T1222.md

T1222 - File Permissions Modification

Description from ATT&CK

File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementation may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.). (Citation: Microsoft DACL May 2018) (Citation: Microsoft File Rights May 2018) (Citation: Unix File Permissions)

Adversaries may modify file permissions/attributes to evade intended DACLs. (Citation: Hybrid Analysis Icacls1 June 2018) (Citation: Hybrid Analysis Icacls2 May 2018) Modifications may include changing specific access rights, which may require taking ownership of a file and/or elevated permissions such as Administrator/root depending on the file's existing permissions to enable malicious activity such as modifying, replacing, or deleting specific files. Specific file modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.

Atomic Tests

• Atomic Test #1 - Take ownership using takeown utility

• Atomic Test #2 - Take ownership recursively using takeown utility

• Atomic Test #3 - cacls - Grant permission to specified user or group

• Atomic Test #4 - cacls - Grant permission to specified user or group recursively

• Atomic Test #5 - icacls - Grant permission to specified user or group

• Atomic Test #6 - icacls - Grant permission to specified user or group recursively

• Atomic Test #7 - attrib - Remove read-only attribute

• Atomic Test #8 - chmod - Change file or folder mode (numeric mode)

• Atomic Test #9 - chmod - Change file or folder mode (symbolic mode)

• Atomic Test #10 - chmod - Change file or folder mode (numeric mode) recursively

• Atomic Test #11 - chmod - Change file or folder mode (symbolic mode) recursively

• Atomic Test #12 - chown - Change file or folder ownership and group

• Atomic Test #13 - chown - Change file or folder ownership and group recursively

• Atomic Test #14 - chown - Change file or folder mode ownership only

• Atomic Test #15 - chown - Change file or folder ownership recursively

• Atomic Test #16 - chattr - Remove immutable file attribute

Atomic Test #1 - Take ownership using takeown utility

Modifies the filesystem permissions of the specified file or folder to take ownership of the object.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
file_folder_to_own	Path of the file or folder for takeown to take ownership.	path	C:\AtomicRedTeam\atomics\T1222\T1222.yaml

Run it with command_prompt!

takeown.exe /f #{file_folder_to_own}

Atomic Test #2 - Take ownership recursively using takeown utility

Modifies the filesystem permissions of the specified folder to take ownership of it and its contents.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
folder_to_own	Path of the folder for takeown to take ownership.	path	C:\AtomicRedTeam\atomics\T1222

Run it with command_prompt!

takeown.exe /f #{folder_to_own} /r

Atomic Test #3 - cacls - Grant permission to specified user or group

Modifies the filesystem permissions of the specified file or folder to allow the specified user or group Full Control.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder to change permissions.	path	C:\AtomicRedTeam\atomics\T1222\T1222.yaml
user_or_group	User or group to allow full control	string	Everyone

Run it with command_prompt!

cacls.exe #{file_or_folder} /grant #{user_or_group}:F

Atomic Test #4 - cacls - Grant permission to specified user or group recursively

Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder to change permissions.	path	C:\AtomicRedTeam\atomics\T1222
user_or_group	User or group to allow full control	string	Everyone

Run it with command_prompt!

cacls.exe #{file_or_folder} /grant #{user_or_group}:F /t

Atomic Test #5 - icacls - Grant permission to specified user or group

Modifies the filesystem permissions of the specified file or folder to allow the specified user or group Full Control.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder to change permissions.	path	C:\AtomicRedTeam\atomics\T1222\T1222.yaml
user_or_group	User or group to allow full control	string	Everyone

Run it with command_prompt!

icacls.exe #{file_or_folder} /grant #{user_or_group}:F

Atomic Test #6 - icacls - Grant permission to specified user or group recursively

Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder to change permissions.	path	C:\AtomicRedTeam\atomics\T1222
user_or_group	User or group to allow full control	string	Everyone

Run it with command_prompt!

icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t

Atomic Test #7 - attrib - Remove read-only attribute

Removes the read-only attribute from a file or folder using the attrib.exe command.

