T1222.002: Linux and Mac File and Directory Permissions Modification

Data from MITRE ATT&CK®:

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).

Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Unix Shell Configuration Modification or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.(Citation: 20 macOS Common Tools and Techniques)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

File Metadata (File)

Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Chmod through c script (freebsd)

linux

Chmod through c script

macos linux

chmod - Change file or folder mode (numeric mode)

linux macos

chmod - Change file or folder mode (numeric mode) recursively

linux macos

chflags - Remove immutable file attribute

linux

chmod - Change file or folder mode (symbolic mode) recursively

linux macos

chown - Change file or folder mode ownership only

linux macos

chown - Change file or folder ownership and group recursively

macos linux

chattr - Remove immutable file attribute

macos linux

Chown through c script (freebsd)

linux

chown - Change file or folder ownership and group

macos linux

Chown through c script

macos linux

chmod - Change file or folder mode (symbolic mode)

linux macos

chown - Change file or folder ownership recursively

macos linux

Chmod Suspicious Directory

linux process creation

File or Folder Permissions Change

linux

Remove Immutable File Attribute

linux process creation

Remove Immutable File Attribute - Auditd

linux