Detect File and Directory Permissions Modification in Elastic Security
Adversaries may modify file or directory permissions and ACLs to evade access controls and enable access to protected files. On Windows, tools like icacls, cacls, takeown, attrib, and PowerShell's Set-Acl cmdlet are abused to grant unauthorized access, remove inheritance, or take ownership of sensitive files and directories. On Linux and macOS, chmod, chown, chattr, and setfacl are used to widen permissions on credential files, binaries, or configuration data. Permission modifications commonly precede or accompany other techniques such as persistence via accessibility features, boot scripts, or hijack execution flow.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Canonical reference
- https://attack.mitre.org/techniques/T1222/
Elastic Detection Query
process where event.type == "start" and (
process.name in~ ("icacls.exe", "cacls.exe", "xcacls.exe", "takeown.exe", "attrib.exe", "SetACL.exe") or
(
process.name like~ "powershell.exe" and
process.command_line like~ ("*Set-Acl*", "*SetAccessControl*", "*InheritanceFlags*", "*PropagationFlags*", "*FileSystemAccessRule*", "*RegistryAccessRule*", "*AddAccessRule*", "*SetOwner*")
) or
(
process.name like~ "cmd.exe" and
process.command_line like~ ("*icacls*", "*cacls*", "*takeown*", "*SetACL*")
)
)Detects T1222 File and Directory Permissions Modification on Windows via icacls, cacls, xcacls, takeown, attrib, and SetACL executables, as well as PowerShell ACL cmdlets (Set-Acl, SetAccessControl, AddAccessRule, InheritanceFlags). Uses ECS process fields targeting Elastic Defend or Winlogbeat/Sysmon data. Matches the same behavioral scope as the KQL and SPL detections for this technique.
Data Sources
Required Tables
False Positives & Tuning
- System administrators using icacls, takeown, or attrib during planned maintenance windows, post-incident permission remediation, or security baseline enforcement tasks
- Software installation packages (MSI, NSIS, InstallShield, WiX) that invoke icacls or PowerShell Set-Acl to configure ACLs on Program Files, ProgramData, or application-specific directories as part of normal setup
- Group Policy processing, SCCM/MECM client agent, or Intune Management Extension that legitimately resets file or registry permissions on managed endpoints during policy application
Other platforms for T1222
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1icacls Grant Everyone Full Control on Test File
Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:(F)'. Security Event ID 4670 (if Object Access auditing enabled) showing the permission change on the temp file. Security Event ID 4688 (if process auditing enabled) with command line.
- Test 2takeown and icacls Ownership Transfer Sequence
Expected signal: Two Sysmon Event ID 1 entries: first for takeown.exe with /F flag, second for icacls.exe with /grant flag. Security Event ID 4670 for the ACL change. Security Event ID 4672 (Special Privileges Assigned) if run with elevated rights. The sequential execution of takeown then icacls within a short time window is a high-confidence indicator.
- Test 3PowerShell Set-Acl to Widen Directory Permissions
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FileSystemAccessRule', 'Everyone', 'FullControl', and 'AddAccessRule'. PowerShell ScriptBlock Log Event ID 4104 capturing the full ACL manipulation code. Security Event ID 4670 on the target directory.
- Test 4icacls Remove ACL Inheritance on Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe and CommandLine containing '/inheritance:r'. Security Event ID 4670 showing the removal of inherited ACEs (Access Control Entries) from the directory. The OldSd field in Event 4670 will show inherited entries, NewSd will show none.
- Test 5attrib to Remove Hidden and System Attributes from Malware Artifacts
Expected signal: Two Sysmon Event ID 1 entries for attrib.exe: first with +H +S flags (adding attributes), second with -H -S -R flags (removing attributes). Security Event ID 4663 if file auditing is enabled. The attribute removal (-H -S -R) invocation is the malicious indicator — the first is included to simulate the full adversary workflow.
References (16)
- https://attack.mitre.org/techniques/T1222/
- https://attack.mitre.org/techniques/T1222/001/
- https://attack.mitre.org/techniques/T1222/002/
- https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100
- https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110
- https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/
- https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware
- https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1222 including response playbook, investigation guide, and atomic red team tests.