File Permissions Modification

File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementations may vary by platform, but generally designate explicitly which users/groups can perform which actions (e.g., read, write, execute). [1] [2] [3]

Adversaries may modify file permissions/attributes to evade intended DACLs. [4] [5] Such modifications may include changing specific access rights, which, depending on the file's existing permissions, may first require taking ownership of the file and/or elevated permissions such as Administrator/root; the aim is to enable malicious activity such as modifying, replacing, or deleting specific files. Specific file modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features or Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.
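Because the technique changes on-disk ownership and permission bits, one defensive check is to baseline those attributes for key binary/configuration files and report drift. The following is an added example, not part of the ATT&CK page; it uses POSIX semantics via os.stat (on Windows, st_mode only reflects the read-only attribute, so a DACL-aware check would need the Windows security API instead). The file path, its contents and the 0600 to 0666 change are constructed for the demonstration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class PermRecord:
    """Owner, group and permission bits of one file (POSIX semantics)."""
    mode: int   # permission bits only, file-type bits stripped
    uid: int
    gid: int


def snapshot(paths):
    """Record owner and permission bits for every path that exists."""
    records = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue                      # reported as "missing" by diff_snapshots
        records[path] = PermRecord(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return records


def diff_snapshots(baseline, current):
    """Return (path, field, old, new) tuples for every drift from the baseline."""
    findings = []
    for path, base in baseline.items():
        now = current.get(path)
        if now is None:
            findings.append((path, "missing", base, None))
            continue
        for field in ("mode", "uid", "gid"):
            old, new = getattr(base, field), getattr(now, field)
            if old != new:
                findings.append((path, field, old, new))
    return findings


def format_finding(finding):
    """Human-readable line; modes are printed in octal as chmod would show them."""
    path, field, old, new = finding
    if field == "mode":
        return f"{path}: mode {old:04o} -> {new:04o}"
    return f"{path}: {field} {old} -> {new}"


def demo():
    """Constructed scenario: a config file that loses its owner-only restriction."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "app.conf")      # hypothetical key config file
        with open(cfg, "w") as fh:
            fh.write("db_password=placeholder\n")
        os.chmod(cfg, 0o600)
        baseline = snapshot([cfg])
        os.chmod(cfg, 0o666)                     # the kind of change to flag
        return diff_snapshots(baseline, snapshot([cfg]))


if __name__ == "__main__":
    for f in demo():
        print(format_finding(f))
```

In practice the baseline would be stored from a known-good state and re-checked on a schedule or from a file-monitoring hook; a "missing" finding is worth treating like a mode change, since replacing a file is one of the outcomes the permission change enables.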

ID: T1222

Tactic: Defense Evasion

Platform: Linux, Windows, macOS

Permissions Required: User, Administrator, SYSTEM, root

Data Sources: File monitoring, Process monitoring, Process command-line parameters, Windows event logs

Defense Bypassed: File system access controls

Contributors: Jan Miller, CrowdStrike

Version: 1.0

Examples

Name: JPIN

Description: JPIN can use the command-line utility cacls.exe to change file permissions. [6]

Mitigation

This type of technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.

Detection

Monitor and investigate attempts to modify DACLs and file ownership, such as use of icacls [7], takeown [8], attrib [9], and PowerShell Set-Acl [10] on Windows and chmod [11]/chown [12] on macOS/Linux. Many of these are built-in system utilities and may generate a high volume of false positive alerts, so compare against baseline knowledge of how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Consider enabling file permission change auditing on folders containing key binary/configuration files. Windows Security Log Event ID 4670 is generated when a DACL is modified. [13]
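The detection guidance above (flag the named utilities, suppress known-good baseline activity, escalate on key locations, and correlate the Event ID 4670 audit record with the process that caused it) can be run over telemetry as follows. This is an added example and not code from ATT&CK or from any of the cited tools; the key=value log format, the hosts, users, paths, the baseline allow-list and the watched-directory list are all constructed or assumed for the demonstration.

```python
import re

# Utilities named in the Detection section (Windows and macOS/Linux), matched as
# whole words so that e.g. "attribute" does not trigger on "attrib".
PERM_TOOL = re.compile(r"(?i)\b(icacls|cacls|takeown|attrib|set-acl|chmod|chown|chgrp)(\.exe)?\b")

# Constructed baseline: (user, image) pairs known to change permissions legitimately
# on these hosts, e.g. package managers and installers.
BASELINE_ALLOW = {
    ("root", "/usr/bin/dpkg"),
    ("NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\msiexec.exe"),
}

# Assumed list of locations holding key binary/configuration files; severity is
# raised when a command line or audited object falls under one of them.
WATCHED = ("/etc/", "/usr/bin/", "C:\\Windows\\System32\\", "C:\\Program Files\\")

# Constructed sample telemetry in key=value form: "proc" records stand in for
# process-creation events with command lines; "4670" records stand in for the
# Windows Security Log DACL-change event. All hosts, users and paths are made up.
SAMPLE_LOGS = [
    'host=web01 event=proc user=root image=/usr/bin/dpkg cmdline="chmod 755 /usr/bin/curl"',
    'host=web01 event=proc user=www-data image=/bin/bash cmdline="chmod 777 /etc/app/app.conf"',
    'host=db01 event=proc user=alice image=/bin/bash cmdline="chown alice /home/alice/notes.txt"',
    r'host=ws07 event=proc user=CORP\bob image=C:\Windows\System32\cmd.exe cmdline="icacls C:\Windows\System32\example.exe /grant Users:F"',
    r'host=ws07 event=4670 user=CORP\bob object=C:\Windows\System32\example.exe process=C:\Windows\System32\icacls.exe',
]


def parse_line(line):
    """Split a key=value record; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def touches_watched(text):
    """True if the text references one of the watched locations (case-insensitive)."""
    low = text.lower()
    return any(w.lower() in low for w in WATCHED)


def analyze(lines):
    """Flag permission-tool use outside the baseline and DACL-change audit events,
    then mark audit events corroborated by a tool run from the same host and user."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("event") == "proc":
            cmd = rec.get("cmdline", "")
            if not PERM_TOOL.search(cmd):
                continue
            if (rec.get("user"), rec.get("image")) in BASELINE_ALLOW:
                continue                       # matches known-good activity
            alerts.append({"host": rec["host"], "user": rec["user"], "kind": "perm_tool",
                           "detail": cmd,
                           "severity": "high" if touches_watched(cmd) else "low"})
        elif rec.get("event") == "4670":
            obj = rec.get("object", "")
            alerts.append({"host": rec["host"], "user": rec["user"], "kind": "dacl_changed",
                           "detail": obj,
                           "severity": "high" if touches_watched(obj) else "low"})
    # Correlation step: a DACL audit event is stronger evidence when the same
    # host/user also shows up running one of the permission utilities.
    tool_actors = {(a["host"], a["user"]) for a in alerts if a["kind"] == "perm_tool"}
    for a in alerts:
        if a["kind"] == "dacl_changed":
            a["corroborated"] = (a["host"], a["user"]) in tool_actors
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(a)
```

On the sample data the root/dpkg chmod is suppressed by the baseline, the chown in a home directory is reported at low severity, and the two changes under /etc and System32 are reported high, with the 4670 record marked as corroborated by the matching icacls process record. The allow-list and watched paths are the parts that need tuning per environment; the page's point about false positives is exactly that those two lists do most of the work.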

References