Supported Platforms: Windows

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder remove attribute.	path	C:\AtomicRedTeam\atomics\T1222

Run it with command_prompt!

attrib.exe -r #{file_or_folder}

Atomic Test #8 - chmod - Change file or folder mode (numeric mode)

Changes a file or folder's permissions using chmod and a specified numeric mode.

Supported Platforms: macOS, Linux

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder	path	/tmp/AtomicRedTeam/atomics/T1222
numeric_mode	Specified numeric mode value	string	755

Run it with bash!

chmod #{numeric_mode} #{file_or_folder}

Atomic Test #9 - chmod - Change file or folder mode (symbolic mode)

Changes a file or folder's permissions using chmod and a specified symbolic mode.

Supported Platforms: macOS, Linux

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder	path	/tmp/AtomicRedTeam/atomics/T1222
symbolic_mode	Specified symbolic mode value	string	a+w

Run it with bash!

chmod #{symbolic_mode} #{file_or_folder}

Atomic Test #10 - chmod - Change file or folder mode (numeric mode) recursively

Changes a file or folder's permissions recursively using chmod and a specified numeric mode.

Supported Platforms: macOS, Linux

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder	path	/tmp/AtomicRedTeam/atomics/T1222
numeric_mode	Specified numeric mode value	string	755

Run it with bash!

chmod #{numeric_mode} #{file_or_folder} -R

Atomic Test #11 - chmod - Change file or folder mode (symbolic mode) recursively

Changes a file or folder's permissions recursively using chmod and a specified symbolic mode.

Supported Platforms: macOS, Linux

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder	path	/tmp/AtomicRedTeam/atomics/T1222
symbolic_mode	Specified symbolic mode value	string	a+w

Run it with bash!

chmod #{symbolic_mode} #{file_or_folder} -R

Atomic Test #12 - chown - Change file or folder ownership and group

Changes a file or folder's ownership and group information using chown.

Supported Platforms: macOS, Linux

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder	path	/tmp/AtomicRedTeam/atomics/T1222/T1222.yaml
owner	Username of desired owner	string	root
group	Group name of desired group	string	root

Run it with bash!

chown #{owner}:#{group} #{file_or_folder}

Atomic Test #13 - chown - Change file or folder ownership and group recursively

Changes a file or folder's ownership and group information recursively using chown.

Supported Platforms: macOS, Linux

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder	path	/tmp/AtomicRedTeam/atomics/T1222
owner	Username of desired owner	string	root
group	Group name of desired group	string	root

Run it with bash!

chown #{owner}:#{group} #{file_or_folder} -R

Atomic Test #14 - chown - Change file or folder mode ownership only

Changes a file or folder's ownership only using chown.

Supported Platforms: macOS, Linux

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder	path	/tmp/AtomicRedTeam/atomics/T1222/T1222.yaml
owner	Username of desired owner	string	root

Run it with bash!

chown #{owner} #{file_or_folder}

Atomic Test #15 - chown - Change file or folder ownership recursively

Changes a file or folder's ownership only recursively using chown.

Supported Platforms: macOS, Linux

Inputs

Name	Description	Type	Default Value
file_or_folder	Path of the file or folder	path	/tmp/AtomicRedTeam/atomics/T1222
owner	Username of desired owner	string	root

Run it with bash!

chown #{owner} #{file_or_folder} -R

Atomic Test #16 - chattr - Remove immutable file attribute

Remove's a file's immutable attribute using chattr. This technique was used by the threat actor Rocke during the compromise of Linux web servers.

Supported Platforms: macOS, Linux

Inputs

Name	Description	Type	Default Value
file_to_modify	Path of the file	path	/var/spool/cron/root

Run it with sh!

chattr -i #{file_to_modify}