Detect File and Directory Permissions Modification in Microsoft Sentinel
Adversaries may modify file or directory permissions and ACLs to evade access controls and enable access to protected files. On Windows, tools like icacls, cacls, takeown, attrib, and PowerShell's Set-Acl cmdlet are abused to grant unauthorized access, remove inheritance, or take ownership of sensitive files and directories. On Linux and macOS, chmod, chown, chattr, and setfacl are used to widen permissions on credential files, binaries, or configuration data. Permission modifications commonly precede or accompany other techniques such as persistence via accessibility features, boot scripts, or hijack execution flow.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Canonical reference
- https://attack.mitre.org/techniques/T1222/
KQL Detection Query
let PermModTools = dynamic(["icacls.exe", "cacls.exe", "xcacls.exe", "takeown.exe", "attrib.exe", "SetACL.exe"]);
let HighValuePaths = dynamic(["\\system32\\", "\\syswow64\\", "\\windows\\", "\\program files\\", "\\programdata\\", "\\users\\", "\\sam", "\\security", "\\ntds", "\\lsass", "\\hosts"]);
let SuspiciousFlags = dynamic(["/grant", "/deny", "/reset", "/setowner", "/inheritance:r", "/inheritance:d", "Everyone", "BUILTIN\\Everyone", ":(OI)(CI)F", ":(F)", "/T /C /Q"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (PermModTools)
or (FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Set-Acl", "SetAccessControl", "InheritanceFlags", "PropagationFlags", "FileSystemAccessRule", "RegistryAccessRule", "AddAccessRule", "SetOwner"))
or (FileName =~ "cmd.exe" and ProcessCommandLine has_any ("icacls", "cacls", "takeown", "SetACL"))
| extend IsPermTool = FileName in~ (PermModTools)
| extend IsHighValuePath = ProcessCommandLine has_any (HighValuePaths)
| extend HasSuspiciousFlag = ProcessCommandLine has_any (SuspiciousFlags)
| extend GrantsEveryone = ProcessCommandLine has_any ("Everyone", "BUILTIN\\Everyone", "*S-1-1-0*")
| extend RemovesInheritance = ProcessCommandLine has_any ("/inheritance:r", "/inheritance:d")
| extend TakeOwnership = FileName =~ "takeown.exe" or ProcessCommandLine has "/setowner"
| extend GrantsFullControl = ProcessCommandLine has_any (":(F)", ":(OI)(CI)F", "/grant Everyone:F", "/grant *:F")
| extend IsPowerShellACL = FileName =~ "powershell.exe" and ProcessCommandLine has_any ("Set-Acl", "SetAccessControl", "AddAccessRule")
| extend SuspicionScore = toint(IsHighValuePath) + toint(HasSuspiciousFlag) + toint(GrantsEveryone) + toint(RemovesInheritance) + toint(TakeOwnership) + toint(GrantsFullControl)
| where SuspicionScore > 0 or IsPermTool or IsPowerShellACL
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
IsHighValuePath, HasSuspiciousFlag, GrantsEveryone, RemovesInheritance,
TakeOwnership, GrantsFullControl, IsPowerShellACL, SuspicionScore
| sort by Timestamp descDetects file and directory permission modification on Windows using Microsoft Defender for Endpoint DeviceProcessEvents. Monitors for native permission tools (icacls, cacls, xcacls, takeown, attrib, SetACL) and PowerShell ACL cmdlets (Set-Acl, SetAccessControl, AddAccessRule). Assigns a suspicion score based on high-value path targets, Everyone grants, inheritance removal, full control grants, and ownership changes. Covers both direct tool invocation and cmd.exe-wrapped execution.
Data Sources
Required Tables
False Positives & Tuning
- Software installation routines that reset permissions on application directories during setup or update (SCCM, Intune, installers)
- IT administrators using icacls or takeown to recover access to orphaned files after account migrations or domain rejoins
- Backup agents (Veeam, Acronis, Windows Server Backup) that modify file ACLs to enable backup of protected files
- Endpoint security tools resetting permissions on quarantined files or their own installation directories
- CI/CD pipeline agents (GitHub Actions, Jenkins, Azure DevOps agents) adjusting permissions on build artifact directories
Other platforms for T1222
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1icacls Grant Everyone Full Control on Test File
Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:(F)'. Security Event ID 4670 (if Object Access auditing enabled) showing the permission change on the temp file. Security Event ID 4688 (if process auditing enabled) with command line.
- Test 2takeown and icacls Ownership Transfer Sequence
Expected signal: Two Sysmon Event ID 1 entries: first for takeown.exe with /F flag, second for icacls.exe with /grant flag. Security Event ID 4670 for the ACL change. Security Event ID 4672 (Special Privileges Assigned) if run with elevated rights. The sequential execution of takeown then icacls within a short time window is a high-confidence indicator.
- Test 3PowerShell Set-Acl to Widen Directory Permissions
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FileSystemAccessRule', 'Everyone', 'FullControl', and 'AddAccessRule'. PowerShell ScriptBlock Log Event ID 4104 capturing the full ACL manipulation code. Security Event ID 4670 on the target directory.
- Test 4icacls Remove ACL Inheritance on Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe and CommandLine containing '/inheritance:r'. Security Event ID 4670 showing the removal of inherited ACEs (Access Control Entries) from the directory. The OldSd field in Event 4670 will show inherited entries, NewSd will show none.
- Test 5attrib to Remove Hidden and System Attributes from Malware Artifacts
Expected signal: Two Sysmon Event ID 1 entries for attrib.exe: first with +H +S flags (adding attributes), second with -H -S -R flags (removing attributes). Security Event ID 4663 if file auditing is enabled. The attribute removal (-H -S -R) invocation is the malicious indicator — the first is included to simulate the full adversary workflow.
References (16)
- https://attack.mitre.org/techniques/T1222/
- https://attack.mitre.org/techniques/T1222/001/
- https://attack.mitre.org/techniques/T1222/002/
- https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100
- https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110
- https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/
- https://go.kaspersky.com/rs/802-IJN-240/images/TR_BlackCat_Report.pdf
- https://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-analyzing.html
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware
- https://www.crowdstrike.com/blog/falcon-overwatch-contributes-to-blackcat-protection/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-acl
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
Unlock Pro Content
Get the full detection package for T1222 including response playbook, investigation guide, and atomic red team tests.