File and Directory Permissions Modification

File and directory permissions are commonly managed by discretionary access control lists (DACLs) specified by the file or directory owner. File and directory DACL implementations vary by platform, but they generally designate explicitly which users/groups can perform which actions (e.g., read, write, execute). [1] [2] [3]

Adversaries may modify file or directory permissions/attributes to evade intended DACLs. [4] [5] Modifications may include changing specific access rights, which, depending on the file or directory's existing permissions, may first require taking ownership of the file or directory and/or elevated permissions such as Administrator/root. The goal is to enable malicious activity such as modifying, replacing, or deleting specific files/directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features or Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.

ID: T1222
Tactic: Defense Evasion
Platform: Linux, Windows, macOS
Permissions Required: User, Administrator, SYSTEM, root
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Windows event logs
Defense Bypassed: File system access controls
Contributors: CrowdStrike Falcon OverWatch; Jan Miller, CrowdStrike
Version: 2.0

Procedure Examples

Name: APT32
Description: APT32's macOS backdoor changes the permission of the file it wants to execute to 755. [9]

Name: JPIN
Description: JPIN can use the command-line utility cacls.exe to change file permissions. [6]

Name: OSX/Shlayer
Description: OSX/Shlayer can use the chmod utility to set a .app file as executable. [8]

Name: WannaCry
Description: WannaCry uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and grant all users full access controls. [7]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor and investigate attempts to modify DACLs and file/directory ownership, such as use of icacls [10], takeown [11], attrib [12], and PowerShell Set-Acl [13] in Windows and chmod [14]/chown [15] in macOS/Linux. Many of these are built-in system utilities and may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. Windows Security Log events (Event ID 4670) are used when DACLs are modified. [16]
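As an added example that is not part of the ATT&CK page, the following Python detector applies the guidance above to constructed process-creation events: it flags the utilities named here (icacls, cacls, takeown, attrib, chmod, chown, and PowerShell Set-Acl on the command line) and raises severity for traits such as the WannaCry grant to Everyone, recursive application, hidden attributes and execute bits. The pipe-delimited event layout, field names and sample values are assumptions of this example, not a real log format.

```python
"""Flag process-creation events whose command line changes file/directory
permissions, ownership or attributes (T1222).  Event lines use a constructed
"timestamp|host|user|image|cmdline" layout assumed by this example only."""
import re
from typing import Dict, List, Optional
# Utilities named in the Detection section; Set-Acl is matched on the command line.
PERMISSION_TOOLS = {"icacls.exe", "cacls.exe", "takeown.exe", "attrib.exe", "chmod", "chown"}

# Command-line traits that raise severity: broad grants, recursion, hiding, execute bits, ownership.
HIGH_RISK = [
    (re.compile(r"/grant(:r)?\s+Everyone:F", re.I), "grants Everyone full control"),
    (re.compile(r"(^|\s)/T(\s|$)", re.I), "applies recursively (/T)"),
    (re.compile(r"(^|\s)\+h(\s|$)", re.I), "hides file (attrib +h)"),
    (re.compile(r"\bchmod\s+(-R\s+)?([ugoa]*\+x|[0-7]*7[0-7]*)\b"), "sets execute bits"),
    (re.compile(r"\bchown\s+(-R\s+)?\S+"), "changes ownership"),
    (re.compile(r"\bset-acl\b", re.I), "PowerShell Set-Acl"),
]

def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one event line into fields; None if malformed."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    ts, host, user, image, cmdline = parts
    image = image.replace("\\", "/").rsplit("/", 1)[-1].lower()  # basename only
    return {"ts": ts, "host": host, "user": user, "image": image, "cmdline": cmdline}

def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert for permission-changing commands, else None."""
    reasons = [why for pat, why in HIGH_RISK if pat.search(event["cmdline"])]
    if event["image"] not in PERMISSION_TOOLS and "PowerShell Set-Acl" not in reasons:
        return None
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "tool": event["image"], "severity": "high" if reasons else "low",
            "reasons": reasons}

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run all lines through the detector; high-severity alerts sort first."""
    events = (e for e in map(parse_event, lines) if e)
    alerts = [a for a in map(classify, events) if a]
    return sorted(alerts, key=lambda a: a["severity"] != "high")

# Constructed sample telemetry; the icacls line is the WannaCry command from the page.
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00Z|ws01|alice|C:\\Windows\\System32\\icacls.exe|icacls . /grant Everyone:F /T /C /Q",
    "2024-01-01T10:00:01Z|ws01|alice|C:\\Windows\\System32\\attrib.exe|attrib +h C:\\Users\\alice\\payload.exe",
    "2024-01-01T10:00:02Z|mac01|bob|/bin/chmod|chmod 755 /Users/bob/Downloads/Player.app/Contents/MacOS/Player",
    "2024-01-01T10:00:03Z|srv01|svc|/bin/chmod|chmod 644 /var/www/html/index.html",
    "2024-01-01T10:00:04Z|ws02|carol|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
]
```

Low-severity hits such as the chmod 644 line are the baseline noise the page warns about; they are kept so they can be correlated with other activity rather than alerted on individually.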

References