[Mal Series #18] icacls.exe — Access denied or granted?

GhouLSec
2 min read · Apr 3, 2021

What can icacls 🤔 do, and how does malware 😈 abuse it during an operation?

Based on ss64.com, it is capable of:

Change file and folder permissions — display or modify Access Control Lists (ACLs) for files and folders.
iCACLS resolves various issues that occur when using the older CACLS & XCACLS.

Some of the common icacls parameters that malware uses are /deny and /grant. Sometimes malware abuses the takeown (used to take ownership of a file) and icacls /reset combination to get access to a certain service.

From what I have found, malware executes icacls to
- Prevent its own file from being removed.
- Get full access to certain files/folders so that no issue occurs during the encryption process.
- Change the access privileges of a certain user group to a file/folder.
- Gain access to certain services.

Prevent file deletion (e.g. STOP ransomware)

icacls <file> /deny s-1-1-0:(IO)(CI)(DE,DC)

Prevent any issue from occurring during the encryption process (e.g. WannaCry & REvil)

icacls "C:\*" /grant Everyone:F /T /C /Q

Malware stealer (possibly the Ave Maria loader)

icacls "C:\ProgramData\{S91RLWPZ-SX2K-ISZN-IG1O-726R3DHAEBYB}" /inheritance:e /deny "Users:(R,REA,RA,RD)"

A few similar icacls processes are executed to deny certain user groups access to that folder.

Take control of a service (e.g. BitPaymer)

takeown.exe /F <service_name>
icacls.exe <service_name> /reset

Make sure the file can be run under a higher-privileged user group (e.g. ServHelper)

takeown.exe /A /F rfxvmt.dll
icacls.exe rfxvmt.dll /inheritance:d
icacls.exe rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
icacls.exe rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

icacls.exe rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
icacls.exe rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

Remove access to SmartScreen (full script used in one REvil operation)

icacls "%systemroot%\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18

SID to account name

  • S-1-1-0 Everyone
  • S-1-5-32-544 Administrators
  • S-1-5-11 Authenticated Users
  • S-1-5-32-545 Users
  • S-1-5-18 Local System
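As an added example that is not part of the original post, the following Python classifier tags process-creation command lines (for instance the CommandLine field of Windows event 4688 or Sysmon Event ID 1) with the icacls and takeown patterns listed above, and correlates a takeown on a target with a later icacls on the same target, which is the BitPaymer and ServHelper combo. Sample command lines other than those quoted in the post are constructed for the example.

```python
import re
WELL_KNOWN_SIDS = {  # the post's SID table, used to name principals in /deny and /remove
    "S-1-1-0": "Everyone", "S-1-5-32-544": "Administrators", "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "Users", "S-1-5-18": "Local System"}

def tokenize(cmdline):  # split on whitespace, keeping quoted arguments whole
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def sid_name(token):  # *S-1-5-18 or S-1-1-0:(DE,DC) -> friendly name when known
    principal = token.lstrip("*").split(":", 1)[0]
    return WELL_KNOWN_SIDS.get(principal.upper(), principal)

def classify(cmdline):
    """Return (tool, target, findings) for one icacls/takeown command line, or None."""
    toks = tokenize(cmdline)
    tool = toks[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe") if toks else ""
    if tool not in ("icacls", "takeown"):
        return None
    args, low = toks[1:], [a.lower() for a in toks[1:]]
    if tool == "takeown":  # takeown's target follows /F; icacls takes it as first argument
        i = low.index("/f") + 1 if "/f" in low else len(low)
        return (tool, low[i] if i < len(low) else "", ["takeown"])
    target, found = (low[0] if low else ""), []
    for i, a in enumerate(low):
        nxt = low[i + 1] if i + 1 < len(low) else ""
        if a == "/deny" and nxt:  # STOP denies delete on itself; Ave Maria locks a folder
            kind = "deny-delete" if re.search(r"\b(de|dc)\b", nxt) else "deny"
            found.append(kind + ":" + sid_name(args[i + 1]))
        elif a == "/grant" and nxt.startswith(("everyone:f", "*s-1-1-0:f")) and "/t" in low:
            found.append("grant-everyone-full-recursive")  # WannaCry / REvil before encrypting
        elif a == "/reset":
            found.append("reset-acl")  # BitPaymer, right after takeown
        elif a == "/setowner" and "trustedinstaller" in nxt:
            found.append("setowner-trustedinstaller")  # ServHelper
        elif a == "/remove":  # REvil stripping every group off smartscreen.exe
            gone = [sid_name(x) for x in args[i + 1:] if not x.startswith("/")]
            found.append("remove:" + ",".join(gone))
    return (tool, target, found)

def takeown_icacls_combos(cmdlines):
    """Over one host's ordered command lines, return targets taken with takeown then re-ACLed."""
    owned, combos = set(), []
    for line in cmdlines:
        hit = classify(line)
        if hit and hit[0] == "takeown":
            owned.add(hit[1])
        elif hit and hit[1] in owned and hit[2]:
            combos.append((hit[1], hit[2]))
    return combos
```

Feed it the command lines of one host in order; a lone icacls /inheritance:d after takeown is not reported, only the line that actually changes the ACL or owner is.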
