Process

unknown

icacls.exe

icacls.exe displays and changes the permissions (DACLs) on files and folders. Administrators use it to set access control. Attackers use it to grant themselves access to files they should not reach, to lock owners out, and to weaken the protections on sensitive locations.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

icacls.exe reads and writes the discretionary access control lists that decide who can read, write, or execute a file or directory. It can grant and deny rights to users (/grant, /deny), reset inherited permissions (/reset), change owner (/setowner), and set integrity levels. It requires rights over the target and lives at C:\Windows\System32\icacls.exe.

Legitimately, icacls is run by administrators and installers to configure access on files and folders. The target and the permission change are what give an instance meaning.

Security notes

Attackers use icacls.exe to manipulate file and directory permissions for their own ends (MITRE ATT&CK T1222.001). Granting full control to a broad principal opens files and folders an account should not reach; resetting or removing ACLs strips protections from security tools, logs, or backups so they can be tampered with; and changing ownership can lock the legitimate owner out. These moves often accompany ransomware and anti-forensics, ensuring the operator can read, modify, or destroy the targeted data.

Because icacls is a normal administrative tool, the target path and the permission change are what matter. Broad grants to system locations, or ACL resets on defensive files, are very different from an installer setting permissions on its own directory.

Anomaly signals
  • Image path other than C:\Windows\System32\icacls.exe (high)
  • Granting broad rights (Everyone:F, Users:F) to system or sensitive paths (high)
  • Resetting or removing ACLs on security tools, logs, or backups (high)
  • Parent is an Office application, a script host, or an unfamiliar process (high)
  • Run alongside file-hiding, log-clearing, or shadow-deletion commands (med)
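The security notes and the anomaly signals above describe what a detection should look at: the image path, the target path, the principal and rights in a /grant, /reset and /remove switches on defensive locations, the parent process, and neighbouring anti-forensic commands. The following added example (not code from the original page) turns those signals into a scorer over process-creation events. The event field names (image, command_line, parent_image) are assumed to be Sysmon-like; the sample events, the path hints for "defensive" locations, and the anti-forensic command hints are all constructed for illustration and would be tuned per environment.

```python
import re

# Expected location of the real binary (from the page); compared case-insensitively.
EXPECTED_IMAGE = r"c:\windows\system32\icacls.exe"

# Principals that make a full-control/modify grant "broad". Names and well-known
# SIDs (Everyone, Users, Authenticated Users) are accepted, with or without a leading '*'.
BROAD_PRINCIPALS = {"everyone", "users", "builtin\\users", "authenticated users",
                    "nt authority\\authenticated users", "s-1-1-0", "s-1-5-32-545", "s-1-5-11"}
SENSITIVE_PREFIXES = (r"c:\windows", r"c:\program files", r"c:\program files (x86)", r"c:\programdata")
# Constructed hints for security tools, event logs and backups (assumption: tune per environment).
DEFENSIVE_HINTS = ("windows defender", "sysmon", r"\winevt\logs", "backup")
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe"}
# Constructed substrings for the "run alongside" signal (file hiding, log clearing, shadow deletion).
ANTI_FORENSIC_HINTS = ("attrib +h", "wevtutil cl", "vssadmin delete shadows", "wmic shadowcopy delete")

INHERIT_FLAGS = re.compile(r"\((?:OI|CI|IO|NP|I)\)", re.IGNORECASE)
# A token is a run of non-space text in which quoted segments may be embedded, e.g. "Users":(OI)(CI)F
TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def _tokens(cmd):
    return [t.replace('"', "") for t in TOKEN.findall(cmd)]


def _grants(tokens):
    """Yield (principal, rights) for every /grant or /grant:r argument, e.g. Everyone:(OI)(CI)F -> ('everyone', ['F'])."""
    for i, tok in enumerate(tokens):
        if tok.lower() in ("/grant", "/grant:r") and i + 1 < len(tokens) and ":" in tokens[i + 1]:
            principal, perm = tokens[i + 1].rsplit(":", 1)
            rights = INHERIT_FLAGS.sub("", perm).strip("()").upper().split(",")
            yield principal.lower().lstrip("*"), rights


def _target(tokens):
    """icacls takes the target path as its first non-switch argument."""
    for tok in tokens[1:]:
        if not tok.startswith("/"):
            return tok.lower()
    return ""


def _defensive(path):
    return any(h in path for h in DEFENSIVE_HINTS)


def score_event(event, recent_commands=()):
    """Return the (signal, severity) pairs an icacls process-creation event trips.

    recent_commands: other command lines from the same session, used for the co-occurrence signal.
    """
    signals = []
    image = event.get("image", "").lower()
    tokens = _tokens(event.get("command_line", ""))
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    target = _target(tokens)

    if image != EXPECTED_IMAGE:
        signals.append(("image_path_unexpected", "high"))
    for principal, rights in _grants(tokens):
        sensitive = target.startswith(SENSITIVE_PREFIXES) or _defensive(target)
        if principal in BROAD_PRINCIPALS and ("F" in rights or "M" in rights) and sensitive:
            signals.append(("broad_grant_on_sensitive_path", "high"))
            break
    if any(t.lower() == "/reset" or t.lower().startswith("/remove") for t in tokens) and _defensive(target):
        signals.append(("acl_reset_on_defensive_path", "high"))
    if parent in SUSPICIOUS_PARENTS:
        signals.append(("suspicious_parent", "high"))
    window = " ".join(c.lower() for c in recent_commands)
    if any(h in window for h in ANTI_FORENSIC_HINTS):
        signals.append(("anti_forensic_cooccurrence", "med"))
    return signals


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Installer fixing read/execute on its own directory: the benign case from the page.
    {"image": r"C:\Windows\System32\icacls.exe",
     "command_line": r'icacls "C:\Program Files\ExampleApp" /grant "Users":(OI)(CI)RX /T',
     "parent_image": r"C:\Users\admin\Downloads\exampleapp-setup.exe"},
    # Broad full control on a system directory, launched from a script host.
    {"image": r"C:\Windows\System32\icacls.exe",
     "command_line": r"icacls C:\Windows\System32\drivers /grant Everyone:F /T",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    # Renamed copy of the binary resetting ACLs on the event log directory.
    {"image": r"C:\Users\Public\svc.exe",
     "command_line": r'svc.exe "C:\Windows\System32\winevt\Logs" /reset /T /C',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["command_line"], "->", score_event(ev, recent_commands=["wevtutil cl Security"]))
```

The benign installer event trips nothing because the grant is RX rather than full control, while the two suspicious events each trip several high signals; the co-occurrence signal only fires when the caller supplies the neighbouring session commands, which is the context a single process-creation event does not carry on its own.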

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.

References
