File and Directory Permissions Modification

File and directory permissions are commonly managed by discretionary access control lists (DACLs) specified by the file or directory owner. File and directory DACL implementations vary by platform, but generally designate explicitly which users/groups can perform which actions (e.g. read, write, execute). [1] [2] [3]

Adversaries may modify file or directory permissions/attributes to evade the intended DACLs. [4] [5] Modifications may include changing specific access rights; depending on the file or directory's existing permissions, this may require first taking ownership of it and/or holding elevated permissions such as Administrator/root. The goal is to enable malicious activity such as modifying, replacing, or deleting specific files/directories. Such permission changes may be a required step for many techniques, such as establishing Persistence via Accessibility Features or Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.

ID: T1222
Tactic: Defense Evasion
Platform: Linux, Windows, macOS
Permissions Required: User, Administrator, SYSTEM, root
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Windows event logs
Defense Bypassed: File system access controls
Contributors: CrowdStrike Falcon OverWatch; Jan Miller, CrowdStrike
Version: 2.0
Created: 17 October 2018
Last Modified: 09 July 2019

Procedure Examples

- APT32: APT32's macOS backdoor changes the permission of the file it wants to execute to 755. [9]
- JPIN: JPIN can use the command-line utility cacls.exe to change file permissions. [6]
- OSX/Shlayer: OSX/Shlayer can use the chmod utility to set a .app file as executable. [8]
- WannaCry: WannaCry uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and grant all users full access controls. [7]


Mitigation

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor and investigate attempts to modify DACLs and file/directory ownership, such as use of icacls [10], takeown [11], attrib [12], and PowerShell Set-Acl [13] on Windows and chmod [14]/chown [15] on macOS/Linux. Many of these are built-in system utilities and may generate a high volume of false positive alerts, so compare against baseline knowledge of how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. Windows Security Log event ID 4670 is recorded when an object's DACL is modified. [16]