Windows File and Directory Enable ReadOnly Permissions

Splunk Security Content

Summary
This analytic aims to detect instances wherein file or folder permissions are modified to grant read-only access on Windows environments. The rule specifically looks for events characterized by the presence of read-related permissions (such as R, REA, RA, RD) while ensuring that write (W) or execute (E) permissions are absent. Such modifications can be regular administrative actions or an indication of potential malicious behavior, particularly if unauthorized changes are made. By tracking these permission changes, organizations can better monitor access control adjustments that may restrict access to sensitive data, helping ensure that legitimate security measures are enforced and any unauthorized changes investigated promptly. The detection leverages Sysmon EventID 1 and Windows Event Log Security 4688 as its data sources, focusing on specific processes (e.g., icacls.exe) associated with permission management, and looks for specific patterns in the resulting events to generate alerts.
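As an added example (not part of the Splunk Security Content rule itself), the Python below replays the analytic's read-only test over constructed Sysmon EventID 1 / Security 4688-style process events: keep only icacls.exe, parse each /grant clause, and alert when the granted rights include one of R, REA, RA, RD and none that imply write or execute. The field names `process_name` and `process`, the sample command lines, and the write/execute right letters beyond those the summary names are assumptions.

```python
import re

# Constructed sample events shaped like Sysmon EventID 1 / Security 4688 process-creation records.
SAMPLE_EVENTS = [
    {"process_name": "icacls.exe", "process": r"icacls.exe C:\Finance\Reports /grant Everyone:(OI)(CI)R"},
    {"process_name": "icacls.exe", "process": r"icacls.exe C:\Finance\Reports /grant:r backup:(REA,RA,RD)"},
    {"process_name": "icacls.exe", "process": r"icacls.exe C:\Users\alice\Docs /grant alice:(OI)(CI)(RX)"},
    {"process_name": "icacls.exe", "process": r"icacls.exe C:\Share /grant svc_app:(M)"},
    {"process_name": "icacls.exe", "process": r"icacls.exe C:\Share /deny bob:(W)"},
    {"process_name": "cmd.exe",    "process": r"cmd.exe /c dir C:\Share"},
]

# Read-type icacls rights named by the analytic (R, REA, RA, RD).
READ_RIGHTS = {"R", "REA", "RA", "RD"}
# Assumed set of rights implying write, execute, modify or full control; any one of these means the grant is not read-only.
WRITE_OR_EXEC_RIGHTS = {"W", "WD", "AD", "WA", "WEA", "WDAC", "WO", "D", "DE", "DC", "X", "RX", "M", "F"}
# Inheritance flags share the parenthesised syntax but are not access rights.
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Matches "/grant user:rights" and "/grant:r user:rights"; /deny and /remove clauses are ignored.
GRANT_RE = re.compile(r"/grant(?::r)?\s+(?P<principal>\S+?):(?P<rights>\S+)", re.IGNORECASE)

def parse_icacls_grants(command_line):
    """Return (principal, set_of_rights) for each /grant clause in an icacls command line."""
    grants = []
    for m in GRANT_RE.finditer(command_line):
        # "(OI)(CI)R" and "(REA,RA,RD)" both split into individual right tokens here.
        tokens = {t.upper() for t in re.split(r"[(),]+", m.group("rights")) if t}
        grants.append((m.group("principal"), tokens - INHERITANCE_FLAGS))
    return grants

def is_read_only_grant(rights):
    """True when at least one read right is present and no write/execute right is."""
    return bool(rights & READ_RIGHTS) and not (rights & WRITE_OR_EXEC_RIGHTS)

def detect_read_only_permission_changes(events):
    """Apply the analytic's logic: icacls.exe process events whose grants are read-only."""
    findings = []
    for event in events:
        if event["process_name"].lower() != "icacls.exe":
            continue
        for principal, rights in parse_icacls_grants(event["process"]):
            if is_read_only_grant(rights):
                findings.append((principal, tuple(sorted(rights)), event["process"]))
    return findings

if __name__ == "__main__":
    for principal, rights, cmd in detect_read_only_permission_changes(SAMPLE_EVENTS):
        print(f"read-only grant to {principal} rights={rights}: {cmd}")
```

Only the first two sample events alert; the RX and M grants carry execute or modify access, the /deny clause is not a grant, and the cmd.exe event never reaches the parser.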
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1222.001
Created: 2024-12-13