title: File and Directory Permissions Modification (T1222)
id: df00tech-t1222
status: experimental
description: "Adversaries may modify file or directory permissions and ACLs to evade access controls and enable access to protected files. On Windows, tools like icacls, cacls, takeown, attrib, and PowerShell's Set-Acl cmdlet are abused to grant unauthorized access, remove inheritance, or take ownership of sensitive files and directories. On Linux and macOS, chmod, chown, chattr, and setfacl are used to widen permissions on credential files, binaries, or configuration data. Permission modifications commonly precede or accompany other techniques such as persistence via accessibility features, boot scripts, or hijack execution flow."
references:
  - https://attack.mitre.org/techniques/T1222/
  - https://df00tech.com/detections/T1222
author: df00tech
date: 2026/04/13
tags:
  - attack.t1222
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software installation routines that reset permissions on application directories during setup or update (SCCM, Intune, installers)"
  - IT administrators using icacls or takeown to recover access to orphaned files after account migrations or domain rejoins
  - "Backup agents (Veeam, Acronis, Windows Server Backup) that modify file ACLs to enable backup of protected files"
  - Endpoint security tools resetting permissions on quarantined files or their own installation directories
  - "CI/CD pipeline agents (GitHub Actions, Jenkins, Azure DevOps agents) adjusting permissions on build artifact directories"
level: medium
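As an added example (not part of this rule and not df00tech's KQL/SPL query), the Python below classifies constructed Windows process_creation events for the tools the description names, rating broad grants and inheritance removal higher and suppressing the installer parents listed under falsepositives; the sample events, the TRUSTED_PARENTS names and the severity labels are assumptions, not values from the page.

```python
import re

# Constructed process_creation events (not real telemetry); fields mirror Sysmon EID 1 / 4688.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\ProgramData\Vendor\config.xml" /grant Everyone:F /inheritance:r',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\takeown.exe",
     "CommandLine": r"takeown /f C:\Windows\System32\drivers\etc\hosts",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"$a=Get-Acl $p; $a.SetAccessRuleProtection($true,$false); Set-Acl $p $a\"",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\icacls.exe",          # installer repair: falsepositives case
     "CommandLine": r'icacls "C:\Program Files\Vendor" /reset /T',
     "ParentImage": r"C:\Windows\ccmcache\abc\setup.exe"},
    {"Image": r"C:\Windows\System32\icacls.exe",          # read-only ACL listing, no modification
     "CommandLine": r'icacls "C:\Users\alice\notes.txt"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

PERMISSION_TOOLS = ("icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe")
# Modification intent: granting rights, resetting/removing inheritance, taking ownership, Set-Acl.
MODIFY_PATTERNS = [
    re.compile(r"/grant\b|/setowner\b|/reset\b|/inheritance:[rd]\b", re.I),
    re.compile(r"\bset-acl\b", re.I),
    re.compile(r"\btakeown(\.exe)?\b.*?/f\b", re.I),
    re.compile(r"\battrib(\.exe)?\b.*?[-+][rsh]", re.I),
]
# Grants to these principals widen access to effectively everyone: the high-signal case.
BROAD_PRINCIPALS = re.compile(r"\b(everyone|users|authenticated users|s-1-1-0)\s*:", re.I)
# Parent process markers for the installer/config-management tooling in falsepositives (assumed names).
TRUSTED_PARENTS = ("ccmcache", "intunemanagementextension", "msiexec.exe")

def classify(event):
    """Return 'high', 'medium', 'suppressed' or None for one process_creation event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    is_tool = image.endswith(PERMISSION_TOOLS) or image.endswith("powershell.exe")
    if not is_tool or not any(p.search(cmd) for p in MODIFY_PATTERNS):
        return None                      # not a permission-changing invocation
    if any(t in parent for t in TRUSTED_PARENTS):
        return "suppressed"              # expected by the falsepositives list
    if BROAD_PRINCIPALS.search(cmd) or "/inheritance:r" in cmd.lower():
        return "high"                    # access widened to a broad principal or inheritance cut
    return "medium"

def detect(events):
    """Pair each flagged command line with its verdict, dropping non-matching events."""
    return [(e["CommandLine"], classify(e)) for e in events if classify(e)]
```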
