T1222.001 Splunk · SPL

Detect Windows File and Directory Permissions Modification in Splunk

Adversaries modify file or directory permissions on Windows using the built-in utilities icacls, cacls, takeown and attrib, or the PowerShell ACL cmdlets (Get-Acl/Set-Acl), to strip or loosen the access control lists protecting files they intend to read, replace or delete. The technique is used by ransomware families (Ryuk, WannaCry, BitPaymer, BlackByte) to take ownership of system files before encryption, by persistence mechanisms preparing hijack targets, and by threat actors (Wizard Spider, Storm-1811) to remove access restrictions on backup and recovery infrastructure. Key command-line patterns are granting Everyone full control (icacls /grant Everyone:F), taking file ownership (takeown /F), removing or resetting ACL inheritance (icacls /inheritance:r, icacls /reset), and hiding files with attrib +h.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1222 File and Directory Permissions Modification
Sub-technique
T1222.001 Windows File and Directory Permissions Modification
Canonical reference
https://attack.mitre.org/techniques/T1222/001/

SPL Detection Query

Splunk (SPL)
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName, New_Process_Name)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, Process_Command_Line)
| eval ParentImage=coalesce(ParentImage, ParentProcessName, Creator_Process_Name)
| eval user=coalesce(user, User, SubjectUserName, Subject_User_Name)
| eval ProcessName=lower(mvindex(split(Image, "\\"), -1))
| where ProcessName IN ("icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe", "powershell.exe", "pwsh.exe")
| eval CmdLower=lower(CommandLine)
| eval GrantEveryoneFull=if(match(CmdLower, "(everyone|[*]s-1-1-0):([(][a-z]+[)])*[(]?(f|full)"), 1, 0)
| eval RecursivePermChange=if(match(CmdLower, "icacls") AND match(CmdLower, "/t( |$)") AND match(CmdLower, "/grant"), 1, 0)
| eval AclInheritanceRemoval=if(match(CmdLower, "/inheritance:[rd]"), 1, 0)
| eval AclReset=if(match(CmdLower, "icacls") AND match(CmdLower, "/reset"), 1, 0)
| eval TakeownSystem=if(match(CmdLower, "takeown") AND match(CmdLower, "/f") AND match(CmdLower, "c:\\\\windows|c:\\\\program|system32|backup|recovery"), 1, 0)
| eval TakeownRecursive=if(match(CmdLower, "takeown") AND match(CmdLower, "/r( |$)"), 1, 0)
| eval CaclsModify=if(ProcessName="cacls.exe" AND (match(CmdLower, "/e /g") OR match(CmdLower, "everyone") OR match(CmdLower, "/p ")), 1, 0)
| eval AttribHide=if(match(CmdLower, "attrib") AND match(CmdLower, "[+]h") AND match(CmdLower, "windows|system32|program"), 1, 0)
| eval PsAclModify=if((ProcessName="powershell.exe" OR ProcessName="pwsh.exe") AND match(CmdLower, "set-acl|addaccessrule|setaccessrule") AND (match(CmdLower, "everyone") OR match(CmdLower, "fullcontrol")), 1, 0)
| eval RiskScore=GrantEveryoneFull*5 + RecursivePermChange*3 + AclInheritanceRemoval*2 + AclReset*2 + TakeownSystem*3 + TakeownRecursive*2 + CaclsModify*2 + AttribHide*2 + PsAclModify*3
| where RiskScore > 0
| eval IsRansomwarePattern=if(GrantEveryoneFull=1 AND (RecursivePermChange=1 OR TakeownRecursive=1), "true", "false")
| eval IsBackupTargeted=if(match(CmdLower, "backup|recovery|vssadmin|shadow|wbadmin"), "true", "false")
| eval AlertReason=case(
    GrantEveryoneFull=1, "ACL grant Everyone full control (ransomware pattern)",
    TakeownSystem=1, "takeown on system/protected path",
    AclInheritanceRemoval=1, "ACL inheritance removed",
    AclReset=1, "icacls /reset (ACL reset to inherited defaults)",
    PsAclModify=1, "PowerShell Set-Acl granting excessive rights",
    CaclsModify=1, "cacls ACL modification",
    AttribHide=1, "attrib hiding file in system path",
    1=1, "Permission modification tool detected"
  )
| table _time, host, user, Image, CommandLine, ParentImage, AlertReason, RiskScore, IsRansomwarePattern, IsBackupTargeted, GrantEveryoneFull, RecursivePermChange, TakeownSystem, AclInheritanceRemoval, PsAclModify
| sort - RiskScore, - _time
Severity: high · Confidence: high

Detects Windows file and directory permission modification using icacls, cacls, takeown, attrib, and PowerShell ACL cmdlets via Sysmon Event ID 1 or Security Event ID 4688 (process creation; 4688 carries the command line only when "Include command line in process creation events" auditing is enabled). Evaluates nine behavioral indicators with a weighted risk scoring model: granting Everyone full control scores highest (5 points, a ransomware hallmark); recursive icacls /grant, takeown on system or backup paths, and PowerShell ACL grants score 3 points each; inheritance removal, icacls /reset, recursive takeown, cacls modification, and attrib hiding in system paths score 2 points each. Results include IsRansomwarePattern and IsBackupTargeted enrichment fields to prioritize the most critical alerts. The indicators cover the procedure examples MITRE CTI documents for this sub-technique, including Ryuk, WannaCry, BitPaymer, BlackByte, WastedLocker and the CaddyWiper wiper.
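To exercise the indicator logic before the query is deployed, the following Python re-implements the scoring above and runs it over constructed process-creation events. This is an added example, not the page's query and not vendor code: the function names (score_event, run_detection), the image paths and the command lines are this example's own, constructed to mirror the four Testing Methodology patterns plus two benign cases (an installer setting permissions on its own directory, and attrib +h outside a system path). The Everyone indicator is written to accept the *S-1-1-0 SID form and the (OI)(CI) inheritance flags icacls allows between principal and permission letter, so Everyone:(OI)(CI)F scores the same as Everyone:F.

```python
"""Offline re-implementation of the T1222.001 SPL scoring, for testing the
indicator regexes against constructed process-creation events.
Added example; not the page's query. All sample events are constructed."""
import re

PERMISSION_TOOLS = {"icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe",
                    "powershell.exe", "pwsh.exe"}

# Everyone may be written by name or as its well-known SID (*S-1-1-0), and icacls
# allows inheritance flags such as (OI)(CI) between principal and permission letter.
EVERYONE_FULL = re.compile(r"(everyone|\*s-1-1-0):(\([a-z]+\))*\(?(f|full)")
SYSTEM_PATH = re.compile(r"c:\\windows|c:\\program|system32|backup|recovery")
BACKUP_TERMS = re.compile(r"backup|recovery|vssadmin|shadow|wbadmin")
PS_ACL_CMDS = re.compile(r"set-acl|addaccessrule|setaccessrule")

WEIGHTS = {"GrantEveryoneFull": 5, "RecursivePermChange": 3, "AclInheritanceRemoval": 2,
           "AclReset": 2, "TakeownSystem": 3, "TakeownRecursive": 2, "CaclsModify": 2,
           "AttribHide": 2, "PsAclModify": 3}

# Same precedence as the SPL case() statement
REASONS = [("GrantEveryoneFull", "ACL grant Everyone full control (ransomware pattern)"),
           ("TakeownSystem", "takeown on system/protected path"),
           ("AclInheritanceRemoval", "ACL inheritance removed"),
           ("AclReset", "icacls /reset (ACL reset to inherited defaults)"),
           ("PsAclModify", "PowerShell Set-Acl granting excessive rights"),
           ("CaclsModify", "cacls ACL modification"),
           ("AttribHide", "attrib hiding file in system path")]


def process_name(image):
    """Last path component, lower-cased: the SPL mvindex(split(Image, "\\"), -1)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def indicators(name, cmd):
    """One boolean per SPL indicator, evaluated on the lower-cased command line."""
    is_ps = name in ("powershell.exe", "pwsh.exe")
    return {
        "GrantEveryoneFull": bool(EVERYONE_FULL.search(cmd)),
        "RecursivePermChange": "icacls" in cmd and bool(re.search(r"/t( |$)", cmd)) and "/grant" in cmd,
        "AclInheritanceRemoval": bool(re.search(r"/inheritance:[rd]", cmd)),
        "AclReset": "icacls" in cmd and "/reset" in cmd,
        "TakeownSystem": "takeown" in cmd and "/f" in cmd and bool(SYSTEM_PATH.search(cmd)),
        "TakeownRecursive": "takeown" in cmd and bool(re.search(r"/r( |$)", cmd)),
        # keyed on the process name: the substring "cacls" is also inside "icacls"
        "CaclsModify": name == "cacls.exe" and ("/e /g" in cmd or "everyone" in cmd or "/p " in cmd),
        "AttribHide": "attrib" in cmd and "+h" in cmd and bool(re.search(r"windows|system32|program", cmd)),
        "PsAclModify": is_ps and bool(PS_ACL_CMDS.search(cmd)) and ("everyone" in cmd or "fullcontrol" in cmd),
    }


def score_event(image, cmdline):
    """Enriched alert row for one event, or None where the SPL would drop it
    (process not in scope, or RiskScore of 0)."""
    name = process_name(image)
    if name not in PERMISSION_TOOLS:
        return None
    cmd = cmdline.lower()
    ind = indicators(name, cmd)
    risk = sum(WEIGHTS[k] for k, hit in ind.items() if hit)
    if risk == 0:
        return None
    reason = next((text for key, text in REASONS if ind[key]), "Permission modification tool detected")
    return {"process": name, "risk": risk, "reason": reason,
            "ransomware_pattern": ind["GrantEveryoneFull"] and (ind["RecursivePermChange"] or ind["TakeownRecursive"]),
            "backup_targeted": bool(BACKUP_TERMS.search(cmd)), **ind}


def run_detection(events):
    """Score (Image, CommandLine) pairs; highest RiskScore first, like the SPL sort."""
    rows = [r for r in (score_event(img, cmd) for img, cmd in events) if r]
    return sorted(rows, key=lambda r: -r["risk"])


# Constructed events: the four Testing Methodology patterns, then two benign cases
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\icacls.exe", r'icacls "C:\Users\Public\Documents" /grant Everyone:(OI)(CI)F /T /C /Q'),
    (r"C:\Windows\System32\icacls.exe", r"icacls C:\Windows\System32\drivers\etc\hosts /reset"),
    (r"C:\Windows\System32\takeown.exe", r"takeown /F C:\Windows\System32\drivers\etc\hosts"),
    (r"C:\Windows\System32\icacls.exe", r"icacls C:\Windows\System32\drivers\etc\hosts /grant *S-1-1-0:F"),
    (r"C:\Windows\System32\icacls.exe", r"icacls D:\Backup /inheritance:r /grant Everyone:F /T"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'''powershell.exe -NoP -C "$a = Get-Acl 'D:\Backup'; $r = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone','FullControl','Allow'); $a.SetAccessRule($r); Set-Acl 'D:\Backup' $a"'''),
    (r"C:\Windows\System32\icacls.exe", r'icacls "C:\Program Files\ExampleApp" /grant "Users:(OI)(CI)M" /T'),
    (r"C:\Windows\System32\attrib.exe", r"attrib +h C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(f'{row["risk"]:>2}  {row["process"]:<15} {row["reason"]}')
```

The installer case scores 3 on the recursive /grant indicator alone and falls through to the generic reason, which is the floor a tuning allow-list on ParentImage needs to address; the attrib case scores 0 and never reaches the table, matching the RiskScore > 0 filter.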

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Sysmon Event ID 1
  • Windows Security Event ID 4688

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security

False Positives & Tuning

  • Software installation packages that use icacls to set permissions on their own application directories during setup (these typically score only 3, via the recursive /grant indicator; allow-list on ParentImage such as msiexec.exe or the installer path rather than on the tool)
  • System administrators using takeown and icacls to recover access to accidentally locked files or directories
  • IT automation tools (SCCM, Ansible, Puppet) enforcing standardized permission baselines
  • Backup software agents modifying ACLs on their own installation and data directories
  • Vulnerability remediation scripts resetting over-permissive ACLs on shared directories
  • The Everyone principal is matched by its English name and by its well-known SID (*S-1-1-0); on non-English Windows builds icacls also accepts the localized name (for example "Jeder" on German systems), which requires extending the regex
  • Security Event ID 4688 without "Include command line in process creation events" enabled carries no command line, so every indicator evaluates to 0 and the event is dropped by the RiskScore filter; Sysmon Event ID 1 always includes CommandLine
Testing Methodology

Validate this detection against the four Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Ryuk/WannaCry Pattern — icacls Grant Everyone Full Control Recursively

    Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:F /T /C /Q'. Security Event ID 4688 (if command line auditing enabled). If object access auditing is enabled on %TEMP%, Security Event ID 4670 (Permissions on an object were changed) with OldSd and NewSd DACL values in SDDL format.

  2. Test 2: BitPaymer Pattern — icacls Reset then takeown

    Expected signal: Sysmon Event ID 1: Three sequential process creation events — icacls.exe with '/reset', takeown.exe with '/F', icacls.exe with '/grant'. All three events will have the same parent process (cmd.exe). Security Event ID 4670 for each ACL change if object auditing is enabled.

  3. Test 3: Wizard Spider Backup Server Pattern — icacls Full Control on Backup Path

    Expected signal: Sysmon Event ID 1: Two process creation events — icacls.exe with '/grant' and the recursive '/T' flag, and icacls.exe with '/inheritance:r' (remove inherited ACEs). CommandLine for both events visible. Security Event ID 4670 if backup path auditing is configured.

  4. Test 4: PowerShell Set-Acl to Grant Everyone Full Control

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FullControl', 'Everyone'. PowerShell ScriptBlock Log Event ID 4104: full script content with FileSystemAccessRule construction and Set-Acl invocation. Security Event ID 4670 if directory auditing is configured.
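Each test above names Security Event ID 4670 as the confirming signal. The following added Python (not part of the page's detection and not vendor tooling) parses the OldSd/NewSd SDDL strings such an event carries and reports which ACEs were added or removed, whether the DACL became protected (the P control flag that icacls /inheritance:r and /inheritance:d set), and whether a full-control ACE for a broad principal such as Everyone (SDDL alias WD) was introduced. The function names and the descriptors are this example's own; the descriptors are constructed to resemble a directory inheriting the default volume ACL before and after an Everyone full-control grant, and after an /inheritance:d change.

```python
"""Diff the OldSd / NewSd security descriptors from Security Event ID 4670 to
show what an icacls or Set-Acl command actually changed.
Added example; not the page's detection. The SDDL strings are constructed."""
import re

SID_NAMES = {"WD": "Everyone", "S-1-1-0": "Everyone", "AU": "Authenticated Users",
             "S-1-5-11": "Authenticated Users", "BU": "Users", "S-1-5-32-545": "Users",
             "BA": "Administrators", "SY": "SYSTEM", "CO": "Creator Owner"}
# Principals broad enough that full control to them defeats the ACL entirely
BROAD_PRINCIPALS = {"WD", "S-1-1-0", "AU", "S-1-5-11", "BU", "S-1-5-32-545"}
# SDDL rights meaning full control: FA / GA aliases, FILE_ALL_ACCESS, GENERIC_ALL masks
FULL_CONTROL = {"fa", "ga", "0x1f01ff", "0x10000000"}


def parse_dacl(sddl):
    """Return (DACL control flags, list of ACE tuples) from an SDDL string.
    An ACE is (type; flags; rights; object_guid; inherit_object_guid; sid)."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return "", []
    aces = [tuple(body.split(";")) for body in re.findall(r"\(([^)]*)\)", m.group(2))]
    return m.group(1), aces


def is_broad_full_control(ace):
    """Allow ACE handing full control to Everyone, Authenticated Users or Users."""
    if len(ace) != 6:
        return False
    ace_type, _flags, rights, _obj, _inherit_obj, sid = ace
    return ace_type == "A" and rights.lower() in FULL_CONTROL and sid.upper() in BROAD_PRINCIPALS


def describe(ace):
    """Human-readable principal:rights, e.g. Everyone:FA."""
    sid = ace[5]
    return f"{SID_NAMES.get(sid.upper(), sid)}:{ace[2]}"


def diff_4670(old_sd, new_sd):
    """Compare the OldSd and NewSd fields of one 4670 event. ACEs are compared as
    whole tuples, so an inherited ACE (ID flag) that icacls converts to an explicit
    one appears as one removal plus one addition."""
    old_flags, old_aces = parse_dacl(old_sd)
    new_flags, new_aces = parse_dacl(new_sd)
    added = [a for a in new_aces if a not in old_aces]
    removed = [a for a in old_aces if a not in new_aces]
    return {
        "added": [describe(a) for a in added],
        "removed": [describe(a) for a in removed],
        # P in the DACL control flags = protected: inheritance from the parent is cut off
        "inheritance_now_protected": "P" in new_flags and "P" not in old_flags,
        "broad_full_control_added": [describe(a) for a in added if is_broad_full_control(a)],
    }


# Constructed OldSd for a directory inheriting the default ACL from its volume
BEFORE = "O:BAG:SYD:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)"
# Constructed NewSd after `icacls <dir> /grant Everyone:(OI)(CI)F`: one explicit ACE added in front
AFTER_GRANT = "O:BAG:SYD:AI(A;OICI;FA;;;WD)(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)"
# Constructed NewSd after `icacls <dir> /inheritance:d`: DACL protected, inherited ACEs copied as explicit
AFTER_INHERIT_D = "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"

if __name__ == "__main__":
    print(diff_4670(BEFORE, AFTER_GRANT))
    print(diff_4670(BEFORE, AFTER_INHERIT_D))
```

Pairing this with the process-creation alert closes the gap between "icacls ran" and "the ACL on this path now grants Everyone full control": the 4688/Sysmon event tells you the intent, the 4670 diff tells you the effect, and the inheritance flag tells you whether a later fix of the parent directory will propagate.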
