Detect Windows File and Directory Permissions Modification in Microsoft Sentinel
Adversaries may modify file or directory permissions on Windows systems using built-in utilities (icacls, cacls, takeown, attrib) or PowerShell ACL cmdlets to bypass access control lists and gain access to protected files. This technique is commonly used by ransomware families (Ryuk, WannaCry, BitPaymer, BlackByte) to take ownership of system files before encryption, by persistence mechanisms preparing hijack targets, and by threat actors (Wizard Spider, Storm-1811) to remove access restrictions on backup and recovery infrastructure. Key patterns include granting Everyone full control (/grant Everyone:F), taking file ownership (takeown /F), resetting ACL inheritance (icacls /reset), and hiding files with attrib +h.
MITRE ATT&CK
- Tactic: Defense Evasion
- Sub-technique: T1222.001 Windows File and Directory Permissions Modification
- Canonical reference: https://attack.mitre.org/techniques/T1222/001/
KQL Detection Query
```kql
let SuspiciousIcaclsArgs = dynamic([
    "Everyone:F", "everyone:f",
    "/grant Everyone", "/grant everyone",
    "/T /C /Q", "/t /c /q",
    "/inheritance:r", "/inheritance:d",
    "/reset"
]);
let SuspiciousSystemPaths = dynamic([
    "C:\\Windows\\", "C:\\System32\\", "C:\\Program Files\\",
    "C:\\ProgramData\\", "\\Backup\\", "\\Recovery\\",
    "C:\\Users\\", "%SystemRoot%", "%ProgramFiles%"
]);
// Branch 1: icacls granting Everyone full control or manipulating inheritance
let IcaclsSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "icacls.exe"
| where ProcessCommandLine has_any (SuspiciousIcaclsArgs)
| extend AlertReason = case(
    ProcessCommandLine has_any ("Everyone:F", "everyone:f"), "icacls granting Everyone full control",
    ProcessCommandLine has "/inheritance:r", "icacls removing ACL inheritance",
    ProcessCommandLine has "/reset" and ProcessCommandLine has_any (SuspiciousSystemPaths), "icacls resetting ACL on system path",
    ProcessCommandLine has "/grant" and ProcessCommandLine has_any ("/T", "/C", "/Q"), "icacls bulk recursive permission grant",
    "icacls suspicious argument"
);
// Branch 2: takeown taking ownership of system files
let TakeownSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "takeown.exe"
| where ProcessCommandLine has "/F"
| where ProcessCommandLine has_any (SuspiciousSystemPaths)
    or ProcessCommandLine has "/A" // takeown for Administrators group
    or ProcessCommandLine has "/R" // recursive
| extend AlertReason = case(
    ProcessCommandLine has_any (SuspiciousSystemPaths), "takeown on protected system path",
    ProcessCommandLine has "/R", "takeown recursive on directory",
    "takeown suspicious usage"
);
// Branch 3: cacls modifying permissions
let CaclsSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cacls.exe"
| where ProcessCommandLine has_any ("/E /G", "/G Everyone", "/g everyone", "/P", "Everyone:F")
| extend AlertReason = "cacls modifying ACL permissions";
// Branch 4: attrib hiding files or removing system/read-only on sensitive paths
let AttribSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "attrib.exe"
| where (ProcessCommandLine has "+h" or ProcessCommandLine has "+s")
    and ProcessCommandLine has_any (SuspiciousSystemPaths)
| extend AlertReason = "attrib hiding/system-flagging file in sensitive path";
// Branch 5: PowerShell Set-Acl granting Everyone full control
let PsAclSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Set-Acl", "SetAccessRule", "AddAccessRule")
    and ProcessCommandLine has_any ("Everyone", "FullControl", "Allow")
| extend AlertReason = "PowerShell Set-Acl granting excessive permissions";
// Combine all branches and add enrichment flags for triage
union IcaclsSuspicious, TakeownSuspicious, CaclsSuspicious, AttribSuspicious, PsAclSuspicious
| extend IsRansomwarePattern = ProcessCommandLine has_any ("Everyone:F", "everyone:f") and (ProcessCommandLine has "/T" or ProcessCommandLine has "/R")
| extend IsBackupTargeting = ProcessCommandLine has_any ("Backup", "backup", "Recovery", "recovery", "vss", "VSS", "shadow", "Shadow")
| extend IsSystemPathTargeted = ProcessCommandLine has_any (SuspiciousSystemPaths)
| project Timestamp, DeviceName, AccountName, AccountDomain, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName,
    AlertReason, IsRansomwarePattern, IsBackupTargeting, IsSystemPathTargeted
| sort by Timestamp desc
```

Detects suspicious Windows file and directory permission modifications using icacls, cacls, takeown, attrib, and PowerShell Set-Acl. Five detection branches cover the most common adversary patterns: (1) icacls granting Everyone full control or manipulating ACL inheritance — a hallmark of Ryuk, WannaCry, and BlackByte ransomware; (2) takeown.exe taking ownership of protected system paths, commonly preceding ransomware encryption or hijack execution flow; (3) cacls modifying permissions on legacy systems; (4) attrib hiding/flagging files in system paths; (5) PowerShell Set-Acl granting excessive permissions. Enrichment flags identify ransomware-specific patterns (Everyone:F with recursive /T flag) and backup infrastructure targeting.
Data Sources
Required Tables
- DeviceProcessEvents (the only table the query above reads)
False Positives & Tuning
- Software installation packages that use icacls to set permissions on their own application directories during setup (e.g., MSI installers, third-party applications)
- System administrators using takeown and icacls to recover access to accidentally locked files or directories
- IT automation tools (SCCM, Ansible, Puppet) using PowerShell Set-Acl or icacls to enforce standardized permission baselines across managed endpoints
- Backup software agents that modify ACLs on their own installation and data directories
- Vulnerability remediation scripts that reset over-permissive ACLs on shared directories
Testing Methodology
Validate this detection against the four adversary techniques from Atomic Red Team listed below. Each test names the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Ryuk/WannaCry Pattern — icacls Grant Everyone Full Control Recursively
  Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:F /T /C /Q'. Security Event ID 4688 (if command line auditing enabled). If object access auditing is enabled on %TEMP%, Security Event ID 4670 (Permissions on an object were changed) with OldSd and NewSd DACL values in SDDL format.
- Test 2: BitPaymer Pattern — icacls Reset then takeown
  Expected signal: Sysmon Event ID 1: Three sequential process creation events — icacls.exe with '/reset', takeown.exe with '/F', icacls.exe with '/grant'. All three events will have the same parent process (cmd.exe). Security Event ID 4670 for each ACL change if object auditing is enabled.
- Test 3: Wizard Spider Backup Server Pattern — icacls Full Control on Backup Path
  Expected signal: Sysmon Event ID 1: Two process creation events — icacls.exe with '/grant' recursive flag, and icacls.exe with '/inheritance:r' (remove inherited ACEs). CommandLine for both events visible. Security Event ID 4670 if backup path auditing is configured.
- Test 4: PowerShell Set-Acl to Grant Everyone Full Control
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FullControl', 'Everyone'. PowerShell ScriptBlock Log Event ID 4104: full script content with FileSystemAccessRule construction and Set-Acl invocation. Security Event ID 4670 if directory auditing is configured.
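The expected signals above point at Security Event ID 4670, whose OldSd and NewSd fields carry the object's security descriptor in SDDL. As an added example (not part of this page or its detection package), the Python below parses the DACL out of those two strings and reports the two changes the rule hunts for: an access-allowed ACE granting Everyone (SDDL alias WD) full control, and the DACL becoming protected, which is what icacls /inheritance:r does. The 4670 field values are constructed.

```python
import re
from typing import List, Tuple

# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;account_sid).
# Conditional/callback ACEs carry extra fields and are skipped by this pattern.
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")
FULL_CONTROL_ALIASES = {"FA", "GA"}   # FILE_ALL_ACCESS / GENERIC_ALL rights aliases
FULL_CONTROL_MASK = 0x1F01FF          # numeric FILE_ALL_ACCESS
EVERYONE = {"WD", "S-1-1-0"}          # SDDL alias and raw SID for Everyone

def parse_dacl(sddl: str) -> Tuple[str, List[Tuple[str, str, str, str]]]:
    """Return (dacl_flags, [(type, flags, rights, sid), ...]) from an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        return "", []
    aces = [(t, f, r, sid) for t, f, r, _, _, sid in ACE_RE.findall(m.group(2))]
    return m.group(1), aces

def is_full_control(rights: str) -> bool:
    """True for the FA/GA aliases or a hex mask that covers FILE_ALL_ACCESS."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & FULL_CONTROL_MASK == FULL_CONTROL_MASK
    pairs = {rights[i:i + 2] for i in range(0, len(rights), 2)}  # "FRFX" -> {FR, FX}
    return bool(pairs & FULL_CONTROL_ALIASES)

def flag_dacl_change(old_sd: str, new_sd: str) -> List[str]:
    """Compare OldSd/NewSd from a 4670 event and report the patterns the detection hunts for."""
    old_flags, old_aces = parse_dacl(old_sd)
    new_flags, new_aces = parse_dacl(new_sd)
    # Ignore ACE flags so an inherited grant that is re-added explicitly is not reported as new.
    old_grants = {(t, r, sid) for t, _, r, sid in old_aces}
    findings = []
    for t, _, r, sid in new_aces:
        if (t, r, sid) not in old_grants and t == "A" and sid in EVERYONE and is_full_control(r):
            findings.append("new ACE grants Everyone full control")
    if "P" in new_flags and "P" not in old_flags:
        findings.append("DACL inheritance removed (protected flag set)")
    return findings

# Constructed 4670 fields: a folder with inherited ACEs, then icacls /grant Everyone:F
# followed by /inheritance:r, which drops the inherited ACEs and protects the DACL.
EVENT_4670 = {
    "OldSd": "O:BAG:SYD:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)",
    "NewSd": "O:BAG:SYD:PAI(A;OICI;FA;;;WD)",
}

if __name__ == "__main__":
    for finding in flag_dacl_change(EVENT_4670["OldSd"], EVENT_4670["NewSd"]):
        print(finding)
```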
References
- https://attack.mitre.org/techniques/T1222/001/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
- https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces
- https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/
- https://www.crowdstrike.com/blog/indrik-spider-supersized-evil-corp-upgrades-dridex-payload-wasted-locker/
- https://www.logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/
- https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
- https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-refreshes-payload/