Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
52 lines (42 sloc) 2.96 KB

T1222 - File Permissions Modification

Description from ATT&CK

File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementation may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.). (Citation: Microsoft DACL May 2018) (Citation: Microsoft File Rights May 2018) (Citation: Unix File Permissions)

Adversaries may modify file permissions/attributes to evade intended DACLs. (Citation: Hybrid Analysis Icacls1 June 2018) (Citation: Hybrid Analysis Icacls2 May 2018) Modifications may include changing specific access rights, which may require taking ownership of a file and/or elevated permissions such as Administrator/root depending on the file's existing permissions to enable malicious activity such as modifying, replacing, or deleting specific files. Specific file modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.

How to Detect

Simulating the attack

chmod 766 test1.txt
chmod u+x test1.txt
chmod o-x test1.txt
chown ec2-user:ec2-user test1.txt

Data sources required to detect the attack

auditlogs (audit.rules)

bash_history logs

Splunk Queries to detect the attack


index=linux sourcetype=linux_audit syscall=90 OR syscall=91 OR sycall=268 | table msg,syscall,syscall_name,success,auid,comm,exe
index=linux sourcetype=linux_audit syscall=92 OR syscall=93 OR syscall=94 OR syscall=260 comm!=splunkd | table

Audit Rules:

-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod


index=linux sourcetype="bash_history" bash_command="chmod *" | table host,user_name,bash_command
index=linux sourcetype="bash_history" bash_command="chown *" | table host,user_name,bash_command



These kind of audit rules can be too noisy if not filtered properly. Hence, it is important to understand what is normal in the environment and create the whitelit based on the same to reduce the noise. If you can se, I have already used one filter in the query comm!=splunkd as splunkd keeps on making the systemcall 93 at regular interval, that may be valid/normal in my environment.

Moroever, the splunk queries can be written in multiple ways to catch the same thing. For example, index=linux sourcetype=linux_audit key=perm_mod will give the same results as index=linux sourcetype=linux_audit syscall=90 OR syscall=91 OR sycall=268

You can’t perform that action at this time.