T1222.001

Windows File and Directory Permissions Modification

Adversaries may modify file or directory permissions on Windows systems using built-in utilities (icacls, cacls, takeown, attrib) or PowerShell ACL cmdlets to bypass access control lists and gain access to protected files. This technique is commonly used by ransomware families (Ryuk, WannaCry, BitPaymer, BlackByte) to take ownership of system files before encryption, by persistence mechanisms preparing hijack targets, and by threat actors (Wizard Spider, Storm-1811) to remove access restrictions on backup and recovery infrastructure. Key patterns include granting Everyone full control (/grant Everyone:F), taking file ownership (takeown /F), resetting ACL inheritance (icacls /reset), and hiding files with attrib +h.

Microsoft Sentinel / Defender

kusto

let SuspiciousIcaclsArgs = dynamic([
  "Everyone:F", "everyone:f",
  "/grant Everyone", "/grant everyone",
  "/T /C /Q", "/t /c /q",
  "/inheritance:r", "/inheritance:d",
  "/reset"
]);
let SuspiciousSystemPaths = dynamic([
  "C:\\Windows\\", "C:\\System32\\", "C:\\Program Files\\",
  "C:\\ProgramData\\", "\\Backup\\", "\\Recovery\\",
  "C:\\Users\\", "%SystemRoot%", "%ProgramFiles%"
]);
// Branch 1: icacls granting Everyone full control or manipulating inheritance
let IcaclsSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "icacls.exe"
| where ProcessCommandLine has_any (SuspiciousIcaclsArgs)
| extend AlertReason = case(
    ProcessCommandLine has_any ("Everyone:F", "everyone:f"), "icacls granting Everyone full control",
    ProcessCommandLine has "/inheritance:r", "icacls removing ACL inheritance",
    ProcessCommandLine has "/reset" and ProcessCommandLine has_any (SuspiciousSystemPaths), "icacls resetting ACL on system path",
    ProcessCommandLine has "/grant" and ProcessCommandLine has_any ("/T", "/C", "/Q"), "icacls bulk recursive permission grant",
    "icacls suspicious argument"
  );
// Branch 2: takeown taking ownership of system files
let TakeownSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "takeown.exe"
| where ProcessCommandLine has "/F"
| where ProcessCommandLine has_any (SuspiciousSystemPaths)
       or ProcessCommandLine has "/A"  // takeown for Administrators group
       or ProcessCommandLine has "/R"  // recursive
| extend AlertReason = case(
    ProcessCommandLine has_any (SuspiciousSystemPaths), "takeown on protected system path",
    ProcessCommandLine has "/R", "takeown recursive on directory",
    "takeown suspicious usage"
  );
// Branch 3: cacls modifying permissions
let CaclsSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cacls.exe"
| where ProcessCommandLine has_any ("/E /G", "/G Everyone", "/g everyone", "/P", "Everyone:F")
| extend AlertReason = "cacls modifying ACL permissions";
// Branch 4: attrib hiding files or removing system/read-only on sensitive paths
let AttribSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "attrib.exe"
| where (ProcessCommandLine has "+h" or ProcessCommandLine has "+s")
       and ProcessCommandLine has_any (SuspiciousSystemPaths)
| extend AlertReason = "attrib hiding/system-flagging file in sensitive path";
// Branch 5: PowerShell Set-Acl granting Everyone full control
let PsAclSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Set-Acl", "SetAccessRule", "AddAccessRule")
       and ProcessCommandLine has_any ("Everyone", "FullControl", "Allow")
| extend AlertReason = "PowerShell Set-Acl granting excessive permissions";
union IcaclsSuspicious, TakeownSuspicious, CaclsSuspicious, AttribSuspicious, PsAclSuspicious
| extend IsRansomwarePattern = ProcessCommandLine has_any ("Everyone:F", "everyone:f") and (ProcessCommandLine has "/T" or ProcessCommandLine has "/R")
| extend IsBackupTargeting = ProcessCommandLine has_any ("Backup", "backup", "Recovery", "recovery", "vss", "VSS", "shadow", "Shadow")
| extend IsSystemPathTargeted = ProcessCommandLine has_any (SuspiciousSystemPaths)
| project Timestamp, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
         AlertReason, IsRansomwarePattern, IsBackupTargeting, IsSystemPathTargeted
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Software installation packages that use icacls to set permissions on their own application directories during setup (e.g., MSI installers, third-party applications)
System administrators using takeown and icacls to recover access to accidentally locked files or directories
IT automation tools (SCCM, Ansible, Puppet) using PowerShell Set-Acl or icacls to enforce standardized permission baselines across managed endpoints
Backup software agents that modify ACLs on their own installation and data directories
Vulnerability remediation scripts that reset over-permissive ACLs on shared directories

