
Summary
This analytic rule detects the execution of the ICACLS command with the intention of granting additional file or directory access permissions, an action often leveraged by Advanced Persistent Threats (APTs) and malicious scripts like coinminers. The detection relies on telemetry data captured by Endpoint Detection and Response (EDR) agents, focusing on recognized process names (icacls.exe, cacls.exe, xcacls.exe) and specific command-line arguments indicative of permission changes. Such behavior raises concern as it can facilitate unauthorized access or data exfiltration, posing significant risks to system integrity. The rule leverages log data from Sysmon events, Windows event logs, and vendor-specific logs to identify suspicious activity surrounding permissions changes.
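As an added illustration of the detection logic summarized above (example code written for this page, not the rule's own search), the following Python applies the process-name and grant-argument checks to a few constructed Sysmon-style process-creation events. It assumes the grant-style arguments are `/grant` (or `/grant:r`) for icacls.exe and `/G` for cacls.exe and xcacls.exe; the event field names and sample values are constructed.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls.exe C:\Users\Public\tools /grant Everyone:(OI)(CI)F /T"},
    {"host": "ws01", "user": "CORP\\alice", "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls.exe C:\Projects\src /save acl.bak /T"},        # no grant: benign backup
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\cacls.exe",
     "cmdline": r"cacls.exe C:\ProgramData\svc /E /G svcacct:F"},
    {"host": "ws03", "user": "CORP\\bob", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe /grant.txt"},                              # wrong process: ignored
    {"host": "ws03", "user": "CORP\\bob", "image": r"C:\Tools\xcacls.exe",
     "cmdline": r"xcacls.exe D:\share /G Everyone:F /Y"},
]

# Process name -> the argument that grants additional permissions (assumed per tool).
GRANT_ARGS = {
    "icacls.exe": re.compile(r"^/grant(:r)?$", re.I),
    "cacls.exe": re.compile(r"^/g$", re.I),
    "xcacls.exe": re.compile(r"^/g$", re.I),
}
# Grants to these principals widen access to everyone on the box, so rate them higher.
BROAD_PRINCIPALS = {"everyone", "users", "authenticated users", "*s-1-1-0"}


def detect_icacls_grant(event):
    """Return an alert dict if the event is an ACL tool run with a grant argument, else None."""
    process = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    pattern = GRANT_ARGS.get(process)
    if pattern is None:                       # not icacls/cacls/xcacls: out of scope
        return None
    tokens = event["cmdline"].split()
    for i, tok in enumerate(tokens):
        if pattern.match(tok):
            grantee = tokens[i + 1] if i + 1 < len(tokens) else ""
            principal = grantee.split(":", 1)[0].strip('"').lower()
            return {"host": event["host"], "user": event["user"], "process": process,
                    "grantee": grantee,
                    "severity": "high" if principal in BROAD_PRINCIPALS else "medium"}
    return None                               # ACL tool ran, but without a grant argument


def scan(events):
    """Run the detection over a batch of events and keep only the hits."""
    return [a for a in (detect_icacls_grant(e) for e in events) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first, third and fifth events fire; the `/save` run and the notepad invocation containing the string `/grant` are correctly ignored.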
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
- Logon Session
ATT&CK Techniques
- T1222
Created: 2024-12-17