File Permissions Modification

File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementation may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.). [1] [2] [3]

Adversaries may modify file permissions/attributes to evade intended DACLs. [4] [5] Modifications may include changing specific access rights, which may require taking ownership of a file and/or elevated permissions such as Administrator/root, depending on the file's existing permissions, in order to enable malicious activity such as modifying, replacing, or deleting specific files. Such file modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features or Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.

ID: T1222
Tactic: Defense Evasion
Platform: Linux, Windows, macOS
Permissions Required: User, Administrator, SYSTEM, root
Data Sources: File monitoring, Process monitoring, Process command-line parameters, Windows event logs
Defense Bypassed: File system access controls
Contributors: Jan Miller, CrowdStrike
Version: 1.0

Procedure Examples

Name      Description
--------  ------------------------------------------------------------------------------
APT32     APT32's macOS backdoor changes the permission of the file it wants to execute to 755. [8]
JPIN      JPIN can use the command-line utility cacls.exe to change file permissions. [6]
WannaCry  WannaCry uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and grant all users full access controls. [7]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Monitor and investigate attempts to modify DACLs and file ownership, such as use of icacls [9], takeown [10], attrib [11], and PowerShell Set-Acl [12] in Windows and chmod [13]/chown [14] in macOS/Linux. Many of these are built-in system utilities and may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Consider enabling file permission change auditing on folders containing key binary/configuration files. Windows Security Log events (Event ID 4670) are used when DACLs are modified. [15]
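The following is an added detection example, not code from the ATT&CK page or any of the cited vendors. It triages the two telemetry sources the Detection section names: process command lines invoking icacls, cacls, takeown, attrib, Set-Acl, chmod and chown, and Windows Security event 4670 records whose old and new security descriptors (SDDL) are compared to spot full access newly granted to a broad principal such as Everyone. Risk weights and a fleet baseline list separate routine usage ("review"/"baseline") from the patterns the Procedure Examples show ("high"). All sample command lines, paths, SIDs in the baseline, the event field names and the weights are constructed assumptions for illustration; the real 4670 XML schema differs from the simplified dict used here.

```python
"""Added example (not from the ATT&CK page or any vendor): triage T1222-style
permission changes from process command lines and Windows event 4670.
All sample inputs, paths, field names and weights below are constructed."""
import re
from dataclasses import dataclass

# Utilities listed in the Detection section, matched as the command's image/verb.
TOOL_RE = re.compile(
    r"(?:^|[\\/\s\"'])(icacls|cacls|takeown|attrib|set-acl|chmod|chown)(?:\.exe)?\b", re.I)

# (pattern, weight, reason). Weights let noisy-but-legitimate changes land in
# "review" instead of "high"; that is the baseline comparison the page recommends.
RISK_RULES = [
    (re.compile(r"/grant\S*\s+(?:everyone|\*s-1-1-0|users)\s*:\s*\(?f\)?", re.I), 3,
     "grants full control to a broad principal"),
    (re.compile(r"\bchmod\s+(?:-[A-Za-z]+\s+)*[0-7]?[0-7][0-7][2367]\b"), 3, "makes file world-writable"),
    (re.compile(r"\battrib\b.*\+h", re.I), 2, "sets the hidden attribute"),
    (re.compile(r"\btakeown\b", re.I), 2, "takes ownership of the object"),
    (re.compile(r"\bchmod\s+(?:-[A-Za-z]+\s+)*(?:[ugoa]*\+\w*x|[0-7]?[0-7][0-7][1357]\b)"), 1,
     "makes file executable for others"),
    (re.compile(r"\bchown\b"), 1, "changes file owner"),
    (re.compile(r"\bset-acl\b", re.I), 1, "PowerShell Set-Acl invocation"),
]

# Constructed baseline: command lines known to be routine on this fleet (hypothetical agent).
BASELINE = [re.compile(p, re.I) for p in (
    r"^icacls\s+\"?C:\\ProgramData\\CompanyAgent\\",
    r"^chmod\s+\+x\s+/usr/local/bin/",
)]

@dataclass
class Finding:
    source: str
    severity: str        # "high" | "review" | "baseline"
    reasons: list

def assess_command_line(cmd):
    """Return a Finding for a permission-changing command line, or None otherwise."""
    m = TOOL_RE.search(cmd)
    if not m:
        return None
    tool = m.group(1).lower()
    if any(b.search(cmd) for b in BASELINE):
        return Finding(cmd, "baseline", [f"{tool}: matches fleet baseline"])
    hits = [(w, why) for rx, w, why in RISK_RULES if rx.search(cmd)]
    score = sum(w for w, _ in hits)
    return Finding(cmd, "high" if score >= 2 else "review",
                   [why for _, why in hits] or [f"{tool} invocation"])

# Event 4670 carries the old and new security descriptor in SDDL form.
ACE_RE = re.compile(r"\(([^)]*)\)")
BROAD_SIDS = {"WD", "BU", "AU", "S-1-1-0", "S-1-5-11"}   # Everyone, Users, Authenticated Users
FULL_RIGHTS = {"FA", "GA", "0x1f01ff"}

def aces(sddl):
    """Parse SDDL ACEs "(type;flags;rights;obj;inh_obj;sid)" into (type, rights, sid)."""
    out = set()
    for body in ACE_RE.findall(sddl):
        parts = body.split(";")
        if len(parts) >= 6:
            out.add((parts[0], parts[2], parts[5]))
    return out

def widened_to_broad_principal(old_sd, new_sd):
    """Trustees from BROAD_SIDS that gain full access in new_sd but lacked it in old_sd."""
    added = aces(new_sd) - aces(old_sd)
    return sorted(sid for t, rights, sid in added
                  if t == "A" and rights in FULL_RIGHTS and sid in BROAD_SIDS)

def assess_event_4670(ev):
    """ev: dict with simplified 4670 fields (constructed names, not the exact XML schema)."""
    if ev.get("EventID") != 4670:
        return None
    sids = widened_to_broad_principal(ev["OldSd"], ev["NewSd"])
    src = f"4670 {ev['ObjectName']} by {ev['SubjectUserName']} via {ev['ProcessName']}"
    return Finding(src, "high" if sids else "review",
                   [f"full access granted to {s}" for s in sids] or ["DACL changed"])

# Constructed sample telemetry (first line is the WannaCry pattern quoted on the page).
SAMPLE_CMDLINES = [
    "icacls . /grant Everyone:F /T /C /Q",
    'attrib +h "C:\\Users\\Public\\payload.bin"',
    'takeown /f "C:\\Program Files\\App\\service.exe"',
    "chmod 755 /Users/Shared/.update",
    'icacls "C:\\ProgramData\\CompanyAgent\\logs" /grant Users:(OI)(CI)RX',
    "chown root:root /tmp/x",
    'powershell -c "Set-Acl -Path C:\\x -AclObject $acl"',
    "notepad.exe C:\\notes.txt",
]
SAMPLE_4670 = {"EventID": 4670, "SubjectUserName": "alice",
               "ProcessName": "C:\\Windows\\System32\\icacls.exe",
               "ObjectName": "C:\\ProgramData\\App\\config.ini",
               "OldSd": "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)",
               "NewSd": "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;WD)"}

def triage(cmdlines=SAMPLE_CMDLINES, events=(SAMPLE_4670,)):
    """Run both assessors and return the findings in input order."""
    findings = [f for f in map(assess_command_line, cmdlines) if f]
    return findings + [f for f in map(assess_event_4670, events) if f]

if __name__ == "__main__":
    for f in triage():
        print(f"[{f.severity:8}] {f.source}  ->  {'; '.join(f.reasons)}")
```

Run stand-alone it prints one line per finding. The 4670 comparison is the more robust signal of the two: a command line can be obfuscated or issued through a script host, but the old/new descriptor pair in the event records exactly which trustee gained which rights regardless of the tool used. The baseline list and the weights are where site-specific tuning belongs, as the page notes these utilities are common in normal administration.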

References