T1222 - File Permissions Modification
File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementation may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.). (Citation: Microsoft DACL May 2018) (Citation: Microsoft File Rights May 2018) (Citation: Unix File Permissions)
Adversaries may modify file permissions/attributes to evade intended DACLs. (Citation: Hybrid Analysis Icacls1 June 2018) (Citation: Hybrid Analysis Icacls2 May 2018) Modifications may include changing specific access rights, which may require taking ownership of a file and/or elevated permissions such as Administrator/root depending on the file's existing permissions to enable malicious activity such as modifying, replacing, or deleting specific files. Specific file modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.
How to Detect
Simulating the attack
chmod 766 test1.txt chmod u+x test1.txt chmod o-x test1.txt
chown ec2-user:ec2-user test1.txt
Data sources required to detect the attack
Splunk Queries to detect the attack
index=linux sourcetype=linux_audit syscall=90 OR syscall=91 OR sycall=268 | table msg,syscall,syscall_name,success,auid,comm,exe
index=linux sourcetype=linux_audit syscall=92 OR syscall=93 OR syscall=94 OR syscall=260 comm!=splunkd | table msg,syscall,syscall_name,success,auid,comm,exe
-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod
index=linux sourcetype="bash_history" bash_command="chmod *" | table host,user_name,bash_command
index=linux sourcetype="bash_history" bash_command="chown *" | table host,user_name,bash_command
These kind of audit rules can be too noisy if not filtered properly. Hence, it is important to understand what is normal in the environment and create the whitelit based on the same to reduce the noise. If you can se, I have already used one filter in the query comm!=splunkd as splunkd keeps on making the systemcall 93 at regular interval, that may be valid/normal in my environment.
Moroever, the splunk queries can be written in multiple ways to catch the same thing. For example, index=linux sourcetype=linux_audit key=perm_mod will give the same results as index=linux sourcetype=linux_audit syscall=90 OR syscall=91 OR sycall=268