Detect Windows File and Directory Permissions Modification in CrowdStrike LogScale
Adversaries may modify file or directory permissions on Windows systems using built-in utilities (icacls, cacls, takeown, attrib) or PowerShell ACL cmdlets to bypass access control lists and gain access to protected files. This technique is commonly used by ransomware families (Ryuk, WannaCry, BitPaymer, BlackByte) to take ownership of system files before encryption, by persistence mechanisms preparing hijack targets, and by threat actors (Wizard Spider, Storm-1811) to remove access restrictions on backup and recovery infrastructure. Key patterns include granting Everyone full control (/grant Everyone:F), taking file ownership (takeown /F), resetting ACL inheritance (icacls /reset), and hiding files with attrib +h.
MITRE ATT&CK
- Tactic: Defense Evasion
- Sub-technique: T1222.001 Windows File and Directory Permissions Modification
- Canonical reference: https://attack.mitre.org/techniques/T1222/001/
LogScale Detection Query
```
#event_simpleName=ProcessRollup2
| FileName = /^(icacls|cacls|takeown|attrib|powershell|pwsh)\.exe$/i
| CommandLine != null
// Normalise command line for case-insensitive matching
| CmdLower := lower(CommandLine)
// Indicator flags with weights matching risk model
| GrantEveryoneFull := if(CmdLower =~ /everyone:(f|full)/, then=5, else=0)
| RecursivePermChange := if(CmdLower =~ /icacls/ and CmdLower =~ /\/[tT]/ and CmdLower =~ /\/grant/, then=3, else=0)
| AclInheritanceRemoval := if(CmdLower =~ /\/inheritance:[rd]/, then=2, else=0)
| AclReset := if(CmdLower =~ /icacls/ and CmdLower =~ /\/reset/, then=2, else=0)
| TakeownSystem := if(CmdLower =~ /takeown/ and CmdLower =~ /\/f/ and CmdLower =~ /(c:\\windows|c:\\program|system32|\\backup|\\recovery)/, then=3, else=0)
| TakeownRecursive := if(CmdLower =~ /takeown/ and CmdLower =~ /\/r/, then=2, else=0)
| CaclsModify := if(CmdLower =~ /cacls/ and (CmdLower =~ /everyone/ or CmdLower =~ /\/e \/g/ or CmdLower =~ /\/p /), then=2, else=0)
| AttribHide := if(CmdLower =~ /attrib/ and CmdLower =~ /\+h/ and CmdLower =~ /(windows|system32|program files|programdata)/, then=2, else=0)
| PsAclModify := if(CmdLower =~ /(powershell|pwsh)/ and CmdLower =~ /(set-acl|addaccessrule|setaccessrule)/ and CmdLower =~ /(everyone|fullcontrol)/, then=3, else=0)
// Compute total risk score
| RiskScore := GrantEveryoneFull + RecursivePermChange + AclInheritanceRemoval + AclReset + TakeownSystem + TakeownRecursive + CaclsModify + AttribHide + PsAclModify
| where RiskScore > 0
// Enrichment fields
| IsRansomwarePattern := if(GrantEveryoneFull > 0 and (RecursivePermChange > 0 or TakeownRecursive > 0), then="true", else="false")
| IsBackupTargeted := if(CmdLower =~ /(backup|recovery|shadow|vssadmin|wbadmin)/, then="true", else="false")
| IsSystemPathTargeted := if(CmdLower =~ /(c:\\windows|c:\\system32|c:\\program files|c:\\programdata|%systemroot%|%programfiles%)/, then="true", else="false")
// Alert reason — first matching rule wins
| case {
GrantEveryoneFull > 0 =>
AlertReason := "ACL grant Everyone full control (ransomware pattern)" ;
TakeownSystem > 0 =>
AlertReason := "takeown on system or protected path" ;
AclInheritanceRemoval > 0 =>
AlertReason := "ACL inheritance removed" ;
AclReset > 0 =>
AlertReason := "icacls /reset on sensitive path" ;
PsAclModify > 0 =>
AlertReason := "PowerShell Set-Acl granting excessive rights" ;
CaclsModify > 0 =>
AlertReason := "cacls ACL modification" ;
AttribHide > 0 =>
AlertReason := "attrib hiding file in system path" ;
* =>
AlertReason := "Permission modification tool detected"
}
| table(
[timestamp, ComputerName, UserName, FileName, CommandLine,
ParentBaseFileName, AlertReason, RiskScore,
IsRansomwarePattern, IsBackupTargeted, IsSystemPathTargeted]
)
| sort(field=RiskScore, order=desc)
```

CrowdStrike Falcon LogScale detection for T1222.001 Windows File and Directory Permissions Modification using ProcessRollup2 sensor telemetry. Risk-scored across nine indicator categories. Detects icacls, cacls, takeown, attrib, and PowerShell Set-Acl abuse patterns consistent with ransomware pre-encryption staging (Ryuk, WannaCry, BitPaymer, BlackByte), backup infrastructure access removal, and adversary privilege acquisition via ACL manipulation.
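To see how the nine weighted indicators, the summed RiskScore, the enrichment fields and the first-match `case` ordering behave on concrete command lines, here is an added Python re-implementation of the query's per-event logic run over a handful of constructed ProcessRollup2-shaped events. This is example code written for this page, not CrowdStrike's or LogScale's own code: the event dicts, host names and command lines are invented samples, the regexes are copied from the query above, and the function names (`indicator_flags`, `score_event`, `run_detection`) are mine.

```python
import re

# Constructed sample events shaped like ProcessRollup2 fields (invented hosts and
# command lines, not real Falcon telemetry), following the patterns described on this page.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "FileName": "icacls.exe",
     "CommandLine": r"icacls C:\Users\Public\tmp /grant Everyone:F /T /C /Q"},
    {"ComputerName": "SRV02", "FileName": "takeown.exe",
     "CommandLine": r"takeown /F C:\Windows\System32\config /R /A"},
    {"ComputerName": "BKP01", "FileName": "powershell.exe",
     "CommandLine": "powershell -Command \"$acl = Get-Acl D:\\Backups; "
                    "$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("
                    "'Everyone','FullControl','Allow'); $acl.AddAccessRule($rule); "
                    "Set-Acl -Path D:\\Backups -AclObject $acl\""},
    {"ComputerName": "WS03", "FileName": "attrib.exe",
     "CommandLine": r"attrib +h +s C:\ProgramData\svc\helper.dll"},
    # Benign IIS setup: passes the FileName filter but no indicator fires, so RiskScore is 0.
    {"ComputerName": "WEB01", "FileName": "icacls.exe",
     "CommandLine": r'icacls C:\inetpub\wwwroot /grant "IIS_IUSRS:(OI)(CI)RX"'},
    # Not one of the six tools, so the FileName filter drops it before scoring.
    {"ComputerName": "WS01", "FileName": "notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\a\notes.txt"},
]

# Mirrors: FileName = /^(icacls|cacls|takeown|attrib|powershell|pwsh)\.exe$/i
PROCESS_RE = re.compile(r"^(icacls|cacls|takeown|attrib|powershell|pwsh)\.exe$", re.IGNORECASE)

# Same order as the query's case {} block: the first indicator with a non-zero weight wins.
ALERT_REASONS = [
    ("GrantEveryoneFull", "ACL grant Everyone full control (ransomware pattern)"),
    ("TakeownSystem", "takeown on system or protected path"),
    ("AclInheritanceRemoval", "ACL inheritance removed"),
    ("AclReset", "icacls /reset on sensitive path"),
    ("PsAclModify", "PowerShell Set-Acl granting excessive rights"),
    ("CaclsModify", "cacls ACL modification"),
    ("AttribHide", "attrib hiding file in system path"),
]
FALLBACK_REASON = "Permission modification tool detected"


def indicator_flags(cmd_lower):
    """The nine weighted indicators from the query, evaluated on the lower-cased command line."""
    def has(pattern):
        return re.search(pattern, cmd_lower) is not None
    return {
        "GrantEveryoneFull": 5 if has(r"everyone:(f|full)") else 0,
        "RecursivePermChange": 3 if has("icacls") and has("/t") and has("/grant") else 0,
        "AclInheritanceRemoval": 2 if has(r"/inheritance:[rd]") else 0,
        "AclReset": 2 if has("icacls") and has("/reset") else 0,
        "TakeownSystem": 3 if has("takeown") and has("/f")
                         and has(r"(c:\\windows|c:\\program|system32|\\backup|\\recovery)") else 0,
        "TakeownRecursive": 2 if has("takeown") and has("/r") else 0,
        # Note: "cacls" is a substring of "icacls", so this indicator also fires on icacls
        # command lines that mention Everyone; this matches the query as written.
        "CaclsModify": 2 if has("cacls") and (has("everyone") or has("/e /g") or has("/p ")) else 0,
        "AttribHide": 2 if has("attrib") and has(r"\+h")
                      and has("(windows|system32|program files|programdata)") else 0,
        "PsAclModify": 3 if has("(powershell|pwsh)") and has("(set-acl|addaccessrule|setaccessrule)")
                       and has("(everyone|fullcontrol)") else 0,
    }


def score_event(event):
    """Per-event logic of the query; returns None where the query would filter the event out."""
    if not PROCESS_RE.match(event.get("FileName", "")) or not event.get("CommandLine"):
        return None
    c = event["CommandLine"].lower()          # CmdLower := lower(CommandLine)
    flags = indicator_flags(c)
    risk = sum(flags.values())                # RiskScore := sum of the nine weights
    if risk <= 0:                             # where RiskScore > 0
        return None
    reason = next((text for name, text in ALERT_REASONS if flags[name] > 0), FALLBACK_REASON)
    return {
        "ComputerName": event.get("ComputerName"),
        "FileName": event["FileName"],
        "RiskScore": risk,
        "AlertReason": reason,
        "IsRansomwarePattern": flags["GrantEveryoneFull"] > 0
                               and (flags["RecursivePermChange"] > 0 or flags["TakeownRecursive"] > 0),
        "IsBackupTargeted": re.search("(backup|recovery|shadow|vssadmin|wbadmin)", c) is not None,
        "IsSystemPathTargeted": re.search(
            r"(c:\\windows|c:\\system32|c:\\program files|c:\\programdata|%systemroot%|%programfiles%)",
            c) is not None,
        "Flags": flags,
    }


def run_detection(events):
    """Score every event and return the alerts sorted like sort(field=RiskScore, order=desc)."""
    alerts = [a for a in (score_event(e) for e in events) if a is not None]
    return sorted(alerts, key=lambda a: a["RiskScore"], reverse=True)


if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(f'{a["RiskScore"]:>2}  {a["ComputerName"]:<6} {a["AlertReason"]}')
```

Running it on the constructed events yields four alerts (scores 10, 5, 3 and 2) and drops the IIS and notepad events. The first alert's breakdown shows one tuning point worth knowing before deploying the query: the `icacls /grant Everyone:F /T` line scores 10, not 8, because `/cacls/` also matches inside `icacls` and contributes its 2 points; if you want cacls and icacls scored independently, anchor the cacls regex with a word boundary.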
Data Sources
Required Tables
False Positives & Tuning
- Falcon RTR (Real Time Response) sessions where security operators run icacls or takeown during active incident response or remediation tasks
- Enterprise software deployment platforms (BigFix, Ansible, SCCM) running as SYSTEM that invoke icacls to configure permissions on application directories during installation or update cycles
- Windows Server role setup wizards (IIS, MSSQL, AD CS) that call icacls or takeown as part of feature installation to reconfigure service directory permissions
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Ryuk/WannaCry Pattern — icacls Grant Everyone Full Control Recursively
  Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:F /T /C /Q'. Security Event ID 4688 (if command line auditing enabled). If object access auditing is enabled on %TEMP%, Security Event ID 4670 (Permissions on an object were changed) with OldSd and NewSd DACL values in SDDL format.
- Test 2: BitPaymer Pattern — icacls Reset then takeown
  Expected signal: Sysmon Event ID 1: Three sequential process creation events — icacls.exe with '/reset', takeown.exe with '/F', icacls.exe with '/grant'. All three events will have the same parent process (cmd.exe). Security Event ID 4670 for each ACL change if object auditing is enabled.
- Test 3: Wizard Spider Backup Server Pattern — icacls Full Control on Backup Path
  Expected signal: Sysmon Event ID 1: Two process creation events — icacls.exe with '/grant' recursive flag, and icacls.exe with '/inheritance:r' (remove inherited ACEs). CommandLine for both events visible. Security Event ID 4670 if backup path auditing is configured.
- Test 4: PowerShell Set-Acl to Grant Everyone Full Control
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FullControl', 'Everyone'. PowerShell ScriptBlock Log Event ID 4104: full script content with FileSystemAccessRule construction and Set-Acl invocation. Security Event ID 4670 if directory auditing is configured.
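The tests above expect Security Event ID 4670 to carry the old and new security descriptors (OldSd, NewSd) in SDDL, but the page does not show how to read those values when triaging. Here is an added Python example, not from this page, the ATT&CK entry or Atomic Red Team, that parses the DACL part of the two SDDL strings and reports the two changes a responder cares about for this technique: a new allow ACE granting full control to a broad principal (Everyone, Authenticated Users, Users) and the DACL turning protected, which is the result of removing inheritance with icacls /inheritance:r. The 4670-style event is constructed and the function names are mine; the SDDL abbreviations (WD, BA, SY, BU, AU, FA, GA, P, AI) and the FILE_ALL_ACCESS mask are the documented Windows values.

```python
import re

# Constructed 4670-style event: a backup directory whose DACL went from inherited
# Administrators/SYSTEM full control plus read for Users, to protected, with a new
# explicit Everyone full-control ACE. Invented sample, not captured telemetry.
SAMPLE_4670 = {
    "ObjectName": r"C:\Backups",
    "OldSd": "O:BAG:SYD:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)",
    "NewSd": "O:BAG:SYD:PAI(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)",
}

# Principals that should rarely receive full control on protected data.
BROAD_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Users", "S-1-5-32-545": "Users",
}

FILE_ALL_ACCESS = 0x1F01FF    # FA expanded to a mask
GENERIC_ALL = 0x10000000      # GA

# D:<dacl flags><one or more (ACE)> ; the S: (SACL) part, if any, follows and is ignored.
DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (dacl_flags, [ace dicts]) from the D: component of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        return "", []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        parts = body.split(";")
        if len(parts) < 6:
            continue
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid[;extra]
        ace_type, ace_flags, rights, _obj, _inh, sid = parts[:6]
        aces.append({"type": ace_type, "flags": ace_flags, "rights": rights, "sid": sid})
    return m.group(1), aces


def grants_full_control(rights):
    """True if an SDDL rights field is full control, given as FA/GA tokens or a hex mask."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS or bool(mask & GENERIC_ALL)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & {"FA", "GA"})


def _ace_key(ace):
    # Inheritance flags (ID/OICI) are deliberately excluded: an explicit copy of a
    # previously inherited ACE is not a new grant.
    return (ace["type"], ace["rights"], ace["sid"])


def analyse_4670(old_sd, new_sd):
    """Diff two descriptors and return human-readable findings for this technique."""
    old_flags, old_aces = parse_dacl(old_sd)
    new_flags, new_aces = parse_dacl(new_sd)
    old_keys = {_ace_key(a) for a in old_aces}
    findings = []
    for ace in new_aces:
        if ace["type"] != "A" or _ace_key(ace) in old_keys:
            continue  # deny ACE, or an ACE that was already present
        if ace["sid"] in BROAD_PRINCIPALS and grants_full_control(ace["rights"]):
            findings.append(f"new allow ACE: {BROAD_PRINCIPALS[ace['sid']]} granted full control")
    if "P" in new_flags and "P" not in old_flags:
        findings.append("DACL became protected (inheritance removed)")
    return findings


if __name__ == "__main__":
    for line in analyse_4670(SAMPLE_4670["OldSd"], SAMPLE_4670["NewSd"]):
        print(f'{SAMPLE_4670["ObjectName"]}: {line}')
```

On the constructed event this reports both an Everyone full-control grant and the inheritance removal, which together line up with the icacls /grant plus /inheritance:r sequence of Test 3; the same two findings let you confirm that a process-creation alert from the query actually changed the object's DACL rather than failing on access denied. Object access auditing (SACL on the path) has to be configured for 4670 to be written at all, as the tests above note.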
References
- https://attack.mitre.org/techniques/T1222/001/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
- https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces
- https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/
- https://www.crowdstrike.com/blog/indrik-spider-supersized-evil-corp-upgrades-dridex-payload-wasted-locker/
- https://www.logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/
- https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
- https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-refreshes-payload/