T1222.001 Google Chronicle · YARA-L

Detect Windows File and Directory Permissions Modification in Google Chronicle

Adversaries modify file or directory permissions on Windows using built-in utilities (icacls, cacls, takeown, attrib) or the PowerShell ACL cmdlets (Get-Acl/Set-Acl with a FileSystemAccessRule) to weaken or bypass the DACLs that protect files. The technique is used by ransomware families (Ryuk, WannaCry, BitPaymer, BlackByte) to take ownership of files before encryption, by persistence mechanisms preparing hijack targets, and by threat actors (Wizard Spider, Storm-1811) to remove access restrictions on backup and recovery infrastructure. Key patterns are granting Everyone full control (icacls /grant Everyone:F, usually with /T /C /Q for a silent recursive sweep), taking ownership (takeown /F), disabling or resetting ACL inheritance (icacls /inheritance:r, icacls /reset), and hiding files with attrib +h. Note that attrib +h changes a file attribute rather than its ACL; it is covered here because it appears alongside the same tooling in the same intrusions.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1222 File and Directory Permissions Modification
Sub-technique: T1222.001 Windows File and Directory Permissions Modification
Canonical reference: https://attack.mitre.org/techniques/T1222/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1222_001_windows_permission_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects T1222.001 Windows File and Directory Permissions Modification via icacls, cacls, takeown, attrib, and PowerShell Set-Acl. Covers ransomware-pattern Everyone full-control grants, ACL inheritance removal, system path ownership takeover, and backup infrastructure targeting."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1222.001"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1222/001/"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "IT provisioning scripts, software deployment tools, backup agents"
    version = "1"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path != ""
    // Placeholder for the match section; grouping is per host.
    $hostname = $e.principal.hostname
    (
      // icacls: Everyone full control, inheritance removal, recursive bulk grant, or reset on sensitive paths.
      // Switches are matched with a trailing \b so that a switch at the very end of the command line still hits.
      (
        re.regex($e.target.process.file.full_path, `(?i)\\icacls\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)everyone:(f|full)`) or
          re.regex($e.target.process.command_line, `(?i)/grant\s+everyone`) or
          re.regex($e.target.process.command_line, `(?i)/inheritance:[rd]`) or
          (
            re.regex($e.target.process.command_line, `(?i)/reset`) and
            // System32 lives under C:\Windows, so it is matched as a path component, not as a drive root.
            re.regex($e.target.process.command_line, `(?i)(c:\\windows|\\system32\\|c:\\program files|c:\\programdata|\\backup\\|\\recovery\\)`)
          ) or
          (
            re.regex($e.target.process.command_line, `(?i)/grant`) and
            re.regex($e.target.process.command_line, `(?i)\s/t\b`) and
            re.regex($e.target.process.command_line, `(?i)\s/c\b`)
          )
        )
      ) or
      // takeown: ownership of a system or backup path, or recursive (/R) / admin-group (/A) takeover
      (
        re.regex($e.target.process.file.full_path, `(?i)\\takeown\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\s/f\s`) and
        (
          re.regex($e.target.process.command_line, `(?i)(c:\\windows|\\system32\\|c:\\program|\\backup|\\recovery)`) or
          re.regex($e.target.process.command_line, `(?i)\s/r\b`) or
          re.regex($e.target.process.command_line, `(?i)\s/a\b`)
        )
      ) or
      // cacls: Everyone in the grant, /E /G edit-grant, or /P replace
      (
        re.regex($e.target.process.file.full_path, `(?i)\\cacls\.exe$`) and
        (
          re.regex($e.target.process.command_line, `(?i)everyone`) or
          re.regex($e.target.process.command_line, `(?i)/e\s+/g`) or
          re.regex($e.target.process.command_line, `(?i)/p\s`)
        )
      ) or
      // attrib: hiding files in sensitive system paths
      (
        re.regex($e.target.process.file.full_path, `(?i)\\attrib\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)\+h`) and
        re.regex($e.target.process.command_line, `(?i)(c:\\windows|\\system32\\|c:\\program files|c:\\programdata)`)
      ) or
      // PowerShell: Set-Acl / AddAccessRule granting Everyone or FullControl
      (
        re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)(set-acl|setaccessrule|addaccessrule)`) and
        re.regex($e.target.process.command_line, `(?i)(everyone|fullcontrol)`)
      )
    )

  match:
    $hostname over 5m

  outcome:
    // Highest score among the matching commands seen on the host inside the window.
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)everyone:(f|full)`), 5, 0) +
      if(re.regex($e.target.process.command_line, `(?i)/inheritance:[rd]`), 2, 0) +
      if(re.regex($e.target.process.command_line, `(?i)/reset`), 2, 0) +
      if(re.regex($e.target.process.file.full_path, `(?i)\\takeown\.exe$`) and re.regex($e.target.process.command_line, `(?i)(c:\\windows|\\system32\\|c:\\program|\\backup|\\recovery)`), 3, 0) +
      if(re.regex($e.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`) and re.regex($e.target.process.command_line, `(?i)(set-acl|addaccessrule)`), 3, 0)
    )
    // This is a multi-event rule (match section present), so every event field
    // in the outcome must be aggregated; array_distinct keeps each distinct value.
    $username = array_distinct($e.principal.user.userid)
    $process_path = array_distinct($e.target.process.file.full_path)
    $command_line = array_distinct($e.target.process.command_line)
    // In UDM PROCESS_LAUNCH events the parent is principal.process and the launched child is target.process.
    $parent_process = array_distinct($e.principal.process.file.full_path)
    // 1 when any command in the window granted Everyone full control recursively (Ryuk/WannaCry shape).
    $is_ransomware_pattern = max(if(
      re.regex($e.target.process.command_line, `(?i)everyone:(f|full)`) and
      re.regex($e.target.process.command_line, `(?i)(\s/t\b|\s/r\b)`),
      1, 0
    ))
    // 1 when any command in the window referenced backup or recovery artefacts.
    $is_backup_targeted = max(if(
      re.regex($e.target.process.command_line, `(?i)(backup|recovery|shadow|vssadmin|wbadmin)`),
      1, 0
    ))

  condition:
    $e
}

Chronicle YARA-L 2.0 detection rule for T1222.001 Windows File and Directory Permissions Modification. It monitors UDM PROCESS_LAUNCH events for icacls, cacls, takeown, attrib, and PowerShell Set-Acl invocations with suspicious arguments, grouped per host over a 5-minute window. The outcome section computes a risk score weighted by argument pattern (an Everyone full-control grant scores highest, takeown on a system or backup path and PowerShell Set-Acl next, inheritance removal and /reset lowest) and flags the recursive Everyone:F ransomware shape and references to backup or recovery artefacts. It detects ransomware pre-encryption ACL manipulation, backup infrastructure targeting (Ryuk/WannaCry/BitPaymer patterns), and adversary attempts to remove access restrictions on recovery infrastructure.
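To exercise the rule's branches and scoring without a Chronicle tenant, the following Python mirrors the per-binary predicates and the outcome arithmetic of the YARA-L rule above over constructed PROCESS_LAUNCH events shaped like UDM (parent process in principal.process, launched process in target.process). This is an added example, not code from the page or from Google; the hostnames, user, paths and command lines in SAMPLE_EVENTS are constructed, the first five follow the Atomic test patterns listed further down, and the last two are deliberately benign to show where the rule draws its line.

```python
"""Local mirror of the YARA-L rule: same predicates and scoring, run over constructed
PROCESS_LAUNCH events. Added example, not Chronicle or page code; every event below is
constructed and the hosts, user and paths in it are made up."""
import re

# Path alternations used by the rule. System32 sits under C:\Windows, so it is
# matched as a path component rather than as a drive-root path.
RESET_PATHS = r"(c:\\windows|\\system32\\|c:\\program files|c:\\programdata|\\backup\\|\\recovery\\)"
TAKEOWN_PATHS = r"(c:\\windows|\\system32\\|c:\\program|\\backup|\\recovery)"
ATTRIB_PATHS = r"(c:\\windows|\\system32\\|c:\\program files|c:\\programdata)"


def _m(pattern, text):
    """Case-insensitive search, standing in for re.regex(field, `(?i)...`)."""
    return re.search(pattern, text, re.IGNORECASE) is not None


def icacls_suspicious(cmd):
    # Switches end with \b so "/T" or "/C" at the very end of the line still hits.
    return (_m(r"everyone:(f|full)", cmd)
            or _m(r"/grant\s+everyone", cmd)
            or _m(r"/inheritance:[rd]", cmd)
            or (_m(r"/reset", cmd) and _m(RESET_PATHS, cmd))
            or (_m(r"/grant", cmd) and _m(r"\s/t\b", cmd) and _m(r"\s/c\b", cmd)))


def takeown_suspicious(cmd):
    return _m(r"\s/f\s", cmd) and (_m(TAKEOWN_PATHS, cmd)
                                   or _m(r"\s/r\b", cmd) or _m(r"\s/a\b", cmd))


def cacls_suspicious(cmd):
    return _m(r"everyone", cmd) or _m(r"/e\s+/g", cmd) or _m(r"/p\s", cmd)


def attrib_suspicious(cmd):
    return _m(r"\+h", cmd) and _m(ATTRIB_PATHS, cmd)


def powershell_suspicious(cmd):
    return (_m(r"(set-acl|setaccessrule|addaccessrule)", cmd)
            and _m(r"(everyone|fullcontrol)", cmd))


BRANCHES = {"icacls.exe": icacls_suspicious, "takeown.exe": takeown_suspicious,
            "cacls.exe": cacls_suspicious, "attrib.exe": attrib_suspicious,
            "powershell.exe": powershell_suspicious, "pwsh.exe": powershell_suspicious}


def evaluate(event):
    """Return None when the events section would not match, else the outcome fields."""
    if event["metadata"]["event_type"] != "PROCESS_LAUNCH":
        return None
    path = event["target"]["process"]["file"]["full_path"]
    cmd = event["target"]["process"]["command_line"]
    image = path.rsplit("\\", 1)[-1].lower()
    branch = BRANCHES.get(image)
    if not path or branch is None or not branch(cmd):
        return None
    is_ps = image in ("powershell.exe", "pwsh.exe")
    score = ((5 if _m(r"everyone:(f|full)", cmd) else 0)
             + (2 if _m(r"/inheritance:[rd]", cmd) else 0)
             + (2 if _m(r"/reset", cmd) else 0)
             + (3 if image == "takeown.exe" and _m(TAKEOWN_PATHS, cmd) else 0)
             + (3 if is_ps and _m(r"(set-acl|addaccessrule)", cmd) else 0))
    return {"hostname": event["principal"]["hostname"],
            "username": event["principal"]["user"]["userid"],
            "parent_process": event["principal"]["process"]["file"]["full_path"],
            "process_path": path, "command_line": cmd, "risk_score": score,
            "is_ransomware_pattern": _m(r"everyone:(f|full)", cmd) and _m(r"(\s/t\b|\s/r\b)", cmd),
            "is_backup_targeted": _m(r"(backup|recovery|shadow|vssadmin|wbadmin)", cmd)}


def max_risk_by_host(events):
    """Emulate `match: $hostname over 5m` with `max(...)`: the highest score per host."""
    best = {}
    for ev in events:
        out = evaluate(ev)
        if out is not None:
            best[out["hostname"]] = max(best.get(out["hostname"], 0), out["risk_score"])
    return best


def make_event(host, image, cmd, parent=r"C:\Windows\System32\cmd.exe"):
    """Constructed UDM-shaped event: parent in principal.process, child in target.process."""
    return {"metadata": {"event_type": "PROCESS_LAUNCH"},
            "principal": {"hostname": host, "user": {"userid": "jsmith"},
                          "process": {"file": {"full_path": parent}}},
            "target": {"process": {"file": {"full_path": image}, "command_line": cmd}}}


SYS = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed; the first five follow the Atomic test patterns
    make_event("ws01", SYS + r"\icacls.exe", r'icacls "C:\*" /grant Everyone:F /T /C /Q'),
    make_event("ws01", SYS + r"\icacls.exe", r'icacls "C:\Windows\System32\svchost.exe" /reset'),
    make_event("ws01", SYS + r"\takeown.exe", r'takeown /F "C:\Windows\System32\svchost.exe"'),
    make_event("bkp01", SYS + r"\icacls.exe", r'icacls "D:\Backups" /inheritance:r /grant "CORP\svc-backup:(OI)(CI)F" /T /C'),
    make_event("bkp01", SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
               r'''powershell.exe -NoProfile -Command "$acl = Get-Acl 'C:\Data'; $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone','FullControl','Allow'))); Set-Acl 'C:\Data' $acl"'''),
    make_event("ws02", SYS + r"\attrib.exe", r"attrib +h C:\Windows\Temp\update.exe"),
    # Benign provisioning: no Everyone, no /inheritance, no /reset, and /T without /C.
    make_event("ws02", SYS + r"\icacls.exe", r'icacls C:\inetpub\wwwroot /grant "IIS_IUSRS:(OI)(CI)RX" /T'),
    # Single-file takeown outside system paths and not recursive: below the rule's bar.
    make_event("ws02", SYS + r"\takeown.exe", r"takeown /F C:\Users\alice\report.docx"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(evaluate(ev) or "no match", "<-", ev["target"]["process"]["command_line"][:60])
    print(max_risk_by_host(SAMPLE_EVENTS))
```

evaluate() returns None for the two benign events and a score of 0 for the attrib +h event, which is the rule's behaviour too: attrib is only a match, never a contributor to the score. Any regex you change in the YARA-L rule is worth re-running here first; trailing switches and the System32 path are exactly the edge cases that a mismatch between the two would reveal.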

Data Sources

  • Google Chronicle UDM PROCESS_LAUNCH events
  • Windows endpoint telemetry via Chronicle Forwarder (Sysmon or EDR)
  • Microsoft Defender for Endpoint via Chronicle integration

Required Tables

PROCESS_LAUNCH UDM events

False Positives & Tuning

  • System administrators running icacls in scheduled tasks or logon scripts to enforce standardized permissions on shared application directories across the fleet
  • Endpoint security products or DLP agents invoking PowerShell Set-Acl during installation to restrict access to their quarantine or config directories
  • Windows Server role installation (IIS, SQL Server, AD DS) that temporarily invokes takeown or icacls to reconfigure permissions on service directories
Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Run them on a disposable host against a scratch directory (for example under %TEMP%), then confirm that the PROCESS_LAUNCH events reach Chronicle with the full command line and that the rule fires for the host.

  1. Test 1: Ryuk/WannaCry Pattern — icacls Grant Everyone Full Control Recursively

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=icacls.exe and CommandLine containing '/grant Everyone:F /T /C /Q'. Security Event ID 4688 carries the same command line only if process creation auditing is enabled together with the "Include command line in process creation events" policy. If object access auditing is enabled on %TEMP%, Security Event ID 4670 (Permissions on an object were changed) records the OldSd and NewSd DACL values in SDDL form; the new descriptor gains an allow ACE for WD, the SDDL alias for Everyone.

  2. Test 2: BitPaymer Pattern — icacls Reset then takeown

    Expected signal: Sysmon Event ID 1: three sequential process creation events: icacls.exe with '/reset', takeown.exe with '/F', icacls.exe with '/grant'. When launched from one shell, all three share the same parent process (cmd.exe). Security Event ID 4670 for each ACL change if object auditing is enabled.

  3. Test 3: Wizard Spider Backup Server Pattern — icacls Full Control on Backup Path

    Expected signal: Sysmon Event ID 1: two process creation events: icacls.exe with '/grant' and the recursive '/T' flag, and icacls.exe with '/inheritance:r' (remove inherited ACEs). The CommandLine is visible for both events. Security Event ID 4670 if auditing is configured on the backup path.

  4. Test 4: PowerShell Set-Acl to Grant Everyone Full Control

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FullControl' and 'Everyone'. PowerShell Script Block Logging Event ID 4104: the full script content with the FileSystemAccessRule construction and the Set-Acl invocation. Security Event ID 4670 if directory auditing is configured.
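The 4670 events that Tests 1 to 3 expect carry the old and new security descriptors as SDDL strings, which is enough to confirm the change on the object side independently of the command line. The following Python, an added example rather than page, Microsoft or Atomic Red Team code, parses the owner and DACL out of OldSd/NewSd and reports the three changes the rule cares about: a new allow ACE granting Everyone (SDDL alias WD, SID S-1-1-0) full access, the protected flag (P) appearing on the DACL as /inheritance:r sets it, and a change of owner as takeown produces. The records in SAMPLE_4670 are constructed, with made-up object paths and SIDs; FA and GA tokens and a hex mask covering FILE_ALL_ACCESS (0x1F01FF) are treated as full control, and other renderings of the rights field are not decoded.

```python
"""Parse the OldSd/NewSd SDDL strings from Security Event ID 4670 and report the
permission changes this rule targets. Added example, not page or Microsoft code; the
records in SAMPLE_4670 are constructed to look like flattened 4670 event data."""
import re

FILE_ALL_ACCESS = 0x1F01FF          # what icacls renders as FA on files
FULL_TOKENS = {"FA", "GA"}          # FILE_ALL_ACCESS / GENERIC_ALL
EVERYONE_SIDS = {"WD", "S-1-1-0"}   # SDDL alias and raw SID for Everyone
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Return owner, DACL flags and DACL ACEs; the G: and S: components are not needed here."""
    owner = re.search(r"O:(.*?)(?=G:|D:|S:|$)", sddl)
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    body = dacl.group(1) if dacl else ""
    aces = []
    for ace in ACE_RE.findall(body):
        parts = ace.split(";")          # type;flags;rights;object_guid;inherit_guid;sid
        if len(parts) >= 6:
            aces.append({"type": parts[0], "flags": parts[1],
                         "rights": parts[2], "sid": parts[5]})
    return {"owner": owner.group(1) if owner else "",
            "dacl_flags": body.split("(", 1)[0],   # e.g. "AI", "PAI"
            "aces": aces}


def is_full_control(rights):
    """FA/GA tokens or a hex mask containing every FILE_ALL_ACCESS bit; other renderings are not decoded."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & FILE_ALL_ACCESS == FILE_ALL_ACCESS
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & FULL_TOKENS)


def analyze_4670(event):
    """Findings for one 4670 record, in a fixed order: ACE findings, then inheritance, then owner."""
    old, new = parse_sddl(event["OldSd"]), parse_sddl(event["NewSd"])
    findings = []
    old_keys = {(a["type"], a["rights"], a["sid"]) for a in old["aces"]}
    for ace in new["aces"]:
        if (ace["type"], ace["rights"], ace["sid"]) in old_keys or ace["type"] != "A":
            continue                    # unchanged, or not an allow ACE
        if ace["sid"] in EVERYONE_SIDS:
            findings.append("everyone_full_control_added" if is_full_control(ace["rights"])
                            else "everyone_access_added")
    # icacls /inheritance:r sets SE_DACL_PROTECTED, rendered as the P flag.
    if "P" in new["dacl_flags"] and "P" not in old["dacl_flags"]:
        findings.append("inheritance_disabled")
    if new["owner"] != old["owner"]:    # takeown /F rewrites the O: component
        findings.append("owner_changed")
    return findings


def scan(events):
    """Map each record's ObjectName to its findings."""
    return {e["ObjectName"]: analyze_4670(e) for e in events}


INHERITED = "(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
SAMPLE_4670 = [  # constructed records shaped after Tests 1 to 3, plus one benign change
    {"ObjectName": r"C:\Users\jsmith\AppData\Local\Temp\t1222", "ProcessName": r"C:\Windows\System32\icacls.exe",
     "OldSd": "O:BAG:SYD:AI" + INHERITED,
     "NewSd": "O:BAG:SYD:AI(A;OICI;FA;;;WD)" + INHERITED},
    {"ObjectName": r"D:\Backups", "ProcessName": r"C:\Windows\System32\icacls.exe",
     "OldSd": "O:BAG:SYD:AI" + INHERITED,
     "NewSd": "O:BAG:SYD:PAI(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;BU)"},
    {"ObjectName": r"C:\Windows\System32\svchost.exe", "ProcessName": r"C:\Windows\System32\takeown.exe",
     "OldSd": "O:SYG:SYD:AI" + INHERITED,
     "NewSd": "O:S-1-5-21-3623811015-3361044348-30300820-1013G:SYD:AI" + INHERITED},
    # Benign: read/execute for one domain group, inheritance and owner untouched.
    {"ObjectName": r"C:\inetpub\wwwroot", "ProcessName": r"C:\Windows\System32\icacls.exe",
     "OldSd": "O:BAG:SYD:AI" + INHERITED,
     "NewSd": "O:BAG:SYD:AI(A;OICI;0x1200a9;;;S-1-5-21-3623811015-3361044348-30300820-1105)" + INHERITED},
]

if __name__ == "__main__":
    for name, found in scan(SAMPLE_4670).items():
        print(name, "->", found or "nothing of interest")
```

Comparing ACEs by (type, rights, SID) rather than including the ACE flags is deliberate: after /inheritance:r icacls rewrites inherited entries (ID) as explicit ones, and treating that as "new" access would bury the single finding that matters, the P flag on the DACL.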
