
Summary
This detection rule identifies instances where full control permissions are granted to the Everyone group (well-known SID S-1-1-0) on a Windows system. Adversaries use this to weaken the discretionary ACLs on files and directories so that any principal, including low-privileged or unauthenticated ones, can read, modify or delete otherwise protected content. The rule focuses on invocations of the built-in 'icacls' utility that modify permissions, specifically looking for the '/grant Everyone:F' argument in the command line. The detection logic uses Sysmon process creation events (Event ID 1) to trace these permission changes, gathering the time of the event, the host involved, the user executing the command, and the parent and child process details. This behavior is notably associated with Ryuk ransomware, operated by the group commonly tracked as WIZARD SPIDER, which runs icacls with this exact argument to grant Everyone full control across the entire volume before encryption. By leveraging built-in Windows commands, malicious actors avoid dropping additional tooling while preparing for further exploitation or data exfiltration, underlining the importance of monitoring and alerting on such permission modifications. Practitioners should note that a literal match on '/grant Everyone:F' does not cover equivalent spellings such as the SID form '*S-1-1-0:F', the '/grant:r' replace variant, inheritance flags like '(OI)(CI)F', or the legacy 'cacls /G' switch, and that installers and administrative scripts occasionally grant broad permissions legitimately, so alerts should be tuned on parent process and target path.
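The following Python example, written for this page and not part of the rule itself, runs the detection logic over constructed Sysmon Event ID 1 records and returns the same fields the rule reports. It shows both the literal '/grant Everyone:F' match described above and a broader matcher that also catches the SID spelling, '/grant:r', inheritance flags and legacy cacls, so the gap between the two can be seen on sample data. Hostnames, users and timestamps are made up.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields the rule reports. Sample data written for this example, not real
# telemetry; hostnames, users and timestamps are made up.
SAMPLE_EVENTS = [
    {"_time": "2024-02-09T10:15:01Z", "host": "WS01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "icacls.exe",
     # Ryuk-style: grant Everyone full control recursively over the volume
     "process": 'icacls "C:\\*" /grant Everyone:F /T /C /Q'},
    {"_time": "2024-02-09T10:16:30Z", "host": "WS01", "user": "CORP\\alice",
     "parent_process_name": "powershell.exe", "process_name": "icacls.exe",
     # Same effect, written with the Everyone SID, /grant:r and inheritance flags
     "process": 'icacls D:\\Shares /grant:r *S-1-1-0:(OI)(CI)F /T /C'},
    {"_time": "2024-02-09T11:02:12Z", "host": "SRV02", "user": "CORP\\svc_deploy",
     "parent_process_name": "msiexec.exe", "process_name": "icacls.exe",
     # Grants one service account read access: not in scope
     "process": 'icacls C:\\App /grant "CORP\\svc_app":(OI)(CI)R /T'},
    {"_time": "2024-02-09T11:05:44Z", "host": "SRV02", "user": "CORP\\bob",
     "parent_process_name": "cmd.exe", "process_name": "icacls.exe",
     # Everyone, but read only: not full control
     "process": 'icacls C:\\Public /grant Everyone:R'},
    {"_time": "2024-02-09T11:40:09Z", "host": "WS03", "user": "CORP\\carol",
     "parent_process_name": "cmd.exe", "process_name": "cacls.exe",
     # Legacy tool with the same outcome
     "process": 'cacls C:\\* /E /G Everyone:F'},
    {"_time": "2024-02-09T12:00:00Z", "host": "WS03", "user": "CORP\\carol",
     "parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "process": "notepad.exe"},
]

# Fields the rule surfaces in its alert.
REPORT_FIELDS = ("_time", "host", "user", "parent_process_name",
                 "process_name", "process")


def narrow_match(event):
    """The rule as summarised on the page: icacls.exe whose command line
    contains the literal '/grant Everyone:F' (case-insensitive)."""
    return (event["process_name"].lower() == "icacls.exe"
            and "/grant everyone:f" in event["process"].lower())


# /grant or /grant:r (icacls) or /G (cacls), then Everyone by name or by its
# well-known SID S-1-1-0, optional inheritance flags such as (OI)(CI), then
# F or (F) for full control. The trailing lookahead rejects Everyone:FX-style
# fragments; Everyone:R does not match because F is required.
FULL_CONTROL_RE = re.compile(
    r'(?:/grant(?::r)?|/g)\s+"?(?:everyone|\*s-1-1-0)"?:'
    r'(?:\([a-z]+\))*\(?f\)?(?![a-z])',
    re.IGNORECASE,
)


def broad_match(event):
    """Wider variant covering the SID spelling, inheritance flags, /grant:r
    and the legacy cacls.exe /G switch."""
    return (event["process_name"].lower() in ("icacls.exe", "cacls.exe")
            and FULL_CONTROL_RE.search(event["process"]) is not None)


def detect(events, matcher):
    """Return one report row (the rule's output fields) per flagged event."""
    return [{k: e[k] for k in REPORT_FIELDS} for e in events if matcher(e)]


if __name__ == "__main__":
    for name, matcher in (("narrow", narrow_match), ("broad", broad_match)):
        hits = detect(SAMPLE_EVENTS, matcher)
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print(f"  {h['_time']} {h['host']} {h['user']} "
                  f"{h['parent_process_name']} -> {h['process']}")
```

On the sample data the narrow matcher fires only on the Ryuk-style command line, while the broad matcher also flags the SID-spelled icacls call and the cacls variant; neither flags the read-only or single-account grants. In a production rule the broad regex belongs in the search alongside the process-name filter, with the parent process and target path kept in the output for triage.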
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1222.001
Created: 2024-02-09