Detect File and Directory Permissions Modification in CrowdStrike LogScale
Adversaries may modify file or directory permissions and ACLs to evade access controls and enable access to protected files. On Windows, tools like icacls, cacls, takeown, attrib, and PowerShell's Set-Acl cmdlet are abused to grant unauthorized access, remove inheritance, or take ownership of sensitive files and directories. On Linux and macOS, chmod, chown, chattr, and setfacl are used to widen permissions on credential files, binaries, or configuration data. Permission modifications commonly precede or accompany other techniques such as persistence via accessibility features, boot scripts, or hijack execution flow.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Canonical reference
- https://attack.mitre.org/techniques/T1222/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| where ImageFileName =~ /(?i)(icacls|cacls|xcacls|takeown|attrib|SetACL)\.exe$/
or (ImageFileName =~ /(?i)powershell\.exe$/ and CommandLine =~ /(?i)(Set-Acl|SetAccessControl|InheritanceFlags|PropagationFlags|FileSystemAccessRule|RegistryAccessRule|AddAccessRule|SetOwner)/)
or (ImageFileName =~ /(?i)cmd\.exe$/ and CommandLine =~ /(?i)(icacls|cacls|takeown|SetACL)/)
| IsTool := if(ImageFileName =~ /(?i)(icacls|cacls|xcacls|takeown|attrib|SetACL)\.exe$/, 1, 0)
| GrantsEveryone := if(CommandLine =~ /(?i)(everyone|S-1-1-0)/, 1, 0)
| RemovesInheritance := if(CommandLine =~ /\/inheritance:[rd]/i, 1, 0)
| TakeOwnership := if(ImageFileName =~ /(?i)takeown\.exe$/ or CommandLine =~ /\/setowner/i, 1, 0)
| GrantsFullControl := if(CommandLine =~ /(\(F\)|\(OI\)\(CI\)F|\/grant[^:]*:F)/i, 1, 0)
| HighValuePath := if(CommandLine =~ /(?i)(\\system32|\\syswow64|\\windows\\|\\program.files|\\programdata|\\sam|\\security|\\ntds|\\lsass|\\hosts)/, 1, 0)
| IsPowerShellACL := if(ImageFileName =~ /(?i)powershell\.exe$/ and CommandLine =~ /(?i)(Set-Acl|SetAccessControl|AddAccessRule)/, 1, 0)
| SuspicionScore := IsTool + GrantsEveryone + RemovesInheritance + TakeOwnership + GrantsFullControl + HighValuePath
| where SuspicionScore > 0 or IsPowerShellACL = 1
| select([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, GrantsEveryone, RemovesInheritance, TakeOwnership, GrantsFullControl, HighValuePath, IsPowerShellACL, SuspicionScore])
| sort(field=timestamp, order=desc)Detects T1222 File and Directory Permissions Modification in CrowdStrike Falcon via LogScale CQL against ProcessRollup2 events in the Falcon Data Replicator feed. Mirrors the scoring model from the KQL and SPL detections: computes IsTool, GrantsEveryone, RemovesInheritance, TakeOwnership, GrantsFullControl, and HighValuePath signals into a SuspicionScore for analyst triage. Fires when SuspicionScore > 0 or a PowerShell ACL pattern is matched.
Data Sources
Required Tables
False Positives & Tuning
- IT operations teams using icacls scripts for bulk permission remediation after ransomware recovery, AD permission inheritance repair, or large-scale profile migration projects
- Application packaging teams running takeown and icacls as part of MSI, MSIX, or App-V transformation workflows for enterprise software distribution
- PowerShell DSC (Desired State Configuration) or Ansible WinRM playbooks that invoke Set-Acl to enforce and maintain configuration baseline permission states on servers
Other platforms for T1222
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1icacls Grant Everyone Full Control on Test File
Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:(F)'. Security Event ID 4670 (if Object Access auditing enabled) showing the permission change on the temp file. Security Event ID 4688 (if process auditing enabled) with command line.
- Test 2takeown and icacls Ownership Transfer Sequence
Expected signal: Two Sysmon Event ID 1 entries: first for takeown.exe with /F flag, second for icacls.exe with /grant flag. Security Event ID 4670 for the ACL change. Security Event ID 4672 (Special Privileges Assigned) if run with elevated rights. The sequential execution of takeown then icacls within a short time window is a high-confidence indicator.
- Test 3PowerShell Set-Acl to Widen Directory Permissions
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FileSystemAccessRule', 'Everyone', 'FullControl', and 'AddAccessRule'. PowerShell ScriptBlock Log Event ID 4104 capturing the full ACL manipulation code. Security Event ID 4670 on the target directory.
- Test 4icacls Remove ACL Inheritance on Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe and CommandLine containing '/inheritance:r'. Security Event ID 4670 showing the removal of inherited ACEs (Access Control Entries) from the directory. The OldSd field in Event 4670 will show inherited entries, NewSd will show none.
- Test 5attrib to Remove Hidden and System Attributes from Malware Artifacts
Expected signal: Two Sysmon Event ID 1 entries for attrib.exe: first with +H +S flags (adding attributes), second with -H -S -R flags (removing attributes). Security Event ID 4663 if file auditing is enabled. The attribute removal (-H -S -R) invocation is the malicious indicator — the first is included to simulate the full adversary workflow.
References (16)
- https://attack.mitre.org/techniques/T1222/
- https://attack.mitre.org/techniques/T1222/001/
- https://attack.mitre.org/techniques/T1222/002/
- https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100
- https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110
- https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/
- https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware
- https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1222 including response playbook, investigation guide, and atomic red team tests.