T1222.001 Elastic Security · Elastic

Detect Windows File and Directory Permissions Modification in Elastic Security

Adversaries may modify file or directory permissions on Windows systems using built-in utilities (icacls, cacls, takeown, attrib) or PowerShell ACL cmdlets to bypass access control lists and gain access to protected files. This technique is commonly used by ransomware families (Ryuk, WannaCry, BitPaymer, BlackByte) to take ownership of system files before encryption, by persistence mechanisms preparing hijack targets, and by threat actors (Wizard Spider, Storm-1811) to remove access restrictions on backup and recovery infrastructure. Key patterns include granting Everyone full control (/grant Everyone:F), taking file ownership (takeown /F), resetting ACL inheritance (icacls /reset), and hiding files with attrib +h.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1222 File and Directory Permissions Modification
Sub-technique: T1222.001 Windows File and Directory Permissions Modification
Canonical reference: https://attack.mitre.org/techniques/T1222/001/

Elastic Detection Query

Elastic Security (Elastic), EQL query (in EQL double-quoted strings, "\\" denotes one literal backslash, so each path fragment below matches a single backslash in the command line):

process where event.type == "start" and
process.name in~ ("icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe", "powershell.exe", "pwsh.exe") and
(
  (
    process.name like~ "icacls.exe" and
    (
      process.command_line like~ "*everyone:f*" or
      process.command_line like~ "*everyone:full*" or
      process.command_line like~ "*/grant everyone*" or
      process.command_line like~ "*/inheritance:r*" or
      process.command_line like~ "*/inheritance:d*" or
      (
        process.command_line like~ "*/reset*" and
        (
          process.command_line like~ "*c:\\windows*" or
          process.command_line like~ "*c:\\system32*" or
          process.command_line like~ "*c:\\program files*" or
          process.command_line like~ "*\\backup*" or
          process.command_line like~ "*\\recovery*"
        )
      ) or
      (
        process.command_line like~ "*/grant*" and
        process.command_line like~ "* /t *" and
        process.command_line like~ "* /c *"
      )
    )
  ) or
  (
    process.name like~ "takeown.exe" and
    process.command_line like~ "* /f *" and
    (
      process.command_line like~ "*c:\\windows*" or
      process.command_line like~ "*c:\\system32*" or
      process.command_line like~ "*c:\\program*" or
      process.command_line like~ "*\\backup*" or
      process.command_line like~ "*\\recovery*" or
      process.command_line like~ "* /r*" or
      process.command_line like~ "* /a*"
    )
  ) or
  (
    process.name like~ "cacls.exe" and
    (
      process.command_line like~ "*everyone:f*" or
      process.command_line like~ "*/e /g*" or
      process.command_line like~ "*/g everyone*" or
      process.command_line like~ "*/p *"
    )
  ) or
  (
    process.name like~ "attrib.exe" and
    process.command_line like~ "*+h*" and
    (
      process.command_line like~ "*c:\\windows*" or
      process.command_line like~ "*c:\\system32*" or
      process.command_line like~ "*c:\\program files*" or
      process.command_line like~ "*c:\\programdata*"
    )
  ) or
  (
    process.name in~ ("powershell.exe", "pwsh.exe") and
    (
      process.command_line like~ "*set-acl*" or
      process.command_line like~ "*setaccessrule*" or
      process.command_line like~ "*addaccessrule*"
    ) and
    (
      process.command_line like~ "*everyone*" or
      process.command_line like~ "*fullcontrol*"
    )
  )
)

Severity: high. Confidence: high.

Detects T1222.001 Windows File and Directory Permissions Modification via icacls, cacls, takeown, attrib, and PowerShell Set-Acl. Covers ransomware-style Everyone:F recursive grants, ACL inheritance removal, system path targeting, backup infrastructure access removal, and file hiding with attrib. Matches Elastic Common Schema process.name and process.command_line fields from Elastic Endpoint or Sysmon via Winlogbeat.

Data Sources

  • Elastic Endpoint Security (logs-endpoint.events.process-*)
  • Winlogbeat with Sysmon Event ID 1
  • Winlogbeat with Windows Security Event ID 4688

Required Tables

  • logs-endpoint.events.process-*
  • winlogbeat-*
  • .ds-logs-windows.sysmon_operational-*

False Positives & Tuning

  • IT administrators running icacls in automated provisioning scripts to standardize permissions on shared drives or application directories during OS imaging
  • Software deployment tools such as SCCM, Intune, or Ansible running as SYSTEM that invoke icacls or takeown during package installation or configuration management tasks
  • Backup agents (Veeam, Backup Exec, Windows Server Backup) legitimately taking file ownership of VSS shadow copies or backup staging directories during scheduled backup operations

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Ryuk/WannaCry Pattern — icacls Grant Everyone Full Control Recursively

    Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:F /T /C /Q'. Security Event ID 4688 (if command line auditing enabled). If object access auditing is enabled on %TEMP%, Security Event ID 4670 (Permissions on an object were changed) with OldSd and NewSd DACL values in SDDL format.

  2. Test 2: BitPaymer Pattern — icacls Reset then takeown

    Expected signal: Sysmon Event ID 1: Three sequential process creation events — icacls.exe with '/reset', takeown.exe with '/F', icacls.exe with '/grant'. All three events will have the same parent process (cmd.exe). Security Event ID 4670 for each ACL change if object auditing is enabled.

  3. Test 3: Wizard Spider Backup Server Pattern — icacls Full Control on Backup Path

    Expected signal: Sysmon Event ID 1: Two process creation events — icacls.exe with '/grant' recursive flag, and icacls.exe with '/inheritance:r' (remove inherited ACEs). CommandLine for both events visible. Security Event ID 4670 if backup path auditing is configured.

  4. Test 4: PowerShell Set-Acl to Grant Everyone Full Control

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FullControl', 'Everyone'. PowerShell ScriptBlock Log Event ID 4104: full script content with FileSystemAccessRule construction and Set-Acl invocation. Security Event ID 4670 if directory auditing is configured.
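To check what the rule above fires on before the four tests are run, the following added example (not Elastic's code or any part of the published rule) re-implements the query's per-binary branches in Python and evaluates them over constructed process-start events shaped like Sysmon Event ID 1 records, one per test plus a benign icacls grant to a named group. It models EQL's like~ as a case-insensitive wildcard match and assumes a minimal event dict with only process.name and process.command_line; the paths and group names in the samples are invented.

```python
import re

def like_ci(value: str, pattern: str) -> bool:
    """EQL like~ semantics: case-insensitive, '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

# Path fragments from the rule, one backslash each (what the EQL "\\" escape denotes).
SYS_PATHS = ("*c:\\windows*", "*c:\\system32*", "*c:\\program files*", "*\\backup*", "*\\recovery*")

def matches_rule(event: dict) -> bool:
    """Re-implements the rule's per-binary branches for one process-start event."""
    name, cl = event["process.name"].lower(), event["process.command_line"]
    hit = lambda p: like_ci(cl, p)
    any_hit = lambda pats: any(hit(p) for p in pats)
    if name == "icacls.exe":
        return (any_hit(("*everyone:f*", "*everyone:full*", "*/grant everyone*",
                         "*/inheritance:r*", "*/inheritance:d*"))
                or (hit("*/reset*") and any_hit(SYS_PATHS))
                or (hit("*/grant*") and hit("* /t *") and hit("* /c *")))
    if name == "takeown.exe":
        return hit("* /f *") and any_hit(("*c:\\windows*", "*c:\\system32*", "*c:\\program*",
                                          "*\\backup*", "*\\recovery*", "* /r*", "* /a*"))
    if name == "cacls.exe":
        return any_hit(("*everyone:f*", "*/e /g*", "*/g everyone*", "*/p *"))
    if name == "attrib.exe":
        return hit("*+h*") and any_hit(("*c:\\windows*", "*c:\\system32*",
                                        "*c:\\program files*", "*c:\\programdata*"))
    if name in ("powershell.exe", "pwsh.exe"):
        return (any_hit(("*set-acl*", "*setaccessrule*", "*addaccessrule*"))
                and any_hit(("*everyone*", "*fullcontrol*")))
    return False

SAMPLE_EVENTS = [  # constructed, Sysmon Event ID 1 shape; not telemetry from any real host
    {"process.name": "icacls.exe",      # Test 1: recursive Everyone:F grant
     "process.command_line": r"icacls C:\Users\u\AppData\Local\Temp /grant Everyone:F /T /C /Q"},
    {"process.name": "icacls.exe",      # Test 2, step 1: ACL reset on a system path
     "process.command_line": r"icacls C:\Windows\System32\drivers\etc\hosts /reset"},
    {"process.name": "takeown.exe",     # Test 2, step 2: ownership of a system file
     "process.command_line": r"takeown /F C:\Windows\System32\drivers\etc\hosts"},
    {"process.name": "icacls.exe",      # Test 3: inherited ACEs removed on a backup path
     "process.command_line": r"icacls D:\Backup /inheritance:r"},
    {"process.name": "powershell.exe",  # Test 4: Set-Acl granting Everyone FullControl
     "process.command_line": r"powershell -c $r=New-Object System.Security.AccessControl."
                             r"FileSystemAccessRule('Everyone','FullControl','Allow');"
                             r" $a=Get-Acl D:\Backup; $a.SetAccessRule($r); Set-Acl D:\Backup $a"},
    {"process.name": "icacls.exe",      # Benign: named group, not recursive; must not alert
     "process.command_line": r'icacls D:\Shares\Finance /grant "CORP\Finance-RW":(OI)(CI)M'},
]
```

Running matches_rule over SAMPLE_EVENTS flags the first five and leaves the last one quiet, which is the tuning boundary the False Positives section describes: grants to a specific group without /T /C, Everyone, or inheritance changes do not trip the rule.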

Unlock Pro Content

Get the full detection package for T1222.001 including response playbook, investigation guide, and atomic red team tests.
