Home
ATT&CK Techniques
T1222 File and Directory Permissions Modification

T1222 File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, Unix Shell Configuration Modification, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.

Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior)

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
PR.AA-05.02	Privileged system access	Mitigates	T1222	File and Directory Permissions Modification	Comments This diagnostic statement protects against File and Directory Permissions Modification through the use of privileged account management and the use of multi-factor authentication. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-07	Continuous Monitoring	mitigates	T1222	File and Directory Permissions Modification
CM-06	Configuration Settings	mitigates	T1222	File and Directory Permissions Modification
CM-05	Access Restrictions for Change	mitigates	T1222	File and Directory Permissions Modification
SI-07	Software, Firmware, and Information Integrity	mitigates	T1222	File and Directory Permissions Modification
AC-16	Security and Privacy Attributes	mitigates	T1222	File and Directory Permissions Modification
IA-02	Identification and Authentication (Organizational Users)	mitigates	T1222	File and Directory Permissions Modification
SI-04	System Monitoring	mitigates	T1222	File and Directory Permissions Modification
AC-02	Account Management	mitigates	T1222	File and Directory Permissions Modification
AC-03	Access Enforcement	mitigates	T1222	File and Directory Permissions Modification
AC-05	Separation of Duties	mitigates	T1222	File and Directory Permissions Modification
AC-06	Least Privilege	mitigates	T1222	File and Directory Permissions Modification

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
action.malware.variety.Password dumper	Password dumper (extract credential hashes)	related-to	T1222	File and Directory Permissions Modification
action.malware.variety.RAM scraper	RAM scraper or memory parser (capture data from volatile memory)	related-to	T1222	File and Directory Permissions Modification
attribute.confidentiality.data_disclosure	None	related-to	T1222	File and Directory Permissions Modification
action.malware.variety.Disable controls	Disable or interfere with security controls	related-to	T1222	File and Directory Permissions Modification

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
file_integrity_monitoring	Microsoft Defender for Cloud: File Integrity Monitoring	technique_scores	T1222	File and Directory Permissions Modification	Comments This control can detect file and directory permissions modification. References https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview
ai_security_recommendations	Microsoft Defender for Cloud: AI Security Recommendations	technique_scores	T1222	File and Directory Permissions Modification	Comments This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal. References https://learn.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-ai
alerts_for_windows_machines	Alerts for Windows Machines	technique_scores	T1222	File and Directory Permissions Modification	Comments This control provides minimal detection for some of this technique's sub-techniques resulting in an overall score of Minimal. References https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines

GCP Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
policy_intelligence	Policy Intelligence	technique_scores	T1222	File and Directory Permissions Modification	Comments Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. Enforcing the principle of least privilege through Policy Intelligence role recommendations generated by IAM Recommender help admins identify and remove excess permissions from users' principals, improving their resources' security configurations. References ['https://cloud.google.com/policy-intelligence']

AWS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
amazon_inspector	Amazon Inspector	technique_scores	T1222	File and Directory Permissions Modification	Comments The Amazon Inspector Best Practices assessment package can assess security control "Configure permissions for system directories" that prevents privilege escalation by local users and ensures only the root account can modify/execute system configuration information and binaries. Amazon Inspector does not directly protect against system modifications rather it just checks to see if security controls are in place which can inform decisions around hardening the system. Due to this and the fact the security control is only supported for Linux platforms, the score is Minimal. References https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1222.002	Linux and Mac File and Directory Permissions Modification	18
T1222.001	Windows File and Directory Permissions Modification	15