This analytic detection rule targets the use of the ICACLS command-line utility to remove permission inheritance from files or directories. By monitoring the invocation of ICACLS with the '/inheritance:r' flag, this rule identifies instances where an administrator may strip inherited permissions while potentially leaving or altering explicit permissions. The removal of permission inheritance can be a legitimate administrative task; however, it may also signal an attempt to obscure malicious actions or to bypass existing security controls on the system. The detection relies on specific event logs from Sysmon (EventID 1) and Windows Event Log (Security 4688) to track this potentially risky behavior.