Windows Files and Dirs Access Rights Modification Via Icacls

Splunk Security Content

Summary
This detection rule identifies modifications of file and directory access permissions (DACLs) made with the built-in Windows command-line tools icacls.exe, cacls.exe, or xcacls.exe. Advanced Persistent Threats (APTs) and malicious scripts such as coinminers commonly use these tools to lock down their own files and block other accounts, seeking to evade detection and maintain control over compromised systems. The rule leverages process-creation data from sources including Sysmon and Windows Event Logs, matching on command lines that indicate a permission change rather than a read-only query of the current ACL. Tampering with access rights can significantly hinder investigation and enable attackers to maintain persistent access to a system. Security analysts implementing this detection should ensure that process command lines are logged and ingested, and should expect false positives from legitimate administrative use of icacls, for example by installers and deployment scripts.
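The following is an added illustration of the detection idea described above, not the Splunk Security Content rule itself and not its SPL: a stand-alone Python re-implementation that runs over constructed Sysmon Event ID 1 / Security 4688 style process-creation records. The field names, the sample events, the set of permission-changing switches and the severity heuristic are assumptions for this example. It matches only invocations that modify rights (for example /grant, /deny, /remove, /inheritance, or the single-letter cacls equivalents), so a plain display-only `icacls C:\dir` does not fire.

```python
"""Minimal re-implementation of an icacls/cacls/xcacls ACL-modification
detector over constructed process-creation events (added example; not the
Splunk rule). Field names and sample data are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Built-in Windows tools that edit DACLs from the command line.
PERMISSION_TOOLS = {"icacls.exe", "cacls.exe", "xcacls.exe"}

# Switches that change rights, ownership or inheritance. icacls uses long
# switches; cacls/xcacls use single letters (/G grant, /D deny, /R revoke,
# /P replace). The lookahead keeps "/d" from matching inside "/deny" twice
# and ignores unrelated switches such as /T, /C, /Q or /E (cacls "edit").
MODIFY_RE = re.compile(
    r"/(grant|deny|remove|inheritance|setowner|reset|restore|g|d|r|p)(?=[:\s]|$)",
    re.IGNORECASE,
)

# Operations that take rights away are the ones attackers use to lock
# defenders out, so they get the higher severity (assumed heuristic).
HIGH_RISK_OPS = {"/deny", "/remove", "/reset", "/setowner", "/r", "/d"}


@dataclass
class Finding:
    image: str
    user: str
    target: str          # file or directory whose ACL is being changed
    operations: List[str]
    severity: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_target(tokens: List[str]) -> str:
    """First non-switch argument after the executable is the ACL target."""
    for tok in tokens[1:]:
        if not tok.startswith("/"):
            return tok.strip('"')
    return ""


def detect(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Return a Finding for every event that modifies an ACL via icacls-family tools."""
    findings: List[Finding] = []
    for ev in events:
        # Sysmon uses "Image"; Security 4688 uses "NewProcessName" (assumed mapping).
        image = ev.get("Image") or ev.get("NewProcessName", "")
        if basename(image) not in PERMISSION_TOOLS:
            continue
        cmd = ev.get("CommandLine", "")
        ops = [m.group(0).lower() for m in MODIFY_RE.finditer(cmd)]
        if not ops:
            continue  # read-only query of the ACL, not a modification
        high = bool(HIGH_RISK_OPS & set(ops)) or "/inheritance:r" in cmd.lower()
        findings.append(Finding(
            image=image,
            user=ev.get("User", ""),
            target=extract_target(cmd.split()),
            operations=ops,
            severity="high" if high else "medium",
            command_line=cmd,
        ))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\icacls.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r'icacls.exe "C:\ProgramData\svchost" /deny Everyone:(OI)(CI)(F) /T /C'},
    {"Image": r"C:\Windows\System32\icacls.exe", "User": r"CORP\alice",
     "CommandLine": r"icacls C:\Users\alice\Documents"},
    {"NewProcessName": r"C:\Windows\System32\cacls.exe", "User": r"IIS APPPOOL\DefaultAppPool",
     "CommandLine": r"cacls.exe C:\inetpub\wwwroot /E /G backdoor:F"},
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\bob",
     "CommandLine": r"notepad.exe notes_on_icacls_grant.txt"},
    {"Image": r"C:\Windows\System32\icacls.exe", "User": r"CORP\svc-deploy",
     "CommandLine": r'icacls.exe C:\Tools /grant:r "CORP\svc-deploy":(OI)(CI)M /inheritance:e'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user} -> {f.target} ops={f.operations}")
```

The second and fourth sample events show the two main ways a naive string match over-fires: a display-only icacls run and an unrelated process whose arguments happen to contain "grant". The last event is the kind of legitimate deployment-account activity the summary warns about; it still matches, so tuning would typically allow-list known service accounts or parent processes rather than weaken the command-line match.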
Categories
  • Endpoint
Data Sources
  • Pod
  • Process
  • Windows Registry
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1222.001
  • T1222
Created: 2024-12-16