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval ProcessName=lower(mvindex(split(Image, "\\"), -1))
| where ProcessName IN ("icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe", "powershell.exe", "pwsh.exe")
| eval CmdLower=lower(CommandLine)
| eval GrantEveryoneFull=if(match(CmdLower, "everyone:f") OR match(CmdLower, "everyone:full"), 1, 0)
| eval RecursivePermChange=if(match(CmdLower, "icacls") AND match(CmdLower, "\\/(t|T)") AND match(CmdLower, "\\/(g|G)rant"), 1, 0)
| eval AclInheritanceRemoval=if(match(CmdLower, "\/inheritance:[rd]"), 1, 0)
| eval AclReset=if(match(CmdLower, "icacls") AND match(CmdLower, "\/reset"), 1, 0)
| eval TakeownSystem=if(match(CmdLower, "takeown") AND match(CmdLower, "\/f") AND (match(CmdLower, "c:\\\\windows") OR match(CmdLower, "c:\\\\program") OR match(CmdLower, "system32") OR match(CmdLower, "backup") OR match(CmdLower, "recovery")), 1, 0)
| eval TakeownRecursive=if(match(CmdLower, "takeown") AND match(CmdLower, "\/r"), 1, 0)
| eval CaclsModify=if(match(CmdLower, "cacls") AND (match(CmdLower, "\/e \/g") OR match(CmdLower, "everyone") OR match(CmdLower, "\/p ")), 1, 0)
| eval AttribHide=if(match(CmdLower, "attrib") AND match(CmdLower, "\+h") AND (match(CmdLower, "windows") OR match(CmdLower, "system32") OR match(CmdLower, "program")), 1, 0)
| eval PsAclModify=if((ProcessName="powershell.exe" OR ProcessName="pwsh.exe") AND match(CmdLower, "set-acl|addaccessrule|setaccessrule") AND (match(CmdLower, "everyone") OR match(CmdLower, "fullcontrol")), 1, 0)
| eval RiskScore=GrantEveryoneFull*5 + RecursivePermChange*3 + AclInheritanceRemoval*2 + AclReset*2 + TakeownSystem*3 + TakeownRecursive*2 + CaclsModify*2 + AttribHide*2 + PsAclModify*3
| where RiskScore > 0
| eval IsRansomwarePattern=if(GrantEveryoneFull=1 AND (RecursivePermChange=1 OR TakeownRecursive=1), "true", "false")
| eval IsBackupTargeted=if(match(CmdLower, "backup|recovery|vssadmin|shadow|wbadmin"), "true", "false")
| eval AlertReason=case(
    GrantEveryoneFull=1, "ACL grant Everyone full control (ransomware pattern)",
    TakeownSystem=1, "takeown on system/protected path",
    AclInheritanceRemoval=1, "ACL inheritance removed",
    AclReset=1, "icacls /reset on sensitive path",
    PsAclModify=1, "PowerShell Set-Acl granting excessive rights",
    CaclsModify=1, "cacls ACL modification",
    AttribHide=1, "attrib hiding file in system path",
    1=1, "Permission modification tool detected"
  )
| table _time, host, user, Image, CommandLine, ParentImage, AlertReason, RiskScore, IsRansomwarePattern, IsBackupTargeted, GrantEveryoneFull, RecursivePermChange, TakeownSystem, AclInheritanceRemoval, PsAclModify
| sort - RiskScore, - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Software installation packages that use icacls to set permissions on their own application directories during setup
System administrators using takeown and icacls to recover access to accidentally locked files or directories
IT automation tools (SCCM, Ansible, Puppet) enforcing standardized permission baselines
Backup software agents modifying ACLs on their own installation and data directories
Vulnerability remediation scripts resetting over-permissive ACLs on shared directories

