T1222.001 IBM QRadar · QRadar

Detect Windows File and Directory Permissions Modification in IBM QRadar

Adversaries may modify file or directory permissions on Windows systems using built-in utilities (icacls, cacls, takeown, attrib) or PowerShell ACL cmdlets to bypass access control lists and gain access to protected files. This technique is commonly used by ransomware families (Ryuk, WannaCry, BitPaymer, BlackByte) to take ownership of system files before encryption, by persistence mechanisms preparing hijack targets, and by threat actors (Wizard Spider, Storm-1811) to remove access restrictions on backup and recovery infrastructure. Key patterns include granting Everyone full control (/grant Everyone:F), taking file ownership (takeown /F), resetting ACL inheritance (icacls /reset), and hiding files with attrib +h.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1222 File and Directory Permissions Modification
Sub-technique
T1222.001 Windows File and Directory Permissions Modification
Canonical reference
https://attack.mitre.org/techniques/T1222/001/

QRadar Detection Query

AQL query (IBM QRadar):

```sql
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  LOGSOURCETYPENAME(devicetype) AS LogSourceType,
  username AS UserName,
  "Process Name" AS ProcessName,
  "Command Line" AS CommandLine,
  "Parent Process Name" AS ParentProcessName,
  QIDNAME(qid) AS EventName,
  sourceip AS HostIP,
  CASE
    WHEN LOWER("Command Line") ILIKE '%everyone:f%' OR LOWER("Command Line") ILIKE '%everyone:full%'
      THEN 'ACL grant Everyone full control (ransomware pattern)'
    WHEN LOWER("Command Line") ILIKE '%/inheritance:r%' OR LOWER("Command Line") ILIKE '%/inheritance:d%'
      THEN 'ACL inheritance removed'
    WHEN LOWER("Command Line") ILIKE '%/reset%'
      THEN 'icacls ACL reset on sensitive path'
    WHEN LOWER("Command Line") ILIKE '%takeown%' AND LOWER("Command Line") ILIKE '%/f%'
      THEN 'takeown on system or protected path'
    WHEN (LOWER("Command Line") ILIKE '%set-acl%' OR LOWER("Command Line") ILIKE '%addaccessrule%' OR LOWER("Command Line") ILIKE '%setaccessrule%')
      THEN 'PowerShell Set-Acl granting excessive permissions'
    WHEN LOWER("Command Line") ILIKE '%attrib%' AND LOWER("Command Line") ILIKE '%+h%'
      THEN 'attrib hiding file in system path'
    ELSE 'Permission modification tool detected'
  END AS AlertReason,
  CASE
    WHEN (LOWER("Command Line") ILIKE '%everyone:f%') AND (LOWER("Command Line") ILIKE '% /t %' OR LOWER("Command Line") ILIKE '% /r%')
      THEN 'true'
    ELSE 'false'
  END AS IsRansomwarePattern,
  CASE
    WHEN LOWER("Command Line") ILIKE '%backup%' OR LOWER("Command Line") ILIKE '%recovery%'
         OR LOWER("Command Line") ILIKE '%shadow%' OR LOWER("Command Line") ILIKE '%vss%'
         OR LOWER("Command Line") ILIKE '%wbadmin%'
      THEN 'true'
    ELSE 'false'
  END AS IsBackupTargeted
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND (
    QIDNAME(qid) ILIKE '%process create%'
    OR QIDNAME(qid) ILIKE '%new process has been created%'
    OR QIDNAME(qid) ILIKE '%ProcessCreate%'
  )
  AND (
    (
      LOWER("Process Name") ILIKE '%icacls.exe'
      AND (
        LOWER("Command Line") ILIKE '%everyone:f%'
        OR LOWER("Command Line") ILIKE '%everyone:full%'
        OR LOWER("Command Line") ILIKE '%/grant everyone%'
        OR LOWER("Command Line") ILIKE '%/inheritance:r%'
        OR LOWER("Command Line") ILIKE '%/inheritance:d%'
        OR (
          LOWER("Command Line") ILIKE '%/reset%'
          AND (
            LOWER("Command Line") ILIKE '%c:\windows%'
            OR LOWER("Command Line") ILIKE '%c:\program%'
            OR LOWER("Command Line") ILIKE '%system32%'
            OR LOWER("Command Line") ILIKE '%\backup%'
            OR LOWER("Command Line") ILIKE '%\recovery%'
          )
        )
      )
    )
    OR (
      LOWER("Process Name") ILIKE '%takeown.exe'
      AND LOWER("Command Line") ILIKE '% /f%'
      AND (
        LOWER("Command Line") ILIKE '%c:\windows%'
        OR LOWER("Command Line") ILIKE '%c:\program%'
        OR LOWER("Command Line") ILIKE '%system32%'
        OR LOWER("Command Line") ILIKE '%\backup%'
        OR LOWER("Command Line") ILIKE '%\recovery%'
        OR LOWER("Command Line") ILIKE '% /r%'
        OR LOWER("Command Line") ILIKE '% /a%'
      )
    )
    OR (
      LOWER("Process Name") ILIKE '%cacls.exe'
      AND (
        LOWER("Command Line") ILIKE '%everyone%'
        OR LOWER("Command Line") ILIKE '%/e /g%'
        OR LOWER("Command Line") ILIKE '%/p %'
      )
    )
    OR (
      LOWER("Process Name") ILIKE '%attrib.exe'
      AND LOWER("Command Line") ILIKE '%+h%'
      AND (
        LOWER("Command Line") ILIKE '%windows%'
        OR LOWER("Command Line") ILIKE '%system32%'
        OR LOWER("Command Line") ILIKE '%program%'
      )
    )
    OR (
      (
        LOWER("Process Name") ILIKE '%powershell.exe'
        OR LOWER("Process Name") ILIKE '%pwsh.exe'
      )
      AND (
        LOWER("Command Line") ILIKE '%set-acl%'
        OR LOWER("Command Line") ILIKE '%addaccessrule%'
        OR LOWER("Command Line") ILIKE '%setaccessrule%'
      )
      AND (
        LOWER("Command Line") ILIKE '%everyone%'
        OR LOWER("Command Line") ILIKE '%fullcontrol%'
      )
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
```

Severity: high. Confidence: medium.

Detects T1222.001 Windows File and Directory Permissions Modification via icacls, cacls, takeown, attrib, and PowerShell Set-Acl. Uses QRadar AQL against Windows Security Event Log (EID 4688) and Sysmon (EID 1) process creation records. Identifies ransomware-pattern ACL grants, system path ownership takeover, inheritance removal, and backup infrastructure targeting. Requires 'Process Name' and 'Command Line' custom properties extracted by the DSM.

Data Sources

  • QRadar DSM: Microsoft Windows Security Event Log (Event ID 4688)
  • QRadar DSM: Microsoft Sysmon (Event ID 1 ProcessCreate)
  • QRadar Log Source Type: Microsoft Windows

Required Tables

events

False Positives & Tuning

  • Automated patch management or software deployment systems (SCCM, PDQ Deploy, Ansible) resetting ACLs on application directories during software installation routines
  • Active Directory Group Policy scripts invoking icacls to enforce standardized folder permissions as part of logon or startup policy application
  • Backup agents (Veeam, Commvault, Windows Server Backup) legitimately using takeown to access shadow copies or locked files during backup windows
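The query's WHERE filter and CASE columns, re-implemented in Python as an added example (not QRadar's or the page's own code) so the rule's logic can be regression-tested against constructed Sysmon EID 1 records offline before deployment. The parent-process allow-list stands in for the tuning described above; the page names the products but not their binaries, so those process names are placeholders.

```python
# Added example, not QRadar's or the page's own code: an offline Python mirror of the
# query's WHERE filter and CASE columns, runnable over constructed Sysmon EID 1 records.
import ntpath  # handles Windows paths regardless of the host OS

SENSITIVE = ("c:\\windows", "c:\\program", "system32", "\\backup", "\\recovery")
# Hypothetical tuning allow-list: the page names SCCM/PDQ/Veeam but not their binaries.
TRUSTED_PARENTS = {"deploy-agent-placeholder.exe", "backup-agent-placeholder.exe"}

def alert_reason(c):
    if "everyone:f" in c or "everyone:full" in c:
        return "ACL grant Everyone full control (ransomware pattern)"
    if "/inheritance:r" in c or "/inheritance:d" in c:
        return "ACL inheritance removed"
    if "/reset" in c:
        return "icacls ACL reset on sensitive path"
    if "takeown" in c and "/f" in c:
        return "takeown on system or protected path"
    if any(k in c for k in ("set-acl", "addaccessrule", "setaccessrule")):
        return "PowerShell Set-Acl granting excessive permissions"
    if "attrib" in c and "+h" in c:
        return "attrib hiding file in system path"
    return "Permission modification tool detected"

def matches_filter(image, c):
    """Per-tool predicates of the WHERE clause; c is the lower-cased command line."""
    img, sensitive = ntpath.basename(image).lower(), any(p in c for p in SENSITIVE)
    if img == "icacls.exe":
        return any(k in c for k in ("everyone:f", "everyone:full", "/grant everyone",
                   "/inheritance:r", "/inheritance:d")) or ("/reset" in c and sensitive)
    if img == "takeown.exe":
        return " /f" in c and (sensitive or " /r" in c or " /a" in c)
    if img == "cacls.exe":
        return "everyone" in c or "/e /g" in c or "/p " in c
    if img == "attrib.exe":
        return "+h" in c and any(k in c for k in ("windows", "system32", "program"))
    if img in ("powershell.exe", "pwsh.exe"):
        return (any(k in c for k in ("set-acl", "addaccessrule", "setaccessrule"))
                and ("everyone" in c or "fullcontrol" in c))
    return False

def evaluate(event):
    """Alert row for one Sysmon EID 1 record, or None when filtered or tuned out."""
    c = event["CommandLine"].lower()
    if not matches_filter(event["Image"], c):
        return None
    if ntpath.basename(event.get("ParentImage", "")).lower() in TRUSTED_PARENTS:
        return None  # tuning: benign deployment/backup agent (see False Positives)
    return {"AlertReason": alert_reason(c),
            "IsRansomwarePattern": "everyone:f" in c and (" /t " in c or " /r" in c),
            "IsBackupTargeted": any(k in c for k in ("backup", "recovery", "shadow", "vss", "wbadmin"))}
```

Each record is a dict with the Sysmon field names Image, ParentImage and CommandLine; feed it the four test patterns from the Testing Methodology plus your known-benign deployment jobs to confirm both the hits and the tuned-out misses.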

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Ryuk/WannaCry Pattern — icacls Grant Everyone Full Control Recursively

    Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:F /T /C /Q'. Security Event ID 4688 (if command line auditing enabled). If object access auditing is enabled on %TEMP%, Security Event ID 4670 (Permissions on an object were changed) with OldSd and NewSd DACL values in SDDL format.

  2. Test 2: BitPaymer Pattern — icacls Reset then takeown

    Expected signal: Sysmon Event ID 1: Three sequential process creation events — icacls.exe with '/reset', takeown.exe with '/F', icacls.exe with '/grant'. All three events will have the same parent process (cmd.exe). Security Event ID 4670 for each ACL change if object auditing is enabled.

  3. Test 3: Wizard Spider Backup Server Pattern — icacls Full Control on Backup Path

    Expected signal: Sysmon Event ID 1: Two process creation events — icacls.exe with '/grant' recursive flag, and icacls.exe with '/inheritance:r' (remove inherited ACEs). CommandLine for both events visible. Security Event ID 4670 if backup path auditing is configured.

  4. Test 4: PowerShell Set-Acl to Grant Everyone Full Control

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FullControl', 'Everyone'. PowerShell ScriptBlock Log Event ID 4104: full script content with FileSystemAccessRule construction and Set-Acl invocation. Security Event ID 4670 if directory auditing is configured.
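Security Event ID 4670, named above as the corroborating signal for every test, carries the object's DACL before and after the change as OldSd and NewSd in SDDL. The following Python is an added example (not part of the page or of QRadar) that diffs the two strings to flag an Everyone full-control grant or a DACL switched to protected, which catches the same outcome when the command line is unavailable or obfuscated. The SDDL pair is constructed, not captured from a host.

```python
# Added example, not QRadar's or the page's own code: diff the OldSd/NewSd SDDL strings
# that Security Event ID 4670 carries, to flag an Everyone full-control grant or a
# DACL switched to protected (inheritance removed) independently of the command line.
import re

ACE_RE = re.compile(r"\(([^)]*)\)")
FULL_RIGHTS = {"FA", "GA"}          # SDDL file-all / generic-all
FILE_ALL_ACCESS = 0x1F01FF          # numeric form of FA as emitted by some tools
BROAD_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users", "AN": "Anonymous"}

def parse_dacl(sddl):
    """Return (dacl_flags, [(type, flags, rights, sid), ...]) from an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return "", []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        f = body.split(";")
        aces.append((f[0], f[1], f[2], f[5]))
    return m.group(1), aces

def grants_full(rights):
    """True for FA/GA or a hex mask that includes every FILE_ALL_ACCESS bit."""
    if rights.upper() in FULL_RIGHTS:
        return True
    if rights.lower().startswith("0x"):
        return int(rights, 16) & FILE_ALL_ACCESS == FILE_ALL_ACCESS
    return False

def analyze_4670(old_sd, new_sd):
    """Findings for one 4670 event, comparing its OldSd and NewSd DACLs."""
    old_flags, old_aces = parse_dacl(old_sd)
    new_flags, new_aces = parse_dacl(new_sd)
    findings = []
    for ace_type, _, rights, sid in sorted(set(new_aces) - set(old_aces)):
        if ace_type == "A" and sid in BROAD_SIDS and grants_full(rights):
            findings.append(f"full control granted to {BROAD_SIDS[sid]}")
    if "P" in new_flags and "P" not in old_flags:
        findings.append("DACL marked protected (inheritance removed)")
    return findings

# Constructed SDDL pair (not captured from a real host), modelled on the Test 1 icacls grant.
OLD_SD = "O:BAG:SYD:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"
NEW_SD = "O:BAG:SYD:AI(A;OICI;FA;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)"

if __name__ == "__main__":
    print(analyze_4670(OLD_SD, NEW_SD))  # ['full control granted to Everyone']
```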
