Windows DACL Manipulation Behavioral Chain Detection Strategy

ID: DET0418
Domains: Enterprise
Analytics: AN1177
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1177

Multi-stage Windows DACL manipulation behavioral chain:

1. Process creation of permission-modifying utilities (icacls.exe, takeown.exe, attrib.exe, cacls.exe) or PowerShell ACL cmdlets
2. Command-line analysis revealing privilege escalation intent through suspicious parameters (/grant, /takeown, /T, Set-Acl)
3. DACL modification events (4670) correlating with process execution
4. Subsequent file access attempts (4663) indicating successful permission bypass
5. Potential follow-on persistence or lateral movement activities
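Steps 1 to 4 of the chain, as an added example that is not part of the ATT&CK strategy or any vendor's detection content: a small Python correlator run over constructed Security-log events that applies the TemporalCorrelationWindow, AuthorizedAdministratorAccounts, SuspiciousCommandLinePatterns and BusinessHoursThreshold elements. The event field names, the sample events and the account names are assumptions; the only page-provided values are the event IDs, tool names and command-line tokens.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (assumed field names modelled on Security log fields).
EVENTS = [
    {"ts": "2025-10-21T02:10:00", "EventCode": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "C:\Windows\System32\drivers" /grant Everyone:F /T'},
    {"ts": "2025-10-21T02:10:03", "EventCode": 4670, "SubjectUserName": "svc_backup",
     "ObjectName": r"C:\Windows\System32\drivers"},
    {"ts": "2025-10-21T02:11:30", "EventCode": 4663, "SubjectUserName": "svc_backup",
     "ObjectName": r"C:\Windows\System32\drivers\x.sys", "AccessMask": "0x2"},
    {"ts": "2025-10-21T09:00:00", "EventCode": 4688, "SubjectUserName": "admin01",
     "NewProcessName": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r'icacls "D:\share\reports" /grant Finance:R'},
]

PERMISSION_TOOLS = {"icacls.exe", "takeown.exe", "attrib.exe", "cacls.exe", "powershell.exe"}
SUSPICIOUS_CMD = re.compile(r"(/grant|/takeown|/T\b|Set-Acl)", re.IGNORECASE)  # step 2
AUTHORIZED_ADMINS = {"admin01"}        # AuthorizedAdministratorAccounts (assumed value)
WINDOW = timedelta(seconds=300)        # TemporalCorrelationWindow default from the page
BUSINESS_HOURS = range(8, 18)          # BusinessHoursThreshold (assumed value)

def _t(e):
    return datetime.fromisoformat(e["ts"])

def detect_dacl_chain(events, window=WINDOW, authorized=AUTHORIZED_ADMINS):
    """One alert per suspicious 4688; 'stage' = how many of steps 1-4 were seen."""
    events = sorted(events, key=_t)
    alerts = []
    for e in events:
        if e["EventCode"] != 4688:
            continue
        image = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
        if image not in PERMISSION_TOOLS or not SUSPICIOUS_CMD.search(e["CommandLine"]):
            continue                                   # steps 1 and 2 not both met
        user, start = e["SubjectUserName"], _t(e)
        if user in authorized:
            continue                                   # expected administrative activity
        later = [x for x in events
                 if x["SubjectUserName"] == user and start < _t(x) <= start + window]
        dacl = [x for x in later if x["EventCode"] == 4670]            # step 3
        access = [x for x in later                                     # step 4
                  if x["EventCode"] == 4663 and dacl and _t(x) > _t(dacl[0])]
        alerts.append({"user": user, "cmd": e["CommandLine"],
                       "stage": 2 + bool(dacl) + bool(access),
                       "off_hours": start.hour not in BUSINESS_HOURS,
                       "touched": [x["ObjectName"] for x in access]})
    return alerts
```

A stage-4 alert flagged off_hours is the highest-confidence outcome; a stage-2 alert alone is a candidate for the whitelist or for a lower risk score rather than an automatic response.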

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Active Directory Object Modification (DC0066) | WinEventLog:Security | EventCode=4670 |
| File Metadata (DC0059) | WinEventLog:Security | EventCode=4663, 4656, 4658 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103, 4104, 4105, 4106 |
| WMI Creation (DC0008) | WinEventLog:Microsoft-Windows-WMI-Activity/Operational | EventCode=5857, 5860, 5861 |
Mutable Elements

| Field | Description |
|---|---|
| TemporalCorrelationWindow | Time window for correlating process creation (4688/Sysmon 1) with DACL changes (4670) and subsequent access (4663) - default 300 seconds, adjust based on system performance and network latency |
| SensitivePathWhitelist | Environment-specific critical directories requiring enhanced monitoring (e.g., C:\Windows\System32, C:\Program Files, %USERPROFILE%\AppData) - customize per organizational security requirements |
| AuthorizedAdministratorAccounts | User accounts and service accounts authorized to perform legitimate DACL modifications - update to reflect current administrative staff and automated processes |
| SuspiciousCommandLinePatterns | Regex patterns for detecting malicious intent in permission modification commands - tune to reduce false positives while maintaining detection efficacy |
| BusinessHoursThreshold | Time-based risk scoring modifier for permission changes occurring outside standard business hours - adjust based on organizational work patterns |
| PowerShellScriptBlockSizeThreshold | Minimum PowerShell script block size for ACL-related content analysis - balance between detection coverage and log volume |
| FileAccessFrequencyBaseline | Statistical baseline for normal file access patterns post-permission change - establish through historical analysis and update periodically |
| WMIMethodInvocationWhitelist | Approved WMI classes and methods for legitimate permission operations (e.g., Win32_SecurityDescriptor) - maintain based on authorized management tools |