Elastic Security (EQL)

eql

process where event.type == "start" and
process.name in~ ("icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe", "powershell.exe", "pwsh.exe") and
(
  (
    process.name like~ "icacls.exe" and
    (
      process.command_line like~ "*everyone:f*" or
      process.command_line like~ "*everyone:full*" or
      process.command_line like~ "*/grant everyone*" or
      process.command_line like~ "*/inheritance:r*" or
      process.command_line like~ "*/inheritance:d*" or
      (
        process.command_line like~ "*/reset*" and
        (
          process.command_line like~ "*c:\\\\windows*" or
          process.command_line like~ "*c:\\\\system32*" or
          process.command_line like~ "*c:\\\\program files*" or
          process.command_line like~ "*\\\\backup*" or
          process.command_line like~ "*\\\\recovery*"
        )
      ) or
      (
        process.command_line like~ "*/grant*" and
        process.command_line like~ "* /t *" and
        process.command_line like~ "* /c *"
      )
    )
  ) or
  (
    process.name like~ "takeown.exe" and
    process.command_line like~ "* /f *" and
    (
      process.command_line like~ "*c:\\\\windows*" or
      process.command_line like~ "*c:\\\\system32*" or
      process.command_line like~ "*c:\\\\program*" or
      process.command_line like~ "*\\\\backup*" or
      process.command_line like~ "*\\\\recovery*" or
      process.command_line like~ "* /r*" or
      process.command_line like~ "* /a*"
    )
  ) or
  (
    process.name like~ "cacls.exe" and
    (
      process.command_line like~ "*everyone:f*" or
      process.command_line like~ "*/e /g*" or
      process.command_line like~ "*/g everyone*" or
      process.command_line like~ "*/p *"
    )
  ) or
  (
    process.name like~ "attrib.exe" and
    process.command_line like~ "*+h*" and
    (
      process.command_line like~ "*c:\\\\windows*" or
      process.command_line like~ "*c:\\\\system32*" or
      process.command_line like~ "*c:\\\\program files*" or
      process.command_line like~ "*c:\\\\programdata*"
    )
  ) or
  (
    process.name in~ ("powershell.exe", "pwsh.exe") and
    (
      process.command_line like~ "*set-acl*" or
      process.command_line like~ "*setaccessrule*" or
      process.command_line like~ "*addaccessrule*"
    ) and
    (
      process.command_line like~ "*everyone*" or
      process.command_line like~ "*fullcontrol*"
    )
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security (logs-endpoint.events.process-*) Winlogbeat with Sysmon Event ID 1 Winlogbeat with Windows Security Event ID 4688

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-windows.sysmon_operational-*

