantsEveryone + RemovesInheritance + TakeOwnership + GrantsFullControl + HighValuePath
| where SuspicionScore > 0 or IsPowerShellACL = 1
| select([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, GrantsEveryone, RemovesInheritance, TakeOwnership, GrantsFullControl, HighValuePath, IsPowerShellACL, SuspicionScore])
| sort(field=timestamp, order=desc)

medium severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2 events) CrowdStrike Falcon Data Replicator (FDR) stream ingested into LogScale CrowdStrike LogScale (Humio) with Falcon event pipeline

Required Tables

ProcessRollup2 (Falcon process telemetry event stream)

False Positives

IT operations teams using icacls scripts for bulk permission remediation after ransomware recovery, AD permission inheritance repair, or large-scale profile migration projects
Application packaging teams running takeown and icacls as part of MSI, MSIX, or App-V transformation workflows for enterprise software distribution
PowerShell DSC (Desired State Configuration) or Ansible WinRM playbooks that invoke Set-Acl to enforce and maintain configuration baseline permission states on servers

File and Directory Permissions Modification

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (2)

Same Tactic: Defense Evasion

Popular Detections