File Permissions Modification
File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementations vary by platform, but they generally designate explicitly which users and groups can perform which actions (e.g., read, write, execute).
Adversaries may modify file permissions/attributes to evade intended DACLs. Modifications may include changing specific access rights, which, depending on the file's existing permissions, may require taking ownership of the file and/or elevated permissions such as Administrator/root; the goal is to enable malicious activity such as modifying, replacing, or deleting specific files. Specific file modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
| Name | Description |
|---|---|
| APT32 | APT32's macOS backdoor changes the permission of the file it wants to execute to 755. |
| JPIN | JPIN can use the command-line utility cacls.exe to change file permissions. |
Monitor and investigate attempts to modify DACLs and file ownership, such as use of icacls, takeown, attrib, and PowerShell Set-Acl in Windows and chmod/chown in macOS/Linux. Many of these are built-in system utilities and may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
Consider enabling file permission change auditing on folders containing key binary/configuration files. Windows Security Log Event ID 4670 is recorded when the DACL on an audited object is modified.
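Detection logic for the guidance above, as an added example that is not part of the original page: it triages constructed Windows process-creation records (Event ID 4688, the standard source for command lines, not named on the page) and DACL-change records (Event ID 4670) against the utilities listed, a constructed set of key file paths, and a constructed baseline of accounts, so routine administrative use is suppressed while permission changes to key files by other accounts are raised. The paths, account names, and the flat event shape are assumptions.

```python
import re
import shlex
# Constructed examples of key binary/configuration paths; adjust per environment.
SENSITIVE_PATHS = (r"c:\programdata\exampleapp\config.xml", "/etc/exampleapp/app.conf")
# Utilities the detection guidance names as common DACL/ownership modifiers.
PERM_TOOLS = {"icacls", "cacls", "takeown", "attrib", "chmod", "chown"}
SET_ACL_RE = re.compile(r"\bset-acl\b", re.IGNORECASE)
# Constructed baseline of accounts that run these tools during normal operations.
BASELINE_ACCOUNTS = {r"NT AUTHORITY\SYSTEM", r"CORP\svc-patching", "root"}

def norm(path):
    return path.lower().replace("\\", "/")

def invoked_tool(cmdline):
    """Name of the permission tool a command line runs, or None."""
    if SET_ACL_RE.search(cmdline):
        return "set-acl"
    try:  # posix=False keeps Windows backslashes and quoted paths intact
        argv = shlex.split(cmdline, posix=False) or [""]
    except ValueError:  # unbalanced quotes in a malformed command line
        return None
    exe = norm(argv[0].strip('"')).rsplit("/", 1)[-1].removesuffix(".exe")
    return exe if exe in PERM_TOOLS else None

def assess(event):
    """Classify a 4688 (process creation) or 4670 (DACL change) record."""
    if event["id"] == 4670:
        target = event["object"]
    elif event["id"] == 4688 and invoked_tool(event["cmdline"]):
        target = event["cmdline"]
    else:
        return "ignore"
    sensitive = any(norm(p) in norm(target) for p in SENSITIVE_PATHS)
    baseline = event["account"] in BASELINE_ACCOUNTS
    if sensitive and not baseline:
        return "alert"    # key file touched by an account outside the baseline
    if sensitive or not baseline:
        return "review"   # one weak indicator; correlate with other activity
    return "ignore"       # routine tool use by a baseline account

# Constructed sample records in the shape a SIEM might normalise them to.
SAMPLE_EVENTS = [
    {"id": 4688, "account": r"CORP\jdoe",
     "cmdline": r'icacls "C:\ProgramData\ExampleApp\config.xml" /grant jdoe:F'},
    {"id": 4670, "account": r"CORP\jdoe", "object": r"C:\Users\jdoe\notes.txt"},
    {"id": 4688, "account": "root", "cmdline": "chmod 755 /tmp/build/output"},
]

def triage(events):
    return [(assess(e), e["account"]) for e in events if assess(e) != "ignore"]
```

Running `triage(SAMPLE_EVENTS)` raises the icacls change to the key config file as an alert, leaves the 4670 on a user's own file for review, and suppresses root's chmod in a scratch directory.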