False Positives

IT administrators running icacls in automated provisioning scripts to standardize permissions on shared drives or application directories during OS imaging
Software deployment tools such as SCCM, Intune, or Ansible running as SYSTEM that invoke icacls or takeown during package installation or configuration management tasks
Backup agents (Veeam, Backup Exec, Windows Server Backup) legitimately taking file ownership of VSS shadow copies or backup staging directories during scheduled backup operations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  username AS UserName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  "Parent Process Name" AS ParentProcessName,
  QIDNAME(qid) AS EventName,
  sourceip AS HostIP,
  CASE
    WHEN LOWER("Command Line") ILIKE '%everyone:f%' OR LOWER("Command Line") ILIKE '%everyone:full%'
      THEN 'ACL grant Everyone full control (ransomware pattern)'
    WHEN LOWER("Command Line") ILIKE '%/inheritance:r%' OR LOWER("Command Line") ILIKE '%/inheritance:d%'
      THEN 'ACL inheritance removed'
    WHEN LOWER("Command Line") ILIKE '%/reset%'
      THEN 'icacls ACL reset on sensitive path'
    WHEN LOWER("Command Line") ILIKE '%takeown%' AND LOWER("Command Line") ILIKE '%/f%'
      THEN 'takeown on system or protected path'
    WHEN (LOWER("Command Line") ILIKE '%set-acl%' OR LOWER("Command Line") ILIKE '%addaccessrule%' OR LOWER("Command Line") ILIKE '%setaccessrule%')
      THEN 'PowerShell Set-Acl granting excessive permissions'
    WHEN LOWER("Command Line") ILIKE '%attrib%' AND LOWER("Command Line") ILIKE '%+h%'
      THEN 'attrib hiding file in system path'
    ELSE 'Permission modification tool detected'
  END AS AlertReason,
  CASE
    WHEN (LOWER("Command Line") ILIKE '%everyone:f%') AND (LOWER("Command Line") ILIKE '% /t %' OR LOWER("Command Line") ILIKE '% /r%')
      THEN 'true'
    ELSE 'false'
  END AS IsRansomwarePattern,
  CASE
    WHEN LOWER("Command Line") ILIKE '%backup%' OR LOWER("Command Line") ILIKE '%recovery%'
         OR LOWER("Command Line") ILIKE '%shadow%' OR LOWER("Command Line") ILIKE '%vss%'
         OR LOWER("Command Line") ILIKE '%wbadmin%'
      THEN 'true'
    ELSE 'false'
  END AS IsBackupTargeted
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND (
    QIDNAME(qid) ILIKE '%process create%'
    OR QIDNAME(qid) ILIKE '%new process has been created%'
    OR QIDNAME(qid) ILIKE '%ProcessCreate%'
