Detect File and Directory Permissions Modification in IBM QRadar
Adversaries may modify file or directory permissions and ACLs to evade access controls and enable access to protected files. On Windows, tools like icacls, cacls, takeown, attrib, and PowerShell's Set-Acl cmdlet are abused to grant unauthorized access, remove inheritance, or take ownership of sensitive files and directories. On Linux and macOS, chmod, chown, chattr, and setfacl are used to widen permissions on credential files, binaries, or configuration data. Permission modifications commonly precede or accompany other techniques such as persistence via accessibility features, boot scripts, or hijack execution flow.
MITRE ATT&CK
- Tactic: Defense Evasion
- Canonical reference: https://attack.mitre.org/techniques/T1222/
QRadar Detection Query
    SELECT
        DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
        LOGSOURCETYPENAME(logsourceid) AS log_source_type,
        username,
        sourceip,
        "Process Name" AS process_name,
        "Command" AS command_line,
        "Parent Process Name" AS parent_process_name,
        CASE
            WHEN "Process Name" ILIKE '%icacls.exe%'
              OR "Process Name" ILIKE '%cacls.exe%'
              OR "Process Name" ILIKE '%xcacls.exe%'
              OR "Process Name" ILIKE '%takeown.exe%'
              OR "Process Name" ILIKE '%attrib.exe%'
              OR "Process Name" ILIKE '%setacl.exe%' THEN 1
            ELSE 0
        END AS is_perm_tool,
        CASE
            WHEN "Command" ILIKE '%everyone%' OR "Command" ILIKE '%S-1-1-0%' THEN 1
            ELSE 0
        END AS grants_everyone,
        CASE
            WHEN "Command" ILIKE '%/inheritance:r%' OR "Command" ILIKE '%/inheritance:d%' THEN 1
            ELSE 0
        END AS removes_inheritance,
        CASE
            WHEN "Process Name" ILIKE '%takeown.exe%' OR "Command" ILIKE '%/setowner%' THEN 1
            ELSE 0
        END AS take_ownership,
        CASE
            WHEN "Command" ILIKE '%:(F)%'
              OR "Command" ILIKE '%:(OI)(CI)F%'
              OR "Command" ILIKE '%/grant%:F%' THEN 1
            ELSE 0
        END AS grants_full_control,
        CASE
            WHEN "Command" ILIKE '%\\system32\\%'
              OR "Command" ILIKE '%\\syswow64\\%'
              OR "Command" ILIKE '%\\windows\\%'
              OR "Command" ILIKE '%\\ntds%'
              OR "Command" ILIKE '%\\lsass%'
              OR "Command" ILIKE '%\\sam%'
              OR "Command" ILIKE '%\\hosts%'
              OR "Command" ILIKE '%\\programdata\\%'
              OR "Command" ILIKE '%\\program files\\%' THEN 1
            ELSE 0
        END AS high_value_path
    FROM events
    WHERE LOGSOURCETYPENAME(logsourceid) ILIKE '%Windows%'
      AND (
        "Process Name" ILIKE '%icacls.exe%'
        OR "Process Name" ILIKE '%cacls.exe%'
        OR "Process Name" ILIKE '%xcacls.exe%'
        OR "Process Name" ILIKE '%takeown.exe%'
        OR "Process Name" ILIKE '%attrib.exe%'
        OR "Process Name" ILIKE '%setacl.exe%'
        OR (
          "Process Name" ILIKE '%powershell.exe%'
          AND (
            "Command" ILIKE '%Set-Acl%'
            OR "Command" ILIKE '%SetAccessControl%'
            OR "Command" ILIKE '%AddAccessRule%'
            OR "Command" ILIKE '%InheritanceFlags%'
            OR "Command" ILIKE '%FileSystemAccessRule%'
            OR "Command" ILIKE '%SetOwner%'
          )
        )
        OR (
          "Process Name" ILIKE '%cmd.exe%'
          AND (
            "Command" ILIKE '%icacls%'
            OR "Command" ILIKE '%cacls%'
            OR "Command" ILIKE '%takeown%'
            OR "Command" ILIKE '%SetACL%'
          )
        )
      )
    LAST 24 HOURS

Detects T1222 File and Directory Permissions Modification in QRadar AQL against Windows event log sources. Queries the events table using the custom DSM-extracted properties 'Process Name' and 'Command' from Sysmon or Windows Security logs. All pattern comparisons use ILIKE (case-insensitive), so flag spellings such as /inheritance:R or Everyone:(f) are scored the same as the lowercase forms. Returns scored fields (is_perm_tool, grants_everyone, removes_inheritance, take_ownership, grants_full_control, high_value_path) mirroring the KQL and SPL detection logic for analyst triage.
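The scoring logic above, re-implemented offline so the patterns can be checked against sample events before the rule is deployed. This is an added example, not code from the rule page: the event records are constructed (modelled on Tests 1, 3 and 4 in the Testing Methodology below plus an SCCM-style deployment run from the False Positives list), the field names process_name/command/parent are assumed, and every comparison is case-insensitive to match ILIKE.

```python
# Added example (not from the rule page): offline mirror of the AQL scoring above,
# run over constructed Sysmon-style events to check pattern coverage before the rule goes live.
import re
PERM_TOOLS = ("icacls.exe", "cacls.exe", "xcacls.exe", "takeown.exe", "attrib.exe", "setacl.exe")
PS_ACL = ("set-acl", "setaccesscontrol", "addaccessrule", "inheritanceflags",
          "filesystemaccessrule", "setowner")
CMD_ACL = ("icacls", "cacls", "takeown", "setacl")
HIGH_VALUE = ("\\system32\\", "\\syswow64\\", "\\windows\\", "\\ntds", "\\lsass",
              "\\sam", "\\hosts", "\\programdata\\", "\\program files\\")

def in_scope(ev):
    """Mirror of the WHERE clause (ILIKE, so everything is compared lower-cased)."""
    proc, cmd = ev["process_name"].lower(), ev["command"].lower()
    return (any(t in proc for t in PERM_TOOLS)
            or ("powershell.exe" in proc and any(k in cmd for k in PS_ACL))
            or ("cmd.exe" in proc and any(k in cmd for k in CMD_ACL)))

def score(ev):
    """Mirror of the CASE expressions; LIKE '%/grant%:F%' becomes the regex /grant.*:f."""
    proc, cmd = ev["process_name"].lower(), ev["command"].lower()
    return {
        "is_perm_tool": int(any(t in proc for t in PERM_TOOLS)),
        "grants_everyone": int("everyone" in cmd or "s-1-1-0" in cmd),
        "removes_inheritance": int("/inheritance:r" in cmd or "/inheritance:d" in cmd),
        "take_ownership": int("takeown.exe" in proc or "/setowner" in cmd),
        "grants_full_control": int(":(f)" in cmd or ":(oi)(ci)f" in cmd
                                   or re.search(r"/grant.*:f", cmd) is not None),
        "high_value_path": int(any(p in cmd for p in HIGH_VALUE)),
    }

def triage(events, trusted_parents=()):
    """WHERE clause, then a parent-process allowlist (the deployment agents from the
    False Positives list), then the scored flags for each surviving event."""
    hits = {}
    for ev in events:
        if in_scope(ev) and ev["parent"].lower() not in trusted_parents:
            hits[ev["id"]] = score(ev)
    return hits
# Constructed records shaped like Sysmon Event ID 1 process creations (not real telemetry)
SAMPLE_EVENTS = [
    {"id": "t1", "process_name": r"C:\Windows\System32\icacls.exe", "parent": "cmd.exe",
     "command": r"icacls C:\Users\Public\tmp.txt /grant Everyone:(F)"},
    {"id": "t3", "process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": "explorer.exe", "command": "powershell -c $a.AddAccessRule($r); Set-Acl C:\\Tmp $a"},
    {"id": "t4", "process_name": r"C:\Windows\System32\icacls.exe", "parent": "cmd.exe",
     "command": r"icacls C:\ProgramData\App /inheritance:R"},
    {"id": "sccm", "process_name": r"C:\Windows\System32\icacls.exe", "parent": "CcmExec.exe",
     "command": r'icacls "C:\Program Files\Vendor" /grant "BUILTIN\Users":(OI)(CI)RX'},
]
```

Note that the PowerShell event (t3) passes the WHERE clause but scores zero on every flag, because none of the CASE patterns look for FullControl or the rule-object parameters; for that path the Event ID 4104 script block content named under Test 3 is the better triage source.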
False Positives & Tuning
- IT operations teams running icacls or takeown scripts for bulk permission remediation after ransomware recovery events, AD recycle bin restores, or permission inheritance repairs
- Automated software deployment pipelines (SCCM, PDQ Deploy, Chocolatey) that invoke icacls to set ACLs on application directories during installation or update
- Backup agents, DLP solutions, or endpoint security products that use attrib or ACL modification to protect their own installation directories from user tampering
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: icacls Grant Everyone Full Control on Test File
Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:(F)'. Security Event ID 4670 (if Object Access auditing enabled) showing the permission change on the temp file. Security Event ID 4688 (if process auditing enabled) with command line.
- Test 2: takeown and icacls Ownership Transfer Sequence
Expected signal: Two Sysmon Event ID 1 entries: first for takeown.exe with /F flag, second for icacls.exe with /grant flag. Security Event ID 4670 for the ACL change. Security Event ID 4672 (Special Privileges Assigned) if run with elevated rights. The sequential execution of takeown then icacls within a short time window is a high-confidence indicator.
- Test 3: PowerShell Set-Acl to Widen Directory Permissions
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FileSystemAccessRule', 'Everyone', 'FullControl', and 'AddAccessRule'. PowerShell ScriptBlock Log Event ID 4104 capturing the full ACL manipulation code. Security Event ID 4670 on the target directory.
- Test 4: icacls Remove ACL Inheritance on Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe and CommandLine containing '/inheritance:r'. Security Event ID 4670 showing the removal of inherited ACEs (Access Control Entries) from the directory. The OldSd field in Event 4670 will show inherited entries, NewSd will show none.
- Test 5: attrib to Remove Hidden and System Attributes from Malware Artifacts
Expected signal: Two Sysmon Event ID 1 entries for attrib.exe: first with +H +S flags (adding attributes), second with -H -S -R flags (removing attributes). Security Event ID 4663 if file auditing is enabled. The attribute removal (-H -S -R) invocation is the malicious indicator — the first is included to simulate the full adversary workflow.
References (16)
- https://attack.mitre.org/techniques/T1222/
- https://attack.mitre.org/techniques/T1222/001/
- https://attack.mitre.org/techniques/T1222/002/
- https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100
- https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110
- https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/
- https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware
- https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation