Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

ID: M1022
Version: 1.1
Created: 06 June 2019
Last Modified: 20 May 2020

Techniques Addressed by Mitigation

Domain ID Name Use
Enterprise T1548 Abuse Elevation Control Mechanism

The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.

.003 Sudo and Sudo Caching

The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.

.006 TCC Manipulation

When using an MDM, ensure the permissions granted are specific to the requirements of the binary. Full Disk Access should be restricted to only necessary binaries in alignment with policy.

Enterprise T1098 Account Manipulation

Restrict access to potentially sensitive files that deal with authentication and/or authorization.

.004 SSH Authorized Keys

Restrict access to the authorized_keys file.

Enterprise T1547 .003 Boot or Logon Autostart Execution: Time Providers

Consider using Group Policy to configure and block additions/modifications to W32Time DLLs. [1]

.009 Boot or Logon Autostart Execution: Shortcut Modification

Applying strict permissions to directories where shortcuts are stored, such as the startup folder, can prevent unauthorized modifications.

.013 Boot or Logon Autostart Execution: XDG Autostart Entries

Restrict write access to XDG autostart entries to only select privileged users.

Enterprise T1037 Boot or Logon Initialization Scripts

Restrict write access to logon scripts to specific administrators.

.002 Login Hook

Restrict write access to logon scripts to specific administrators.

.003 Network Logon Script

Restrict write access to logon scripts to specific administrators.

.004 RC Scripts

Limit privileges of user accounts so only authorized users can edit the rc.common file.

.005 Startup Items

Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered.

Enterprise T1543 Create or Modify System Process

Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services.

.001 Launch Agent

Set group policies to restrict file permissions to the ~/launchagents folder.[2]

.002 Systemd Service

Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.

Enterprise T1530 Data from Cloud Storage

Use access control lists on storage systems and objects.

Enterprise T1565 Data Manipulation

Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.

.001 Stored Data Manipulation

Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.

.003 Runtime Data Manipulation

Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code.

Enterprise T1546 .004 Event Triggered Execution: Unix Shell Configuration Modification

Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.

.013 Event Triggered Execution: PowerShell Profile

Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.

Enterprise T1048 Exfiltration Over Alternative Protocol

Use access control lists on cloud storage systems and objects.

Enterprise T1222 File and Directory Permissions Modification

Applying more restrictive permissions to files and directories could prevent adversaries from modifying their access control lists. Additionally, ensure that user settings regarding local and remote symbolic links are properly set or disabled where unneeded.[3]

.001 Windows File and Directory Permissions Modification

Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.

.002 Linux and Mac File and Directory Permissions Modification

Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.

Enterprise T1564 .004 Hide Artifacts: NTFS File Attributes

Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. [4]

Enterprise T1574 Hijack Execution Flow

Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.

.004 Dylib Hijacking

Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders.

.007 Path Interception by PATH Environment Variable

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.

.008 Path Interception by Search Order Hijacking

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.

.009 Path Interception by Unquoted Path

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.

.014 AppDomainManager

Install .NET applications and related software in write-protected locations. Set directory access controls to prevent file writes to the search paths for .NET applications, both in the folders where applications are run from and the standard resources folders.

Enterprise T1562 Impair Defenses

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.

.001 Disable or Modify Tools

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.

.002 Disable Windows Event Logging

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at C:\Windows\system32\Winevt\Logs[5], have the proper file permissions for limited, legitimate access and audit policies for detection.

.004 Disable or Modify System Firewall

Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings.

.006 Indicator Blocking

Ensure event tracers/forwarders [6], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls.

Enterprise T1070 Indicator Removal

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

.001 Clear Windows Event Logs

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

.002 Clear Linux or Mac System Logs

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

.003 Clear Command History

Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.

.008 Clear Mailbox Data

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

.009 Clear Persistence

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Enterprise T1036 Masquerading

Use file system access controls to protect folders such as C:\Windows\System32.

.003 Rename System Utilities

Use file system access controls to protect folders such as C:\Windows\System32.

.005 Match Legitimate Name or Location

Use file system access controls to protect folders such as C:\Windows\System32.

Enterprise T1556 Modify Authentication Process

Restrict write access to the /Library/Security/SecurityAgentPlugins directory.

Enterprise T1055 .009 Process Injection: Proc Memory

Restrict the permissions on sensitive files such as /proc/[pid]/maps or /proc/[pid]/mem.

Enterprise T1563 .001 Remote Service Session Hijacking: SSH Hijacking

Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities.

Enterprise T1053 Scheduled Task/Job

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

.006 Systemd Timers

Restrict read/write access to systemd .timer unit files to only select privileged users who have a legitimate need to manage system services.

Enterprise T1489 Service Stop

Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.

Enterprise T1553 .003 Subvert Trust Controls: SIP and Trust Provider Hijacking

Restrict storage and execution of SIP DLLs to protected directories, such as C:\Windows, rather than user directories.

Enterprise T1218 .002 System Binary Proxy Execution: Control Panel

Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.

Enterprise T1569 System Services

Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.

.002 Service Execution

Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.

Enterprise T1080 Taint Shared Content

Protect shared folders by minimizing users who have write access.

Enterprise T1552 Unsecured Credentials

Restrict file shares to specific directories with access only to necessary users.

.001 Credentials In Files

Restrict file shares to specific directories with access only to necessary users.

.004 Private Keys

Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the nonexportable flag during RSA key pair generation.[7]

References