  )
  AND (
    (
      LOWER("Process Name") ILIKE '%icacls.exe'
      AND (
        LOWER("Command Line") ILIKE '%everyone:f%'
        OR LOWER("Command Line") ILIKE '%everyone:full%'
        OR LOWER("Command Line") ILIKE '%/grant everyone%'
        OR LOWER("Command Line") ILIKE '%/inheritance:r%'
        OR LOWER("Command Line") ILIKE '%/inheritance:d%'
        OR (
          LOWER("Command Line") ILIKE '%/reset%'
          AND (
            LOWER("Command Line") ILIKE '%c:\windows%'
            OR LOWER("Command Line") ILIKE '%c:\program%'
            OR LOWER("Command Line") ILIKE '%system32%'
            OR LOWER("Command Line") ILIKE '%\backup%'
            OR LOWER("Command Line") ILIKE '%\recovery%'
          )
        )
      )
    )
    OR (
      LOWER("Process Name") ILIKE '%takeown.exe'
      AND LOWER("Command Line") ILIKE '% /f%'
      AND (
        LOWER("Command Line") ILIKE '%c:\windows%'
        OR LOWER("Command Line") ILIKE '%c:\program%'
        OR LOWER("Command Line") ILIKE '%system32%'
        OR LOWER("Command Line") ILIKE '%\backup%'
        OR LOWER("Command Line") ILIKE '%\recovery%'
        OR LOWER("Command Line") ILIKE '% /r%'
        OR LOWER("Command Line") ILIKE '% /a%'
      )
    )
    OR (
      LOWER("Process Name") ILIKE '%cacls.exe'
      AND (
        LOWER("Command Line") ILIKE '%everyone%'
        OR LOWER("Command Line") ILIKE '%/e /g%'
        OR LOWER("Command Line") ILIKE '%/p %'
      )
    )
    OR (
      LOWER("Process Name") ILIKE '%attrib.exe'
      AND LOWER("Command Line") ILIKE '%+h%'
      AND (
        LOWER("Command Line") ILIKE '%windows%'
        OR LOWER("Command Line") ILIKE '%system32%'
        OR LOWER("Command Line") ILIKE '%program%'
      )
    )
    OR (
      (
        LOWER("Process Name") ILIKE '%powershell.exe'
        OR LOWER("Process Name") ILIKE '%pwsh.exe'
      )
      AND (
        LOWER("Command Line") ILIKE '%set-acl%'
        OR LOWER("Command Line") ILIKE '%addaccessrule%'
        OR LOWER("Command Line") ILIKE '%setaccessrule%'
      )
      AND (
        LOWER("Command Line") ILIKE '%everyone%'
        OR LOWER("Command Line") ILIKE '%fullcontrol%'
      )
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar DSM: Microsoft Windows Security Event Log (Event ID 4688) QRadar DSM: Microsoft Sysmon (Event ID 1 ProcessCreate) QRadar Log Source Type: Microsoft Windows

