T1222 Sumo Logic CSE · Sumo

Detect File and Directory Permissions Modification in Sumo Logic CSE

Adversaries may modify file or directory permissions and ACLs to evade access controls and enable access to protected files. On Windows, tools like icacls, cacls, takeown, attrib, and PowerShell's Set-Acl cmdlet are abused to grant unauthorized access, remove inheritance, or take ownership of sensitive files and directories. On Linux and macOS, chmod, chown, chattr, and setfacl are used to widen permissions on credential files, binaries, or configuration data. Permission modifications commonly precede or accompany other techniques such as persistence via accessibility features, boot scripts, or hijack execution flow.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1222 File and Directory Permissions Modification
Canonical reference
https://attack.mitre.org/techniques/T1222/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where EventCode = 1
| where Image matches "*icacls.exe" OR Image matches "*cacls.exe" OR Image matches "*xcacls.exe"
      OR Image matches "*takeown.exe" OR Image matches "*attrib.exe" OR Image matches "*SetACL.exe"
      OR (Image matches "*powershell.exe"
          AND (CommandLine matches "*Set-Acl*" OR CommandLine matches "*SetAccessControl*"
               OR CommandLine matches "*AddAccessRule*" OR CommandLine matches "*InheritanceFlags*"
               OR CommandLine matches "*FileSystemAccessRule*" OR CommandLine matches "*SetOwner*"))
      OR (Image matches "*cmd.exe"
          AND (CommandLine matches "*icacls*" OR CommandLine matches "*cacls*"
               OR CommandLine matches "*takeown*" OR CommandLine matches "*SetACL*"))
// Sumo has no eval operator: each 0/1 signal is an if() expression aliased with "as"
| if(Image matches "*icacls.exe*" OR Image matches "*cacls.exe*" OR Image matches "*xcacls.exe*" OR Image matches "*takeown.exe*" OR Image matches "*attrib.exe*" OR Image matches "*SetACL.exe*", 1, 0) as IsTool
| if(toLowerCase(CommandLine) matches "*everyone*" OR CommandLine matches "*S-1-1-0*", 1, 0) as GrantsEveryone
| if(CommandLine matches "*/inheritance:r*" OR CommandLine matches "*/inheritance:d*", 1, 0) as RemovesInheritance
| if(Image matches "*takeown.exe*" OR toLowerCase(CommandLine) matches "*/setowner*", 1, 0) as TakeOwnership
| if(CommandLine matches "*:(F)*" OR CommandLine matches "*:(OI)(CI)F*" OR CommandLine matches "*/grant*:F*", 1, 0) as GrantsFullControl
| if(toLowerCase(CommandLine) matches "*\\system32\\*" OR toLowerCase(CommandLine) matches "*\\syswow64\\*" OR toLowerCase(CommandLine) matches "*\\windows\\*" OR toLowerCase(CommandLine) matches "*\\ntds*" OR toLowerCase(CommandLine) matches "*\\lsass*" OR toLowerCase(CommandLine) matches "*\\sam*" OR toLowerCase(CommandLine) matches "*\\hosts*" OR toLowerCase(CommandLine) matches "*\\programdata\\*", 1, 0) as HighValuePath
| if(Image matches "*powershell.exe*" AND (CommandLine matches "*Set-Acl*" OR CommandLine matches "*SetAccessControl*" OR CommandLine matches "*AddAccessRule*"), 1, 0) as IsPowerShellACL
// Sum the six behavioral signals; IsPowerShellACL is checked separately below
| IsTool + GrantsEveryone + RemovesInheritance + TakeOwnership + GrantsFullControl + HighValuePath as SuspicionScore
| where SuspicionScore > 0 OR IsPowerShellACL = 1
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, GrantsEveryone, RemovesInheritance, TakeOwnership, GrantsFullControl, HighValuePath, IsPowerShellACL, SuspicionScore
| sort by _time desc
Severity: medium · Confidence: high

Detects T1222 File and Directory Permissions Modification in Sumo Logic against Windows Sysmon EventCode 1 (Process Create) logs. Computes a SuspicionScore from six behavioral signals — IsTool, GrantsEveryone, RemovesInheritance, TakeOwnership, GrantsFullControl, and HighValuePath — mirroring the scoring logic in the KQL and SPL detections. Alerts fire when SuspicionScore > 0 or a PowerShell ACL cmdlet is identified.

Data Sources

  • Sumo Logic Installed Collector on Windows endpoints forwarding Sysmon Operational logs
  • Sumo Logic Cloud SIEM Enterprise Windows Sysmon source
  • Sumo Logic Windows source category with Microsoft-Windows-Sysmon/Operational channel

Required Tables

Windows Sysmon Operational Event ID 1 (Process Create)

False Positives & Tuning

  • Help desk staff using takeown or icacls to regain access to user-owned files during account migration, profile corruption repair, or password reset procedures on managed endpoints
  • Security tools and EDR agents that legitimately modify ACLs on their own installation directories at install time or during self-protection routines
  • CI/CD pipeline agents (Jenkins, GitHub Actions self-hosted runner, TeamCity) that reset folder permissions on build artifact or workspace directories between pipeline runs
Testing Methodology

Validate this detection against the five Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: icacls Grant Everyone Full Control on Test File

    Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe, CommandLine containing '/grant Everyone:(F)'. Security Event ID 4670 (if Object Access auditing enabled) showing the permission change on the temp file. Security Event ID 4688 (if process auditing enabled) with command line.

  2. Test 2: takeown and icacls Ownership Transfer Sequence

    Expected signal: Two Sysmon Event ID 1 entries: first for takeown.exe with /F flag, second for icacls.exe with /grant flag. Security Event ID 4670 for the ACL change. Security Event ID 4672 (Special Privileges Assigned) if run with elevated rights. The sequential execution of takeown then icacls within a short time window is a high-confidence indicator.

  3. Test 3: PowerShell Set-Acl to Widen Directory Permissions

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Set-Acl', 'FileSystemAccessRule', 'Everyone', 'FullControl', and 'AddAccessRule'. PowerShell ScriptBlock Log Event ID 4104 capturing the full ACL manipulation code. Security Event ID 4670 on the target directory.

  4. Test 4: icacls Remove ACL Inheritance on Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=icacls.exe and CommandLine containing '/inheritance:r'. Security Event ID 4670 showing the removal of inherited ACEs (Access Control Entries) from the directory. The OldSd field in Event 4670 will show inherited entries, NewSd will show none.

  5. Test 5: attrib to Remove Hidden and System Attributes from Malware Artifacts

    Expected signal: Two Sysmon Event ID 1 entries for attrib.exe: first with +H +S flags (adding attributes), second with -H -S -R flags (removing attributes). Security Event ID 4663 if file auditing is enabled. The attribute removal (-H -S -R) invocation is the malicious indicator — the first is included to simulate the full adversary workflow.
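To see what the SuspicionScore logic described above actually produces for the five tests, here is an added Python re-implementation of the query's pre-filter and signal flags, run over constructed Sysmon process-create records; it is not part of the original page or of Sumo Logic, and the sample image paths and command lines are assumptions.

```python
from fnmatch import fnmatchcase as m  # Sumo "matches": case-sensitive glob, * is the only wildcard

# Constructed Sysmon Event ID 1 records modelled on the five tests above plus one benign process (sample data, not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\icacls.exe", r"icacls C:\Temp\t1222.txt /grant Everyone:(F)"),
    (r"C:\Windows\System32\takeown.exe", r"takeown /F C:\Temp\t1222.txt"),
    (PS, r'''powershell -c "$a=Get-Acl C:\Temp\d; $a.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone','FullControl','Allow'))); Set-Acl C:\Temp\d $a"'''),
    (r"C:\Windows\System32\icacls.exe", r"icacls C:\Temp\d /inheritance:r"),
    (r"C:\Windows\System32\attrib.exe", r"attrib -H -S -R C:\Temp\t1222.txt"),
    (r"C:\Windows\System32\notepad.exe", r"notepad C:\Temp\notes.txt"),
]
TOOLS = ["*icacls.exe", "*cacls.exe", "*xcacls.exe", "*takeown.exe", "*attrib.exe", "*SetACL.exe"]
PS_KW = ["*Set-Acl*", "*SetAccessControl*", "*AddAccessRule*", "*InheritanceFlags*",
         "*FileSystemAccessRule*", "*SetOwner*"]
HIGH_VALUE = ["*\\system32\\*", "*\\syswow64\\*", "*\\windows\\*", "*\\ntds*",
              "*\\lsass*", "*\\sam*", "*\\hosts*", "*\\programdata\\*"]

def in_scope(img, cmd):
    # The query's "where" pre-filter: a permissions tool, PowerShell with ACL
    # keywords, or cmd.exe wrapping one of the tools.
    return (any(m(img, p) for p in TOOLS)
            or (m(img, "*powershell.exe") and any(m(cmd, p) for p in PS_KW))
            or (m(img, "*cmd.exe") and any(m(cmd, p) for p in ["*icacls*", "*cacls*", "*takeown*", "*SetACL*"])))

def score(img, cmd):
    # One 0/1 flag per signal, computed the way the query's if() stages do.
    low = cmd.lower()
    s = {
        "IsTool": int(any(m(img, p) for p in TOOLS)),
        "GrantsEveryone": int(m(low, "*everyone*") or m(cmd, "*S-1-1-0*")),
        "RemovesInheritance": int(m(cmd, "*/inheritance:r*") or m(cmd, "*/inheritance:d*")),
        "TakeOwnership": int(m(img, "*takeown.exe") or m(low, "*/setowner*")),
        "GrantsFullControl": int(m(cmd, "*:(F)*") or m(cmd, "*:(OI)(CI)F*") or m(cmd, "*/grant*:F*")),
        "HighValuePath": int(any(m(low, p) for p in HIGH_VALUE)),
    }
    s["SuspicionScore"] = sum(s.values())
    s["IsPowerShellACL"] = int(m(img, "*powershell.exe") and any(m(cmd, p) for p in PS_KW[:3]))
    return s

def run_detection(events):
    # Events that would alert: in scope and (SuspicionScore > 0 or a PowerShell ACL cmdlet).
    hits = []
    for img, cmd in events:
        if in_scope(img, cmd):
            s = score(img, cmd)
            if s["SuspicionScore"] > 0 or s["IsPowerShellACL"] == 1:
                hits.append({"Image": img, "CommandLine": cmd, **s})
    return hits
```

Running it shows that IsTool alone already yields SuspicionScore = 1, so any execution of a listed tool (Test 5's attrib.exe run, for instance) alerts on its own, which is why the False Positives & Tuning entries above matter.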
