title: Windows File and Directory Permissions Modification (T1222.001)
id: df00tech-t1222-001
status: experimental
description: "Adversaries may modify file or directory permissions on Windows systems using built-in utilities (icacls, cacls, takeown, attrib) or PowerShell ACL cmdlets to bypass access control lists and gain access to protected files. This technique is commonly used by ransomware families (Ryuk, WannaCry, BitPaymer, BlackByte) to take ownership of system files before encryption, by persistence mechanisms preparing hijack targets, and by threat actors (Wizard Spider, Storm-1811) to remove access restrictions on backup and recovery infrastructure. Key patterns include granting Everyone full control (/grant Everyone:F), taking file ownership (takeown /F), resetting ACL inheritance (icacls /reset), and hiding files with attrib +h."
references:
  - https://attack.mitre.org/techniques/T1222/001/
  - https://df00tech.com/detections/T1222.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1222.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The wildcard selection below matches every process_creation event and is only a
  # placeholder: replace it with the command-line patterns from the description before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installation packages that use icacls to set permissions on their own application directories during setup (e.g., MSI installers, third-party applications)"
  - System administrators using takeown and icacls to recover access to accidentally locked files or directories
  - "IT automation tools (SCCM, Ansible, Puppet) using PowerShell Set-Acl or icacls to enforce standardized permission baselines across managed endpoints"
  - Backup software agents that modify ACLs on their own installation and data directories
  - Vulnerability remediation scripts that reset over-permissive ACLs on shared directories
level: high
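The command-line patterns named in the description, checked against constructed process_creation events as an added Python example (not part of the df00tech rule or its KQL/SPL query); the msiexec.exe parent allowlist is an assumption that illustrates the first false-positive entry.

```python
import re

# Patterns from the rule description, matched case-insensitively against CommandLine.
PATTERNS = {
    # icacls/cacls giving Everyone (or its SID S-1-1-0) full control, with or
    # without inheritance flags such as (OI)(CI) before the F
    "grant_everyone_full": re.compile(
        r'\b(?:icacls|cacls)\b.*?\s(?:/grant(?::r)?|/g)\s+"?(?:everyone|\*s-1-1-0)"?:(?:\(\w+\))*\(?f\b',
        re.I),
    "takeown_file": re.compile(r"\btakeown\b.*?\s/f\s", re.I),
    "icacls_reset": re.compile(r"\bicacls\b.*?\s/reset\b", re.I),
    "attrib_hidden": re.compile(r"\battrib\b.*?\s\+h\b", re.I),
}

# Hypothetical parent-process allowlist mirroring the rule's first false-positive entry
# (installers setting ACLs on their own directories); tune per environment, ideally with signer checks.
BENIGN_PARENTS = ("\\msiexec.exe",)

# Constructed sample process_creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\a\AppData\Local\Temp\x.exe",
     "CommandLine": r'icacls "C:\Windows\System32\drivers" /grant Everyone:(OI)(CI)F /T /C /Q'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"takeown /F C:\Backups\daily.bak /A"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",  # installer, suppressed by allowlist
     "CommandLine": r'icacls "C:\Program Files\Vendor\App" /grant Everyone:F /T'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"attrib +h +s C:\ProgramData\upd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"icacls C:\Users\a\Documents /reset /T"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /c dir C:\Users"},  # benign, matches nothing
]


def match_patterns(command_line):
    """Return the names of every pattern the command line matches."""
    return [name for name, rx in PATTERNS.items() if rx.search(command_line)]


def evaluate(event):
    """Return {'patterns': [...], 'suppressed': bool} for a hit, else None."""
    hits = match_patterns(event.get("CommandLine", ""))
    if not hits:
        return None
    parent = event.get("ParentImage", "").lower()
    return {"patterns": hits, "suppressed": any(parent.endswith(p) for p in BENIGN_PARENTS)}


def run(events):
    """(index, verdict) for every event that fires and is not allowlisted."""
    return [(i, r) for i, e in enumerate(events) if (r := evaluate(e)) and not r["suppressed"]]
```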