Required Tables

events

False Positives

Automated patch management or software deployment systems (SCCM, PDQ Deploy, Ansible) resetting ACLs on application directories during software installation routines
Active Directory Group Policy scripts invoking icacls to enforce standardized folder permissions as part of logon or startup policy application
Backup agents (Veeam, Commvault, Windows Server Backup) legitimately using takeown to access shadow copies or locked files during backup windows

Sumo Logic CSE

sql

(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="*WinEventLog*")
| where EventID in ("4688", "1")
// Extract fields from Security Event 4688
| parse field=Message "New Process Name:\t*\r" as SecurityProcessName nodrop
| parse field=Message "Process Command Line:\t*\r" as SecurityCommandLine nodrop
// Extract fields from Sysmon Event 1
| parse field=Message "Image: *\r" as SysmonImage nodrop
| parse field=Message "CommandLine: *\r" as SysmonCommandLine nodrop
| parse field=Message "ParentImage: *\r" as ParentImage nodrop
// Normalise across both sources
| eval ProcessName = if(!isBlank(SecurityProcessName), SecurityProcessName, SysmonImage)
| eval CommandLine = if(!isBlank(SecurityCommandLine), SecurityCommandLine, SysmonCommandLine)
| where !isBlank(ProcessName) and !isBlank(CommandLine)
| eval CmdLower = toLowerCase(CommandLine)
| eval ProcLower = toLowerCase(ProcessName)
| eval ProcessExe = replace(ProcLower, /^.*[\\]/, "")
| where ProcessExe in ("icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe", "powershell.exe", "pwsh.exe")
// Indicator flags
| eval GrantEveryoneFull = if(matches(CmdLower, ".*everyone:(f|full).*"), 1, 0)
| eval RecursivePermChange = if(matches(CmdLower, ".*icacls.*") and matches(CmdLower, ".*/[t].*") and matches(CmdLower, ".*/grant.*"), 1, 0)
| eval AclInheritanceRemoval = if(matches(CmdLower, ".*/inheritance:[rd].*"), 1, 0)
| eval AclReset = if(matches(CmdLower, ".*icacls.*") and matches(CmdLower, ".*/reset.*"), 1, 0)
| eval TakeownSystem = if(matches(CmdLower, ".*takeown.*") and matches(CmdLower, ".*/f.*") and (matches(CmdLower, ".*c:\\\\windows.*") or matches(CmdLower, ".*system32.*") or matches(CmdLower, ".*c:\\\\program.*") or matches(CmdLower, ".*backup.*") or matches(CmdLower, ".*recovery.*")), 1, 0)
| eval TakeownRecursive = if(matches(CmdLower, ".*takeown.*") and matches(CmdLower, ".*/r.*"), 1, 0)
| eval CaclsModify = if(ProcessExe == "cacls.exe" and (matches(CmdLower, ".*everyone.*") or matches(CmdLower, ".*/e /g.*") or matches(CmdLower, ".*/p .*")), 1, 0)
| eval AttribHide = if(ProcessExe == "attrib.exe" and matches(CmdLower, ".*\\+h.*") and (matches(CmdLower, ".*windows.*") or matches(CmdLower, ".*system32.*") or matches(CmdLower, ".*program.*")), 1, 0)
| eval PsAclModify = if((ProcessExe == "powershell.exe" or ProcessExe == "pwsh.exe") and (matches(CmdLower, ".*set-acl.*") or matches(CmdLower, ".*addaccessrule.*") or matches(CmdLower, ".*setaccessrule.*")) and (matches(CmdLower, ".*everyone.*") or matches(CmdLower, ".*fullcontrol.*")), 1, 0)
// Risk scoring
| eval RiskScore = GrantEveryoneFull * 5 + RecursivePermChange * 3 + AclInheritanceRemoval * 2 + AclReset * 2 + TakeownSystem * 3 + TakeownRecursive * 2 + CaclsModify * 2 + AttribHide * 2 + PsAclModify * 3
| where RiskScore > 0
| eval IsRansomwarePattern = if(GrantEveryoneFull == 1 and (RecursivePermChange == 1 or TakeownRecursive == 1), "true", "false")
| eval IsBackupTargeted = if(matches(CmdLower, ".*(backup|recovery|shadow|vssadmin|wbadmin).*"), "true", "false")
| eval AlertReason = if(GrantEveryoneFull == 1, "ACL grant Everyone full control (ransomware pattern)",
    if(TakeownSystem == 1, "takeown on system/protected path",
    if(AclInheritanceRemoval == 1, "ACL inheritance removed",
    if(AclReset == 1, "icacls /reset on sensitive path",
    if(PsAclModify == 1, "PowerShell Set-Acl granting excessive rights",
    if(CaclsModify == 1, "cacls ACL modification",
    if(AttribHide == 1, "attrib hiding file in system path",
    "Permission modification tool detected")))))))
| fields _messageTime, Computer, user, ProcessName, CommandLine, ParentImage, AlertReason, RiskScore, IsRansomwarePattern, IsBackupTargeted
| sort by RiskScore desc, _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Windows Agent collecting WinEventLog:Security (Event ID 4688) Sumo Logic Windows Agent collecting Sysmon Operational log (Event ID 1) Sumo Logic Cloud SIEM normalized Windows process events

Required Tables

WinEventLog:Security Microsoft-Windows-Sysmon/Operational

False Positives

IT provisioning and imaging workflows that run icacls as part of workstation setup to apply standardized ACL templates to common directories
Antivirus or EDR products using icacls during installation to lock down their own program directories against user modification
DFS Replication service or backup agents using takeown to resolve permission conflicts on replicated or archived shares

