Detect File and Directory Permissions Modification
File and directory permissions are commonly managed by discretionary access control lists (DACLs) specified by the file or directory owner. File and directory DACL implementations vary by platform, but they generally designate explicitly which actions (i.e. read, write, execute, etc.) specific users or groups may perform.
Adversaries may modify file or directory permissions/attributes to evade the intended DACLs. Modifications may include changing specific access rights, which, depending on the file or directory's existing permissions, may require taking ownership of it and/or elevated permissions such as Administrator/root. The goal is to enable malicious activity such as modifying, replacing, or deleting specific files or directories. Such permission modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features or Logon Scripts, or tainting/hijacking other instrumental binary or configuration files.
ID: T1222
Tactic: Defense Evasion
Platform: Linux, macOS, Windows
Permissions Required: Administrator, SYSTEM, User, root
Data Sources: File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Defense Bypassed: File system access controls
Detecting File and Directory Permissions Procedure Examples
APT32 : APT32’s macOS backdoor changes the permission of the file it wants to execute to 755.
JPIN : JPIN can use the command-line utility cacls.exe to change file permissions.
OSX/Shlayer : OSX/Shlayer can use the chmod utility to set a .app file as executable.
WannaCry : WannaCry uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and grant all users full access controls.
Mitigation
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
Detection
Monitor and investigate attempts to modify DACLs and file/directory ownership, such as the use of icacls, takeown, attrib, and PowerShell Set-Acl on Windows and chmod/chown on macOS/Linux. Many of these are built-in system utilities and may generate a high volume of false-positive alerts, so compare against baseline knowledge of how the systems are typically used and, where possible, correlate permission modification events with other indications of malicious activity.
Consider enabling file/directory permission change auditing on folders containing key binary/configuration files. Windows Security Log Event ID 4670 is logged when the DACL on an object is modified.
You can also check out other free Splunk detection rules on our blog.
The Splunk search for File and Directory Permissions Modification (Sysmon process-creation events, EventCode 1, where the image is one of the permission utilities named above or the command line contains a /grant switch):
index=windows source="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 Image IN ("*\\icacls.exe", "*\\takeown.exe", "*\\attrib.exe")) OR (EventCode=1 CommandLine="*/grant*")
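The same detection logic as the Splunk search above, as an added Python example (not from the original post or from Splunk), run over a few constructed Sysmon-style records: the flattened Key=Value|Key=Value line format, the sample paths and the command lines are assumptions for illustration only.

```python
import re
from typing import Iterable, List, Dict

# Image names and command-line pattern mirrored from the Splunk search on this page.
SUSPICIOUS_IMAGES = {"icacls.exe", "takeown.exe", "attrib.exe"}
# Case-insensitive, like the wildcard match CommandLine="*/grant*" in the search.
GRANT_PATTERN = re.compile(r"/grant", re.IGNORECASE)


def parse_sysmon_line(line: str) -> Dict[str, str]:
    """Parse a flattened 'Key=Value|Key=Value' Sysmon record (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_permission_modification(event: Dict[str, str]) -> bool:
    """Apply the page's detection logic to one Sysmon process-creation event."""
    if event.get("EventCode") != "1":       # only process creation (Sysmon Event ID 1)
        return False
    image = event.get("Image", "")
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in SUSPICIOUS_IMAGES:       # Image IN ("*\icacls.exe", "*\takeown.exe", "*\attrib.exe")
        return True
    return bool(GRANT_PATTERN.search(event.get("CommandLine", "")))  # CommandLine="*/grant*"


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the events (as dicts) that match, in input order."""
    return [e for e in map(parse_sysmon_line, lines) if is_permission_modification(e)]


# Constructed sample log lines, not real telemetry.
SAMPLE_LOG = [
    "EventCode=1|Image=C:\\Windows\\System32\\icacls.exe|CommandLine=icacls . /grant Everyone:F /T /C /Q",
    "EventCode=1|Image=C:\\Windows\\System32\\attrib.exe|CommandLine=attrib +h update.dat",
    "EventCode=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe notes.txt",
    "EventCode=1|Image=C:\\Program Files\\App\\setup.exe|CommandLine=setup.exe /GRANT Users:RX",
    "EventCode=3|Image=C:\\Windows\\System32\\icacls.exe|CommandLine=icacls.exe",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["Image"], "->", hit["CommandLine"])
```

The fourth record matches on the command line alone, which is why the search keeps the /grant clause separate from the image list; the last record is a network-connection event and is ignored.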