Using cacls (or similar) for Permission Changes

  • Description: The bypasser uses command-line utilities to modify the Access Control Lists (ACLs), i.e. the permissions, on files or folders directly. cacls is the legacy command; icacls is its modern replacement with finer control over inheritance, and PowerShell's Get-Acl and Set-Acl cmdlets expose the same DACL. Whichever tool is used, the result on disk is identical, so the detection approach below does not depend on which one the cheater picked.

  • Mechanism: Bypassers run commands that grant or (more commonly) deny specific rights to chosen users or system accounts on the target object. A single Deny access control entry is enough because Windows evaluates Deny entries before Allow entries, so an explicit Deny overrides every permission the account would otherwise have.

    • Classic Example (Prefetch Bypass): A well-known technique modifies the permissions of the C:\Windows\Prefetch folder. The .pf files there are written by the SysMain (formerly Superfetch) service, which runs as the SYSTEM account, so denying SYSTEM the right to create files in that folder prevents new .pf entries from appearing. A Deny placed only on the folder stops new files; to also stop updates to existing .pf files the cheater has to make the entry inherit to the files (for example with (OI)(CI)) or deny write on each file. The folder stays visible and the SysMain service keeps running, but the artifact silently stops recording executions. Commands might look like: icacls C:\Windows\Prefetch /deny SYSTEM:(WD) (Deny Write Data / add file) or similar variations.

    • Hiding Folders: Denying the account the screenshare is conducted from (usually the player's own account, or the whole Users group) the "List folder contents" or "Read" right on a specific folder blocks File Explorer from showing what is inside it, even when hidden and system files are set to be displayed. Note that this hides the contents, not the folder itself: whether the folder's name appears in its parent's listing is governed by the parent's permissions, so the entry is still visible and opening it produces an access-denied error, which is itself a tell.

  • Why Cheaters Use It: To selectively break artifact generation (such as Prefetch) without stopping the underlying service, which a screensharer would notice in services.msc, or to block browsing of folders containing cheats or tools during the screenshare.

  • Detection:

    • Check Security Settings: Manually inspect the permissions of suspect folders (especially C:\Windows\Prefetch) or files. Right-click -> Properties -> Security tab -> Advanced. Look for explicit "Deny" entries (they are listed first), missing expected permissions (SYSTEM should have Full control on Prefetch), or unusual ownership (the folder is normally owned by TrustedInstaller or SYSTEM). From an elevated prompt, icacls C:\Windows\Prefetch prints the same ACL as text, and a tampered entry shows up as something like NT AUTHORITY\SYSTEM:(DENY)(WD).

    • USN Journal ($UsnJrnl): Changing a file's or folder's permissions sets the USN_REASON_SECURITY_CHANGE flag (0x00000800) in the journal record for that object; the record carries the object's name and its parent's file reference, from which tools reconstruct the path. A recent SECURITY_CHANGE record for a critical artifact location such as C:\Windows\Prefetch is highly indicative of tampering. The journal has a fixed size and wraps, so its absence proves nothing if the change happened long enough ago; its presence is what matters.

    • Command Logs: Look for execution of icacls.exe, cacls.exe, or the relevant PowerShell cmdlets (Set-Acl) in Prefetch, BAM, or command history. The icacls run itself often leaves an ICACLS.EXE-<hash>.pf entry, because the tool executed before its own Deny took effect, and it will be among the newest files in the folder. BAM records the executable path under HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>. PowerShell commands typed interactively are kept in %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt, and, where script block logging is enabled, in event ID 4104 of the Microsoft-Windows-PowerShell/Operational log.
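The two checks above, put into a script a screensharer can run from an elevated PowerShell prompt. This is an added example and not code from the original page: Test-PrefetchAcl inspects the live ACL and contents of C:\Windows\Prefetch, and Find-UsnSecurityChange filters USN journal records for the SECURITY_CHANGE bit. The USN parser assumes the CSV layout produced by fsutil usn readjournal C: csv on Windows 10/11 (a header row with at least "File name", "Reason" and "Time stamp" columns); the sample records embedded for the demonstration are constructed, not captured from a real machine.

```powershell
# Added example: screenshare-side checks for ACL tampering on the Prefetch folder.
# Requires an elevated prompt. Assumes Windows 10/11 with an NTFS system volume.

$Prefetch = 'C:\Windows\Prefetch'
$UsnReasonSecurityChange = 0x00000800   # USN_REASON_SECURITY_CHANGE

function Test-PrefetchAcl {
    param([string]$Path = $Prefetch)
    $acl = Get-Acl -Path $Path
    $findings = @()

    # 1. A stock Prefetch folder has no Deny entries at all.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += "Deny ACE: $($ace.IdentityReference) -> $($ace.FileSystemRights) (inherited=$($ace.IsInherited))"
        }
    }

    # 2. SysMain runs as SYSTEM and needs CreateFiles (icacls "WD") to write new .pf files.
    $systemWrite = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::CreateFiles)
    }
    if (-not $systemWrite) { $findings += 'No Allow ACE grants SYSTEM CreateFiles on Prefetch' }

    # 3. Editing the ACL of a TrustedInstaller-owned folder usually means taking ownership first.
    if ($acl.Owner -notmatch 'TrustedInstaller|SYSTEM') { $findings += "Unexpected owner: $($acl.Owner)" }

    # 4. On a working machine the newest .pf file is rarely more than minutes old.
    $pf = Get-ChildItem -Path $Path -Filter '*.pf' -ErrorAction SilentlyContinue
    $newest = $pf | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($newest) {
        $age = (Get-Date) - $newest.LastWriteTime
        if ($age.TotalHours -gt 1) { $findings += "Newest .pf ($($newest.Name)) is $([int]$age.TotalMinutes) min old" }
    } else {
        $findings += 'No .pf files present'
    }

    # 5. The tampering tool often recorded itself before its own Deny took effect.
    $pf | Where-Object { $_.Name -match '^I?CACLS\.EXE-' } | ForEach-Object {
        $findings += "Prefetch entry for ACL tool: $($_.Name) (written $($_.LastWriteTime))"
    }
    return $findings
}

function Find-UsnSecurityChange {
    # Accepts the CSV text from: fsutil usn readjournal C: csv
    param([Parameter(ValueFromPipeline = $true)][string[]]$CsvLines, [string]$NamePattern = 'Prefetch')
    begin { $buffer = @() }
    process { $buffer += $CsvLines }
    end {
        $buffer | ConvertFrom-Csv | Where-Object {
            $reason = [Convert]::ToInt64($_.Reason.Trim(), 16)   # column holds hex such as 0x00000800
            ($reason -band $UsnReasonSecurityChange) -ne 0 -and $_.'File name' -match $NamePattern
        } | Select-Object 'Time stamp', 'File name', 'Reason'
    }
}

# Constructed sample records (not real journal output) to show what the filter keeps:
$sampleCsv = @(
    'Usn,File name,File name length,Reason,Time stamp,File attributes,File ID,Parent file ID',
    '1001,NOTEPAD.EXE-D8414F97.pf,24,0x80000100,5/1/2024 10:01:12,0x00000020,0x1,0x2',
    '1002,Prefetch,8,0x00000800,5/1/2024 10:02:40,0x00000010,0x2,0x3',
    '1003,cheat_notes.txt,15,0x00000800,5/1/2024 10:03:05,0x00000020,0x4,0x5'
)
$sampleCsv | Find-UsnSecurityChange                 # prints only the Prefetch SECURITY_CHANGE record
$sampleCsv | Find-UsnSecurityChange -NamePattern '.' # every SECURITY_CHANGE record, any name

Test-PrefetchAcl
# Live journal: fsutil usn readjournal C: csv | Find-UsnSecurityChange
```

The ACL findings are advisory: a Deny entry for SYSTEM or a missing CreateFiles grant is close to conclusive, while a stale newest .pf on its own can have innocent causes (SysMain disabled by a tuning guide, an SSD-only system with prefetching turned off), so pair it with the other indicators. To restore the folder after confirming tampering, icacls C:\Windows\Prefetch /remove:d SYSTEM strips the Deny entries for SYSTEM without touching the rest of the ACL.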
