
Permissions Replaced by icacls - Windows

Anvilogic Forge

Summary
This detection rule monitors execution of the 'icacls' command-line utility on Windows hosts. 'icacls' views and modifies Discretionary Access Control Lists (DACLs), i.e. file and directory permissions. Threat actors such as the FIN7 group have used it to change permissions and so gain access to sensitive files and directories. The rule identifies process creation events (Event Code 4688) for 'icacls' and matches the command-line switches commonly used to replace permissions: '/grant:', '/deny:', '/remove:', '/setintegritylevel:', and '/inheritance:'. Using Splunk, it extracts and presents the timestamp, host, user, executed process, and the specific permissions altered, so that security teams can respond quickly to suspicious permission changes.
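The same detection logic applied to constructed 4688 records, as an added Python example that is not the Anvilogic rule or its Splunk search; the flattened key="value" record format, field names and sample events are assumptions for illustration:

```python
import re
from dataclasses import dataclass

# Permission-replacing switches named by the rule (icacls treats switches case-insensitively).
PERMISSION_SWITCHES = ("/grant:", "/deny:", "/remove:", "/setintegritylevel:", "/inheritance:")

# Constructed sample 4688 records in a flattened key="value" form (not real Splunk output).
# Process_Command_Line is only populated when "Include command line in process creation
# events" auditing is enabled on the host; without it none of these switches are visible.
SAMPLE_EVENTS = [
    'EventCode=4688 _time="2024-02-09T10:01:00" ComputerName="WS01" Account_Name="alice" '
    r'New_Process_Name="C:\Windows\System32\icacls.exe" '
    r'Process_Command_Line="icacls C:\Finance\payroll.xlsx /grant:r Everyone:(F)"',
    'EventCode=4688 _time="2024-02-09T10:02:00" ComputerName="WS01" Account_Name="alice" '
    r'New_Process_Name="C:\Windows\System32\icacls.exe" '
    r'Process_Command_Line="icacls C:\Finance /inheritance:d"',
    'EventCode=4688 _time="2024-02-09T10:03:00" ComputerName="WS02" Account_Name="bob" '
    r'New_Process_Name="C:\Windows\System32\icacls.exe" '
    r'Process_Command_Line="icacls C:\Users\bob\Documents"',  # view only, no change
    'EventCode=4688 _time="2024-02-09T10:04:00" ComputerName="WS02" Account_Name="bob" '
    r'New_Process_Name="C:\Windows\System32\notepad.exe" '
    r'Process_Command_Line="notepad.exe notes.txt"',
]

@dataclass
class Alert:
    time: str
    host: str
    user: str
    command_line: str
    switches: tuple

def parse_event(line):
    """Return the key/value fields of a 4688 record, or None for any other event code."""
    if "EventCode=4688" not in line:
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def detect_icacls_permission_change(lines):
    """Flag icacls executions whose command line carries a permission-replacing switch."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev.get("New_Process_Name", "").lower().endswith("\\icacls.exe"):
            continue
        cmd = ev.get("Process_Command_Line", "")
        hits = tuple(s for s in PERMISSION_SWITCHES if s in cmd.lower())
        if hits:
            alerts.append(Alert(ev["_time"], ev["ComputerName"], ev["Account_Name"], cmd, hits))
    return alerts

if __name__ == "__main__":
    for alert in detect_icacls_permission_change(SAMPLE_EVENTS):
        print(alert)
```

Note that icacls also accepts colon-less forms such as `/grant user:(F)`; the list above follows the rule's literal switches, so widening the match is a tuning decision for the analyst.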
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1222
  • T1222.001
Created: 2024-02-09