Windows PowerShell Set-Acl on folder


Goal

Detects modifications of access control lists (ACLs) on critical Windows system folders using PowerShell.

Strategy

This rule monitors PowerShell script block logging (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) for Set-Acl invocations whose target is a folder under the Windows directory. Changing permissions on system folders is rare in legitimate administration, and attackers use it to establish persistence, evade defenses, or prepare privilege escalation: a relaxed ACL on a system folder can expose sensitive files, bypass security controls that assume the default permissions, or let a malicious executable or DLL be dropped into a location that trusted processes load from. Note that the rule depends on Script Block Logging being enabled, and that the target path may not appear as a literal string in the script block: it can be assembled from a variable or an environment variable such as $env:SystemRoot, so the path must be resolved before it is compared against the list of protected folders.
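The following is an added example of the detection logic described above, written for this page and not the rule's actual query. It takes constructed 4104 script block events (the host, user and script_block fields are an assumed shape, not real telemetry), extracts the folder each Set-Acl or SetAccessControl call targets, resolves variable and SystemRoot aliases, and flags targets under the protected roots. The SENSITIVE_ROOTS list is the example's own hypothetical choice; the page names only "critical Windows system folders".

```python
import re
from dataclasses import dataclass

# Hypothetical protected roots; the rule text says only "critical Windows system folders".
SENSITIVE_ROOTS = (r"c:\windows",)

# Spellings of the Windows directory that must be expanded before comparison.
ENV_ALIASES = {
    "$env:systemroot": r"c:\windows",
    "$env:windir": r"c:\windows",
    "%systemroot%": r"c:\windows",
    "%windir%": r"c:\windows",
}

# One PowerShell argument: double-quoted, single-quoted, or a bare token.
ARG = r'("[^"]*"|\'[^\']*\'|[^\s;|)]+)'
VAR_ASSIGN = re.compile(r'(\$\w+)\s*=\s*("[^"]*"|\'[^\']*\')')          # $p = "literal"
NAMED_PATH = re.compile(r'-(?:Literal)?Path\s+' + ARG, re.I)            # -Path <arg>
POSITIONAL = re.compile(r'Set-Acl\s+' + ARG, re.I)                      # Set-Acl <arg>
GET_ITEM = re.compile(r'Get-(?:Item|ChildItem)\s+(?:-(?:Literal)?Path\s+)?' + ARG, re.I)


@dataclass
class Finding:
    host: str
    user: str
    path: str        # normalized target folder
    statement: str   # the statement that changed the ACL


def normalize_path(raw: str) -> str:
    """Strip quotes, expand SystemRoot aliases, lower-case, use backslashes."""
    p = raw.strip().strip("\"'").replace("/", "\\").lower()
    for alias, root in ENV_ALIASES.items():
        if p.startswith(alias):
            p = root + p[len(alias):]
    return p.rstrip("\\")


def is_sensitive(path: str) -> bool:
    """True when the path is a protected root or lies beneath one.

    The separator check keeps C:\\WindowsUpdate from matching C:\\Windows."""
    n = normalize_path(path)
    return any(n == root or n.startswith(root + "\\") for root in SENSITIVE_ROOTS)


def _statements(script: str):
    # Split on newlines and ';' (quoted ';' is ignored for brevity).
    for line in script.splitlines():
        for stmt in line.split(";"):
            if stmt.strip():
                yield stmt.strip()


def _target_in_statement(stmt: str):
    """Return the raw path argument of a Set-Acl / .SetAccessControl call, if any."""
    segments = stmt.split("|")
    idx = next((i for i, s in enumerate(segments)
                if "set-acl" in s.lower() or "setaccesscontrol" in s.lower()), None)
    if idx is None:
        return None
    seg = segments[idx]
    m = NAMED_PATH.search(seg)
    if m is None:
        m = POSITIONAL.search(seg)
        if m and m.group(1).startswith("-"):   # first token was another switch
            m = None
    if m is None:
        # Pipeline or method form: the path came from Get-Item/Get-ChildItem upstream.
        m = GET_ITEM.search("|".join(segments[: idx + 1]))
    return m.group(1) if m else None


def acl_targets(script: str) -> list:
    """All (raw_path, statement) pairs where the script changes a folder ACL."""
    variables = {m.group(1).lower(): m.group(2) for m in VAR_ASSIGN.finditer(script)}
    found = []
    for stmt in _statements(script):
        raw = _target_in_statement(stmt)
        if raw is None:
            continue
        if raw.startswith("$") and raw.lower() in variables:   # resolve $p = "literal"
            raw = variables[raw.lower()]
        found.append((raw, stmt))
    return found


def evaluate(event: dict):
    """Return a Finding when a script block changes the ACL of a protected folder."""
    for raw, stmt in acl_targets(event["script_block"]):
        if is_sensitive(raw):
            return Finding(event["host"], event["user"], normalize_path(raw), stmt)
    return None


def run(events: list) -> list:
    return [f for f in (evaluate(e) for e in events) if f]


# Constructed sample 4104 events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\jdoe", "script_block":
        '$acl = Get-Acl "C:\\Windows\\System32"\n'
        '$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone","FullControl","Allow")\n'
        '$acl.AddAccessRule($rule)\n'
        'Set-Acl -Path "C:\\Windows\\System32" -AclObject $acl'},
    {"host": "ws02", "user": r"CORP\svc-build", "script_block":
        r'$target = "$env:SystemRoot\Tasks"; Get-Acl $target | Set-Acl $target'},
    {"host": "ws03", "user": r"CORP\jdoe", "script_block":
        r'Get-Acl D:\Shares\Build | Set-Acl -Path D:\Shares\Build\Out'},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} -> {f.path}: {f.statement}")
```

The second sample event is the case the regex-only approach misses: the target never appears as a literal path, only as a variable built from $env:SystemRoot, so the assignment is resolved and the alias expanded before the prefix check. The third event is a benign ACL change outside the Windows directory and produces no finding.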

Triage & Response

  • Examine the PowerShell script block content on {{host}} to verify the ACL modification and understand exactly what was granted: which identity (for example Everyone or Authenticated Users), which rights (Write, Modify, FullControl), and whether inheritance was enabled so the change propagates to child files and folders.
  • Identify the user account that executed the PowerShell command and determine if this was an authorized administrative action.
  • Review which specific folder within the Windows directory had its permissions modified.
  • Investigate for other suspicious PowerShell activities on the system before and after the ACL modification.
  • Look for evidence that the relaxed permissions were actually used, such as file writes, new executables or DLLs, or scheduled task files created in the affected directories after the change.
  • Determine if similar ACL modifications have occurred on other systems in the environment.