Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0834: Analytic 0834

Sequential behavioral chain of privilege escalation through permission modification: (1) Process creation of permission-modifying utilities (icacls, takeown, attrib, cacls), (2) Correlation with unusual user context or timing, (3) DACL modification events targeting sensitive files/directories, (4) Subsequent file access or modification attempts indicating successful privilege bypass

EnterpriseAN0834AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic matters because it looks for a Windows behavior chain where permissions are changed on files or directories and then access is attempted afterward. For leaders, the value is not the individual use of tools like icacls or takeown, which may be legitimate, but whether the organization can recognize a suspicious sequence that could indicate a privilege boundary being bypassed around sensitive data or system paths.

Executive priority

Prioritize this as a validation point for Windows monitoring, least-privilege governance, and incident response readiness. Security leaders should ask whether sensitive file and directory permissions are monitored, whether unusual permission changes can be tied back to the user and process that made them, and whether SOC teams can distinguish approved administrative maintenance from suspicious after-hours or unusual-user activity. This can also support audit evidence around access control monitoring, but local policy and logging configuration will determine how strong that evidence is.

Technical view

For SOC and detection engineering teams, validate coverage for the described sequence: process creation of Windows permission-modifying utilities such as icacls, takeown, attrib, and cacls; correlation with unusual user context or timing; DACL modification events against sensitive files or directories; and subsequent file access or modification attempts. Because no ATT&CK tactic is specified and no formal detection logic is supplied, implementation should be environment-specific and focused on chaining events rather than alerting on utility execution alone.

Likely telemetry

  • Windows process creation telemetry showing command execution and parent-child process context
  • User identity and logon context associated with the process and file activity
  • File or directory permission change events, especially DACL modifications
  • File access or modification events following permission changes
  • Asset or path context identifying sensitive files and directories

Detection direction

  • Build correlation around the full behavioral chain rather than single-event matches on icacls, takeown, attrib, or cacls.
  • Define what counts as sensitive files and directories in the local Windows environment; the analytic depends on knowing which paths matter.
  • Tune for administrative false positives, including maintenance windows, software deployment activity, backup operations, and authorized access-control changes.
  • Correlate permission changes with unusual user context or timing where available, since the official description explicitly includes that factor.
  • Validate that DACL modification telemetry and subsequent file access telemetry are retained long enough to link the events.

Mitigation priorities

  • Start with least-privilege review for accounts allowed to modify permissions on sensitive Windows files and directories.
  • Harden and document change-control processes for legitimate permission modifications.
  • Enable and validate appropriate Windows auditing for sensitive path permission changes and follow-on access where operationally feasible.
  • Use incident response runbooks that preserve process, user, file permission, and access evidence when this sequence is observed.
  • Review monitoring exceptions regularly so authorized administrative tooling does not create permanent detection blind spots.
Analyst notes and limits

This object is a detection analytic, not a technique description. The supplied ATT&CK fields identify Windows as the platform and describe a sequential behavioral chain involving permission-modifying utilities, DACL changes, and follow-on file activity. No relationship context, tactic mapping, or official detection logic was supplied, so the strongest use is as a detection validation and telemetry coverage checklist.

The official detection field is not provided, tactics are not specified, and no related techniques, groups, software, mitigations, or data components were supplied. Any severity, coverage assessment, or business exposure determination requires local evidence such as Windows audit policy, sensitive path inventory, administrative change procedures, and SOC alert performance.

Official MITRE ATT&CK definition

Analytic 0834

Sequential behavioral chain of privilege escalation through permission modification: (1) Process creation of permission-modifying utilities (icacls, takeown, attrib, cacls), (2) Correlation with unusual user context or timing, (3) DACL modification events targeting sensitive files/directories, (4) Subsequent file access or modification attempts indicating successful privilege bypass

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
a78595f06419a251...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle a78595f06419…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0834
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use