Google Chronicle / SecOps

yaral

rule t1222_001_windows_permission_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects T1222.001 Windows File and Directory Permissions Modification via icacls, cacls, takeown, attrib, and PowerShell Set-Acl. Covers ransomware-pattern Everyone full-control grants, ACL inheritance removal, system path ownership takeover, and backup infrastructure targeting."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1222.001"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1222/001/"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "IT provisioning scripts, software deployment tools, backup agents"
    version = "1"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""
    (
      // icacls: Everyone full control, inheritance removal, bulk recursive grant, or reset on sensitive paths
      (
        re.regex($e.target.process.file.full_path, `(?i)\\icacls\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)everyone:(f|full)`) or
          re.regex($e.target.process.command_line, `(?i)/grant\s+everyone`) or
          re.regex($e.target.process.command_line, `(?i)/inheritance:[rd]`) or
          (
            re.regex($e.target.process.command_line, `(?i)/reset`) and
            re.regex($e.target.process.command_line, `(?i)(c:\\windows|c:\\system32|c:\\program files|c:\\programdata|\\backup\\|\\recovery\\)`)
          ) or
          (
            re.regex($e.target.process.command_line, `(?i)/grant`) and
            re.regex($e.target.process.command_line, `(?i)\s/[tT]\s`) and
            re.regex($e.target.process.command_line, `(?i)\s/[cC]\s`)
          )
        )
      ) or
      // takeown: system path ownership or recursive takeover
      (
        re.regex($e.target.process.file.full_path, `(?i)\\takeown\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\s/[fF]\s`) and
        (
          re.regex($e.target.process.command_line, `(?i)(c:\\windows|c:\\system32|c:\\program|c:\\programdata|\\backup|\\recovery)`) or
          re.regex($e.target.process.command_line, `(?i)\s/[rR]\b`) or
          re.regex($e.target.process.command_line, `(?i)\s/[aA]\b`)
        )
      ) or
      // cacls: ACL modification
      (
        re.regex($e.target.process.file.full_path, `(?i)\\cacls\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)everyone`) or
          re.regex($e.target.process.command_line, `(?i)/[eE]\s+/[gG]`) or
          re.regex($e.target.process.command_line, `(?i)/[pP]\s`)
        )
      ) or
      // attrib: hiding files in sensitive system paths
      (
        re.regex($e.target.process.file.full_path, `(?i)\\attrib\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\+[hH]`) and
        re.regex($e.target.process.command_line, `(?i)(c:\\windows|c:\\system32|c:\\program files|c:\\programdata)`)
      ) or
      // PowerShell: Set-Acl granting Everyone full control
      (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(set-acl|setaccessrule|addaccessrule)`) and
        re.regex($e.target.process.command_line, `(?i)(everyone|fullcontrol)`)
      )
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)everyone:(f|full)`), 5, 0) +
      if(re.regex($e.target.process.command_line, `(?i)/inheritance:[rd]`), 2, 0) +
      if(re.regex($e.target.process.command_line, `(?i)/reset`), 2, 0) +
      if(re.regex($e.target.process.file.full_path, `(?i)\\takeown\.exe$`) and re.regex($e.target.process.command_line, `(?i)(c:\\windows|c:\\system32|c:\\program|\\backup|\\recovery)`), 3, 0) +
      if(re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and re.regex($e.target.process.command_line, `(?i)(set-acl|addaccessrule)`), 3, 0)
    )
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_path = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.src.process.file.full_path
    $is_ransomware_pattern = if(
      re.regex($e.target.process.command_line, `(?i)everyone:(f|full)`) and
      re.regex($e.target.process.command_line, `(?i)(\s/[tT]\s|\s/[rR]\b)`),
      "true", "false"
    )
    $is_backup_targeted = if(
      re.regex($e.target.process.command_line, `(?i)(backup|recovery|shadow|vssadmin|wbadmin)`),
      "true", "false"
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM PROCESS_LAUNCH events Windows Endpoint telemetry via Chronicle Forwarder (Sysmon or EDR) Microsoft Defender for Endpoint via Chronicle integration

Required Tables

PROCESS_LAUNCH UDM events

False Positives

System administrators running icacls in scheduled tasks or logon scripts to enforce standardized permissions on shared application directories across the fleet
Endpoint security products or DLP agents invoking PowerShell Set-Acl during installation to restrict access to their quarantine or config directories
Windows Server role installation (IIS, SQL Server, AD DS) that temporarily invokes takeown or icacls to reconfigure permissions on service directories

