Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

ID: M1022
Version: 1.0
Created: 06 June 2019
Last Modified: 06 June 2019

Techniques Addressed by Mitigation

Domain ID Name Description
Enterprise T1156 .bash_profile and .bashrc

Making these files immutable and changeable only by specific administrators limits adversaries' ability to easily create user-level persistence.

Enterprise T1146 Clear Command History

Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history files.

Enterprise T1196 Control Panel Items

Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.

Enterprise T1081 Credentials in Files

Restrict file shares to specific directories with access only to necessary users.

Enterprise T1530 Data from Cloud Storage Object

Use access control lists on storage systems and objects.

Enterprise T1089 Disabling Security Tools

Ensure proper process, Registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.

Enterprise T1073 DLL Side-Loading

Install software in write-protected locations.

Enterprise T1157 Dylib Hijacking

Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders.

Enterprise T1054 Indicator Blocking

Ensure event tracers/forwarders, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls.[2]

Enterprise T1070 Indicator Removal on Host

Protect locally stored event files with proper permissions and authentication, and limit adversaries' ability to raise their privileges by closing off Privilege Escalation opportunities.

Enterprise T1037 Logon Scripts

Restrict write access to logon scripts to specific administrators.

Enterprise T1036 Masquerading

Use file system access controls to protect folders such as C:\Windows\System32.

Enterprise T1096 NTFS File Attributes

Consider adjusting read and write permissions for NTFS extended attributes (EA), though this should be tested to ensure routine OS operations are not impeded.

Enterprise T1034 Path Interception

Require that all executables be placed in write-protected directories.

Enterprise T1150 Plist Modification

Prevent plist files from being modified by users by making them read-only.

Enterprise T1504 PowerShell Profile

Making PowerShell profiles immutable and changeable only by specific administrators limits adversaries' ability to easily create user-level persistence.

Enterprise T1145 Private Keys

Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access.

Enterprise T1494 Runtime Data Manipulation

Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code.

Enterprise T1035 Service Execution

Ensure that service binaries running at a high permission level cannot be replaced or modified by users with a lower permission level.

Enterprise T1489 Service Stop

Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.

Enterprise T1051 Shared Webroot

Disable execution on directories within the webroot. Ensure proper permissions on directories that are accessible through a Web server.

Enterprise T1198 SIP and Trust Provider Hijacking

Restrict storage and execution of SIP DLLs to protected directories, such as C:\Windows, rather than user directories.

Enterprise T1184 SSH Hijacking

Ensure proper file permissions are set and harden the system to prevent root privilege escalation opportunities.

Enterprise T1165 Startup Items

Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered.

Enterprise T1492 Stored Data Manipulation

Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.

Enterprise T1169 Sudo

The sudoers file should be edited strictly so that passwords are always required and users cannot spawn risky processes as users with higher privileges.

Enterprise T1501 Systemd Service

Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.

Enterprise T1080 Taint Shared Content

Protect shared folders by minimizing users who have write access.

Enterprise T1209 Time Providers

Consider using Group Policy to configure and block additions/modifications to W32Time DLLs.[1]
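The entries above share one check a defender can script: for each file or directory that a loader, shell or service reads at startup, confirm that only the intended privileged owner can write to it. The following audit is an added example written for this page; it is not MITRE's code and not part of ATT&CK. The DEFAULT_PATHS list is an illustrative assumption for Linux/macOS hosts (profile files, sudoers, systemd unit directory, the deprecated StartupItems directory), not a complete inventory, and the lsattr-based immutability check applies only to Linux filesystems that support chattr +i (macOS uchg and Windows ACLs are not covered).

```python
# Added example (not MITRE/ATT&CK code): audit persistence-relevant paths for the
# write permissions M1022 says to restrict. DEFAULT_PATHS is an illustrative
# assumption, not an authoritative list.
import os
import shutil
import stat
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample of paths referred to by the entries above (assumed, Linux/macOS).
DEFAULT_PATHS = [
    "/etc/profile",
    "/etc/bash.bashrc",
    "/etc/sudoers",
    "/etc/systemd/system",
    "/Library/StartupItems",
]


@dataclass(frozen=True)
class Finding:
    path: str
    issue: str


def audit_path(path: str, expected_owner_uid: int = 0,
               allow_group_write: bool = False) -> List[Finding]:
    """Check one file or directory against 'only the privileged owner may write'.

    Returns [] when the path is absent (nothing to protect) or compliant.
    """
    try:
        st = os.lstat(path)          # lstat: do not follow symlinks silently
    except FileNotFoundError:
        return []
    mode = st.st_mode
    findings: List[Finding] = []
    if stat.S_ISLNK(mode):
        # A symlink in a protected location lets whoever controls it redirect
        # what gets loaded; report it rather than auditing the target instead.
        findings.append(Finding(path, "symlink (target not checked)"))
        return findings
    if mode & stat.S_IWOTH:
        findings.append(Finding(path, "world-writable"))
    if (mode & stat.S_IWGRP) and not allow_group_write:
        findings.append(Finding(path, "group-writable"))
    if st.st_uid != expected_owner_uid:
        findings.append(Finding(
            path, f"owned by uid {st.st_uid}, expected {expected_owner_uid}"))
    if stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
        # World-writable directory without the sticky bit: any user can delete
        # or replace entries (e.g. drop a new unit file or startup item).
        findings.append(Finding(path, "world-writable directory without sticky bit"))
    return findings


def audit(paths: Iterable[str], expected_owner_uid: int = 0,
          allow_group_write: bool = False) -> List[Finding]:
    """Run audit_path over every path and collect the findings."""
    out: List[Finding] = []
    for p in paths:
        out.extend(audit_path(p, expected_owner_uid, allow_group_write))
    return out


def is_immutable(path: str) -> Optional[bool]:
    """Linux only: True if the chattr +i flag is set, None if lsattr is absent or fails."""
    if shutil.which("lsattr") is None:
        return None
    proc = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.split():
        return None
    flags = proc.stdout.split()[0]   # e.g. "----i---------e-------"
    return "i" in flags


if __name__ == "__main__":
    for f in audit(DEFAULT_PATHS):
        print(f"{f.path}: {f.issue}")
    for p in ("/etc/profile", "/etc/bash.bashrc"):
        print(f"{p} immutable: {is_immutable(p)}")
```

Run it as root (expected_owner_uid defaults to 0) and feed it your own inventory of startup files, unit directories and logon-script locations; an empty result means every listed path is owned by root and writable by nobody else. Because a symlink is reported rather than followed, a replaced profile file shows up even when its target has tidy permissions.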

References