Home
ATT&CK Techniques
T1222 File and Directory Permissions Modification

T1222 File and Directory Permissions Modification Mappings

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, .bash_profile and .bashrc, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
AC-16	Security and Privacy Attributes	Protects	T1222	File and Directory Permissions Modification
AC-2	Account Management	Protects	T1222	File and Directory Permissions Modification
AC-3	Access Enforcement	Protects	T1222	File and Directory Permissions Modification
AC-5	Separation of Duties	Protects	T1222	File and Directory Permissions Modification
AC-6	Least Privilege	Protects	T1222	File and Directory Permissions Modification
CA-7	Continuous Monitoring	Protects	T1222	File and Directory Permissions Modification
CM-5	Access Restrictions for Change	Protects	T1222	File and Directory Permissions Modification
CM-6	Configuration Settings	Protects	T1222	File and Directory Permissions Modification
IA-2	Identification and Authentication (organizational Users)	Protects	T1222	File and Directory Permissions Modification
SI-4	System Monitoring	Protects	T1222	File and Directory Permissions Modification
SI-7	Software, Firmware, and Information Integrity	Protects	T1222	File and Directory Permissions Modification

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
alerts_for_windows_machines	Alerts for Windows Machines	technique_scores	T1222	File and Directory Permissions Modification	Comments This control provides minimal detection for some of this technique's sub-techniques resulting in an overall score of Minimal. References https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows
azure_security_center_recommendations	Azure Security Center Recommendations	technique_scores	T1222	File and Directory Permissions Modification	Comments This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can mitigate a sub-technique of this technique. Due to its Minimal coverage, its score is assessed as Minimal. References https://docs.microsoft.com/en-us/azure/security-center/recommendations-reference https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction
file_integrity_monitoring	File Integrity Monitoring	technique_scores	T1222	File and Directory Permissions Modification	Comments References https://docs.microsoft.com/en-us/azure/security-center/security-center-file-integrity-monitoring

ATT&CK Subtechniques

Technique ID	Technique Name	Number of Mappings
T1222.002	Linux and Mac File and Directory Permissions Modification	13
T1222.001	Windows File and Directory Permissions Modification	13