File and Directory Permissions Modification
File and directory permissions are commonly managed by discretionary access control lists (DACLs) specified by the file or directory owner. File and directory DACL implementations may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.).   
Adversaries may modify file or directory permissions/attributes to evade intended DACLs.   Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions such as Administrator/root depending on the file or directory's existing permissions to enable malicious activity such as modifying, replacing, or deleting specific files/directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Monitor and investigate attempts to modify DACLs and file/directory ownership, such as use of icacls , takeown , attrib , and PowerShell Set-Acl  in Windows and chmod /chown  in macOS/Linux. Many of these are built-in system utilities and may generate high false positive alerts, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. Windows Security Log events (Event ID 4670) are used when DACLs are modified. 
- Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018.
- Microsoft. (2018, May 30). File Security and Access Rights. Retrieved August 19, 2018.
- Tutorials Point. (n.d.). Unix / Linux - File Permission / Access Modes. Retrieved August 19, 2018.
- Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.
- Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
- Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
- Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Plett, C. et al.. (2017, October 17). icacls. Retrieved August 19, 2018.
- Plett, C. et al.. (2017, October 15). takeown. Retrieved August 19, 2018.
- Plett, C. et al.. (2017, October 15). attrib. Retrieved August 19, 2018.
- Microsoft. (n.d.). Set-Acl. Retrieved August 19, 2018.
- MacKenzie, D. & Meyering, J. (n.d.). chmod(1) - Linux man page. Retrieved August 19, 2018.
- MacKenzie, D. & Meyering, J. (n.d.). chown(1) - Linux man page. Retrieved August 19, 2018.
- Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018.