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /^(icacls|cacls|takeown|attrib|powershell|pwsh)\.exe$/i
| CommandLine != null
// Normalise command line for case-insensitive matching
| CmdLower := lower(CommandLine)
// Indicator flags with weights matching risk model
| GrantEveryoneFull := if(CmdLower =~ /everyone:(f|full)/, then=5, else=0)
| RecursivePermChange := if(CmdLower =~ /icacls/ and CmdLower =~ /\/[tT]/ and CmdLower =~ /\/grant/, then=3, else=0)
| AclInheritanceRemoval := if(CmdLower =~ /\/inheritance:[rd]/, then=2, else=0)
| AclReset := if(CmdLower =~ /icacls/ and CmdLower =~ /\/reset/, then=2, else=0)
| TakeownSystem := if(CmdLower =~ /takeown/ and CmdLower =~ /\/f/ and CmdLower =~ /(c:\\windows|c:\\program|system32|\\backup|\\recovery)/, then=3, else=0)
| TakeownRecursive := if(CmdLower =~ /takeown/ and CmdLower =~ /\/r/, then=2, else=0)
| CaclsModify := if(CmdLower =~ /cacls/ and (CmdLower =~ /everyone/ or CmdLower =~ /\/e \/g/ or CmdLower =~ /\/p /), then=2, else=0)
| AttribHide := if(CmdLower =~ /attrib/ and CmdLower =~ /\+h/ and CmdLower =~ /(windows|system32|program files|programdata)/, then=2, else=0)
| PsAclModify := if(CmdLower =~ /(powershell|pwsh)/ and CmdLower =~ /(set-acl|addaccessrule|setaccessrule)/ and CmdLower =~ /(everyone|fullcontrol)/, then=3, else=0)
// Compute total risk score
| RiskScore := GrantEveryoneFull + RecursivePermChange + AclInheritanceRemoval + AclReset + TakeownSystem + TakeownRecursive + CaclsModify + AttribHide + PsAclModify
| where RiskScore > 0
// Enrichment fields
| IsRansomwarePattern := if(GrantEveryoneFull > 0 and (RecursivePermChange > 0 or TakeownRecursive > 0), then="true", else="false")
| IsBackupTargeted := if(CmdLower =~ /(backup|recovery|shadow|vssadmin|wbadmin)/, then="true", else="false")
| IsSystemPathTargeted := if(CmdLower =~ /(c:\\windows|c:\\system32|c:\\program files|c:\\programdata|%systemroot%|%programfiles%)/, then="true", else="false")
// Alert reason — first matching rule wins
| case {
    GrantEveryoneFull > 0 =>
      AlertReason := "ACL grant Everyone full control (ransomware pattern)" ;
    TakeownSystem > 0 =>
      AlertReason := "takeown on system or protected path" ;
    AclInheritanceRemoval > 0 =>
      AlertReason := "ACL inheritance removed" ;
    AclReset > 0 =>
      AlertReason := "icacls /reset on sensitive path" ;
    PsAclModify > 0 =>
      AlertReason := "PowerShell Set-Acl granting excessive rights" ;
    CaclsModify > 0 =>
      AlertReason := "cacls ACL modification" ;
    AttribHide > 0 =>
      AlertReason := "attrib hiding file in system path" ;
    * =>
      AlertReason := "Permission modification tool detected"
  }
| table(
    [timestamp, ComputerName, UserName, FileName, CommandLine,
     ParentBaseFileName, AlertReason, RiskScore,
     IsRansomwarePattern, IsBackupTargeted, IsSystemPathTargeted]
  )
| sort(field=RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor (ProcessRollup2 events) Falcon Data Replicator (FDR) process telemetry CrowdStrike Falcon LogScale / Next-Gen SIEM

Required Tables

ProcessRollup2

False Positives

Falcon RTR (Real Time Response) sessions where security operators run icacls or takeown during active incident response or remediation tasks
Enterprise software deployment platforms (BigFix, Ansible, SCCM) running as SYSTEM that invoke icacls to configure permissions on application directories during installation or update cycles
Windows Server role setup wizards (IIS, MSSQL, AD CS) that call icacls or takeown as part of feature installation to reconfigure service directory permissions

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1222.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Windows File and Directory Permissions Modification

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections