Skip to content

Latest commit

 

History

History
52 lines (42 loc) · 2.96 KB

T1222.md

File metadata and controls

52 lines (42 loc) · 2.96 KB
Raw

T1222 - File Permissions Modification

Description from ATT&CK

File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. File DACL implementation may vary by platform, but generally explicitly designate which users/groups can perform which actions (ex: read, write, execute, etc.). (Citation: Microsoft DACL May 2018) (Citation: Microsoft File Rights May 2018) (Citation: Unix File Permissions)

Adversaries may modify file permissions/attributes to evade intended DACLs. (Citation: Hybrid Analysis Icacls1 June 2018) (Citation: Hybrid Analysis Icacls2 May 2018) Modifications may include changing specific access rights, which may require taking ownership of a file and/or elevated permissions such as Administrator/root depending on the file's existing permissions to enable malicious activity such as modifying, replacing, or deleting specific files. Specific file modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Logon Scripts, or tainting/hijacking other instrumental binary/configuration files.

How to Detect

Simulating the attack

chmod 766 test1.txt
chmod u+x test1.txt
chmod o-x test1.txt

chown ec2-user:ec2-user test1.txt

Data sources required to detect the attack

auditlogs (audit.rules)

bash_history logs

Splunk Queries to detect the attack

auditlogs(syscalls)

index=linux sourcetype=linux_audit syscall=90 OR syscall=91 OR sycall=268 | table msg,syscall,syscall_name,success,auid,comm,exe

index=linux sourcetype=linux_audit syscall=92 OR syscall=93 OR syscall=94 OR syscall=260 comm!=splunkd | table
msg,syscall,syscall_name,success,auid,comm,exe

Audit Rules:

-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod

bash_history

index=linux sourcetype="bash_history" bash_command="chmod *" | table host,user_name,bash_command

index=linux sourcetype="bash_history" bash_command="chown *" | table host,user_name,bash_command

Caution

Note:

These kind of audit rules can be too noisy if not filtered properly. Hence, it is important to understand what is normal in the environment and create the whitelit based on the same to reduce the noise. If you can se, I have already used one filter in the query comm!=splunkd as splunkd keeps on making the systemcall 93 at regular interval, that may be valid/normal in my environment.

Moroever, the splunk queries can be written in multiple ways to catch the same thing. For example, index=linux sourcetype=linux_audit key=perm_mod will give the same results as index=linux sourcetype=linux_audit syscall=90 OR syscall=91 OR sycall=268