Detect Windows File and Directory Permissions Modification in Sumo Logic CSE
Adversaries may modify file or directory permissions on Windows systems using built-in utilities (icacls, cacls, takeown, attrib) or PowerShell ACL cmdlets to bypass access control lists and gain access to protected files. This technique is commonly used by ransomware families (Ryuk, WannaCry, BitPaymer, BlackByte) to take ownership of system files before encryption, by persistence mechanisms preparing hijack targets, and by threat actors (Wizard Spider, Storm-1811) to remove access restrictions on backup and recovery infrastructure. Key patterns include granting Everyone full control (/grant Everyone:F), taking file ownership (takeown /F), resetting ACL inheritance (icacls /reset), and hiding files with attrib +h.
MITRE ATT&CK
- Tactic: Defense Evasion
- Sub-technique: T1222.001 Windows File and Directory Permissions Modification
- Canonical reference: https://attack.mitre.org/techniques/T1222/001/
Sumo Detection Query
(_sourceCategory="*windows*" OR _sourceCategory="*sysmon*" OR _sourceCategory="*WinEventLog*")
| where EventID in ("4688", "1")
// Extract fields from Security Event 4688
| parse field=Message "New Process Name:\t*\r" as SecurityProcessName nodrop
| parse field=Message "Process Command Line:\t*\r" as SecurityCommandLine nodrop
// Extract fields from Sysmon Event 1
| parse field=Message "Image: *\r" as SysmonImage nodrop
| parse field=Message "CommandLine: *\r" as SysmonCommandLine nodrop
| parse field=Message "ParentImage: *\r" as ParentImage nodrop
// Normalise across both sources
| eval ProcessName = if(!isBlank(SecurityProcessName), SecurityProcessName, SysmonImage)
| eval CommandLine = if(!isBlank(SecurityCommandLine), SecurityCommandLine, SysmonCommandLine)
| where !isBlank(ProcessName) and !isBlank(CommandLine)
| eval CmdLower = toLowerCase(CommandLine)
| eval ProcLower = toLowerCase(ProcessName)
| eval ProcessExe = replace(ProcLower, /^.*[\\]/, "")
| where ProcessExe in ("icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe", "powershell.exe", "pwsh.exe")
// Indicator flags
| eval GrantEveryoneFull = if(matches(CmdLower, ".*everyone:(f|full).*"), 1, 0)
| eval RecursivePermChange = if(matches(CmdLower, ".*icacls.*") and matches(CmdLower, ".*/[t].*") and matches(CmdLower, ".*/grant.*"), 1, 0)
| eval AclInheritanceRemoval = if(matches(CmdLower, ".*/inheritance:[rd].*"), 1, 0)
| eval AclReset = if(matches(CmdLower, ".*icacls.*") and matches(CmdLower, ".*/reset.*"), 1, 0)
| eval TakeownSystem = if(matches(CmdLower, ".*takeown.*") and matches(CmdLower, ".*/f.*") and (matches(CmdLower, ".*c:\\\\windows.*") or matches(CmdLower, ".*system32.*") or matches(CmdLower, ".*c:\\\\program.*") or matches(CmdLower, ".*backup.*") or matches(CmdLower, ".*recovery.*")), 1, 0)
| eval TakeownRecursive = if(matches(CmdLower, ".*takeown.*") and matches(CmdLower, ".*/r.*"), 1, 0)
| eval CaclsModify = if(ProcessExe == "cacls.exe" and (matches(CmdLower, ".*everyone.*") or matches(CmdLower, ".*/e /g.*") or matches(CmdLower, ".*/p .*")), 1, 0)
| eval AttribHide = if(ProcessExe == "attrib.exe" and matches(CmdLower, ".*\\+h.*") and (matches(CmdLower, ".*windows.*") or matches(CmdLower, ".*system32.*") or matches(CmdLower, ".*program.*")), 1, 0)
| eval PsAclModify = if((ProcessExe == "powershell.exe" or ProcessExe == "pwsh.exe") and (matches(CmdLower, ".*set-acl.*") or matches(CmdLower, ".*addaccessrule.*") or matches(CmdLower, ".*setaccessrule.*")) and (matches(CmdLower, ".*everyone.*") or matches(CmdLower, ".*fullcontrol.*")), 1, 0)
// Risk scoring
| eval RiskScore = GrantEveryoneFull * 5 + RecursivePermChange * 3 + AclInheritanceRemoval * 2 + AclReset * 2 + TakeownSystem * 3 + TakeownRecursive * 2 + CaclsModify * 2 + AttribHide * 2 + PsAclModify * 3
| where RiskScore > 0
| eval IsRansomwarePattern = if(GrantEveryoneFull == 1 and (RecursivePermChange == 1 or TakeownRecursive == 1), "true", "false")
| eval IsBackupTargeted = if(matches(CmdLower, ".*(backup|recovery|shadow|vssadmin|wbadmin).*"), "true", "false")
| eval AlertReason = if(GrantEveryoneFull == 1, "ACL grant Everyone full control (ransomware pattern)",
if(TakeownSystem == 1, "takeown on system/protected path",
if(AclInheritanceRemoval == 1, "ACL inheritance removed",
if(AclReset == 1, "icacls /reset on sensitive path",
if(PsAclModify == 1, "PowerShell Set-Acl granting excessive rights",
if(CaclsModify == 1, "cacls ACL modification",
if(AttribHide == 1, "attrib hiding file in system path",
"Permission modification tool detected")))))))
| fields _messageTime, Computer, user, ProcessName, CommandLine, ParentImage, AlertReason, RiskScore, IsRansomwarePattern, IsBackupTargeted
| sort by RiskScore desc, _messageTime desc
Detects T1222.001 Windows File and Directory Permissions Modification via icacls, cacls, takeown, attrib, and PowerShell Set-Acl cmdlets. Risk-scored across five indicator categories: Everyone full control grants, recursive ACL changes, inheritance removal, system-path ownership takeover, and PowerShell ACL manipulation. Normalises process fields across Windows Security Event ID 4688 and Sysmon Event ID 1 sources.
Data Sources
Required Tables
False Positives & Tuning
- IT provisioning and imaging workflows that run icacls as part of workstation setup to apply standardized ACL templates to common directories
- Antivirus or EDR products using icacls during installation to lock down their own program directories against user modification
- DFS Replication service or backup agents using takeown to resolve permission conflicts on replicated or archived shares
Other platforms for T1222.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Ryuk/WannaCry Pattern — icacls Grant Everyone Full Control Recursively
Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:F /T /C /Q'. Security Event ID 4688 (if command line auditing enabled). If object access auditing is enabled on %TEMP%, Security Event ID 4670 (Permissions on an object were changed) with OldSd and NewSd DACL values in SDDL format.
- Test 2: BitPaymer Pattern — icacls Reset then takeown
Expected signal: Sysmon Event ID 1: Three sequential process creation events — icacls.exe with '/reset', takeown.exe with '/F', icacls.exe with '/grant'. All three events will have the same parent process (cmd.exe). Security Event ID 4670 for each ACL change if object auditing is enabled.
- Test 3: Wizard Spider Backup Server Pattern — icacls Full Control on Backup Path
Expected signal: Sysmon Event ID 1: Two process creation events — icacls.exe with '/grant' recursive flag, and icacls.exe with '/inheritance:r' (remove inherited ACEs). CommandLine for both events visible. Security Event ID 4670 if backup path auditing is configured.
- Test 4: PowerShell Set-Acl to Grant Everyone Full Control
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FullControl', 'Everyone'. PowerShell ScriptBlock Log Event ID 4104: full script content with FileSystemAccessRule construction and Set-Acl invocation. Security Event ID 4670 if directory auditing is configured.
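To check the query's parse, flag and scoring stages offline before running the Atomic tests, here is a Python port of the same logic (added here; it is not the page's or Sumo Logic's code) run over constructed Sysmon Event ID 1 and Security Event ID 4688 messages modelled on the expected signals of Tests 1 and 4 above, plus a benign icacls run. All events, paths and command lines are constructed samples; the weights, regexes and alert reasons mirror the query line by line.

```python
import re
# Constructed sample events (not real telemetry), modelled on the expected signals of Tests 1 and 4
# above, plus one benign icacls run that should be filtered out with a score of zero.
SAMPLE_EVENTS = [
    {"EventID": "1", "Message": "Image: C:\\Windows\\System32\\icacls.exe\r\n"
     "CommandLine: icacls C:\\Users\\Public\\docs /grant Everyone:F /T /C /Q\r\n"
     "ParentImage: C:\\Windows\\System32\\cmd.exe\r\n"},
    {"EventID": "4688", "Message": "New Process Name:\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n"
     "Process Command Line:\tpowershell -c \"$a=Get-Acl C:\\Backup;$a.AddAccessRule((New-Object System.Security."
     "AccessControl.FileSystemAccessRule('Everyone','FullControl','Allow')));Set-Acl C:\\Backup $a\"\r\n"},
    {"EventID": "1", "Message": "Image: C:\\Windows\\System32\\icacls.exe\r\n"
     "CommandLine: icacls C:\\Temp\\x.txt /grant Alice:R\r\nParentImage: C:\\Windows\\explorer.exe\r\n"},
]
TOOLS = ("icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe", "powershell.exe", "pwsh.exe")
WEIGHTS = {"GrantEveryoneFull": 5, "RecursivePermChange": 3, "AclInheritanceRemoval": 2, "AclReset": 2,
           "TakeownSystem": 3, "TakeownRecursive": 2, "CaclsModify": 2, "AttribHide": 2, "PsAclModify": 3}
REASONS = [("GrantEveryoneFull", "ACL grant Everyone full control (ransomware pattern)"),
           ("TakeownSystem", "takeown on system/protected path"), ("AclInheritanceRemoval", "ACL inheritance removed"),
           ("AclReset", "icacls /reset on sensitive path"), ("PsAclModify", "PowerShell Set-Acl granting excessive rights"),
           ("CaclsModify", "cacls ACL modification"), ("AttribHide", "attrib hiding file in system path")]

def field(msg, label):  # the query's parse field=Message "<label>*\r" ... nodrop: '' when the label is absent
    m = re.search(r"^" + re.escape(label) + r"([^\r\n]*)", msg, re.M)
    return m.group(1) if m else ""

def evaluate(event):
    """Port of the query's normalise / flag / score stages; returns the alert row, or None when filtered out."""
    msg = event["Message"]
    proc = field(msg, "New Process Name:\t") or field(msg, "Image: ")         # SecurityProcessName else SysmonImage
    cmd = field(msg, "Process Command Line:\t") or field(msg, "CommandLine: ")
    if event["EventID"] not in ("4688", "1") or not proc or not cmd: return None
    c, exe = cmd.lower(), re.sub(r"^.*[\\]", "", proc.lower())                # CmdLower, ProcessExe
    if exe not in TOOLS: return None
    has = lambda pat: re.search(pat, c) is not None                            # matches(CmdLower, ".*pat.*")
    flags = {
        "GrantEveryoneFull": has(r"everyone:(f|full)"),
        "RecursivePermChange": has("icacls") and has("/t") and has("/grant"),
        "AclInheritanceRemoval": has(r"/inheritance:[rd]"),
        "AclReset": has("icacls") and has("/reset"),
        "TakeownSystem": has("takeown") and has("/f") and has(r"c:\\windows|system32|c:\\program|backup|recovery"),
        "TakeownRecursive": has("takeown") and has("/r"),
        "CaclsModify": exe == "cacls.exe" and has("everyone|/e /g|/p "),
        "AttribHide": exe == "attrib.exe" and has(r"\+h") and has("windows|system32|program"),
        "PsAclModify": exe in ("powershell.exe", "pwsh.exe") and has("set-acl|addaccessrule|setaccessrule") and has("everyone|fullcontrol"),
    }
    risk = sum(WEIGHTS[k] for k, v in flags.items() if v)
    if risk == 0: return None                                                  # where RiskScore > 0
    return {"ProcessExe": exe, "ParentImage": field(msg, "ParentImage: "), "RiskScore": risk,
            "AlertReason": next((r for k, r in REASONS if flags[k]), "Permission modification tool detected"),
            "IsRansomwarePattern": flags["GrantEveryoneFull"] and (flags["RecursivePermChange"] or flags["TakeownRecursive"]),
            "IsBackupTargeted": has("backup|recovery|shadow|vssadmin|wbadmin")}
```

Feeding your own 4688 or Sysmon message bodies into `evaluate` is a quick way to see which indicator flags fire and whether a tuning exclusion from the False Positives section would still leave the ransomware patterns scoring.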
References (12)
- https://attack.mitre.org/techniques/T1222/001/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
- https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces
- https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/
- https://www.crowdstrike.com/blog/indrik-spider-supersized-evil-corp-upgrades-dridex-payload-wasted-locker/
- https://www.logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/
- https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
- https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
- https://www.rapid7.com/blog/post/2024/05/10/ongoing-social-engineering-campaign-refreshes-payload/