T1222.001: Windows File and Directory Permissions Modification
| View on MITRE ATT&CK | T1222.001 |
|---|---|
| Tactic(s) | Defense Evasion |
Data from MITRE ATT&CK®:
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)
Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.
© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
Cyber Threat Graph Context
Explore how this ATT&CK Technique relates to the wider threat graph
Reporting on this Technique
APT40 Advisory - PRC MSS tradecraft in action
This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...
Mitigations for this technique
MITRE ATT&CK Mitigations
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.How to detect this technique
MITRE ATT&CK Data Components
File Metadata (File)
Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.Command Execution (Command)
The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )Process Creation (Process)
The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)Active Directory Object Modification (Active Directory)
Changes made to an active directory object (ex: Windows EID 5163 or 5136)Control Validation Tests for this Technique
Use Atomic Red Team tests to test your defenses against this technique.
Sigma Detections for this Technique
SP800-53 Controls
See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.