Skip to content

M1022 Restrict File and Directory Permissions

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

Item Value
ID M1022
Version 1.1
Created 06 June 2019
Last Modified 20 May 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Addressed by Mitigation

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege.
enterprise T1548.003 Sudo and Sudo Caching The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege.
enterprise T1548.003 Sudo and Sudo Caching The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege.
enterprise T1548.003 Sudo and Sudo Caching The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege.
enterprise T1098 Account Manipulation -
enterprise T1098.004 SSH Authorized Keys Restrict access to the authorized_keys file.
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.003 Time Providers Consider using Group Policy to configure and block additions/modifications to W32Time DLLs. 2
enterprise T1547.013 XDG Autostart Entries Restrict write access to XDG autostart entries to only select privileged users.
enterprise T1037 Boot or Logon Initialization Scripts Restrict write access to logon scripts to specific administrators.
enterprise T1037.002 Login Hook Restrict write access to logon scripts to specific administrators.
enterprise T1037.003 Network Logon Script Restrict write access to logon scripts to specific administrators.
enterprise T1037.004 RC Scripts Limit privileges of user accounts so only authorized users can edit the rc.common file.
enterprise T1037.005 Startup Items Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered.
enterprise T1543 Create or Modify System Process Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services.
enterprise T1543.001 Launch Agent Set group policies to restrict file permissions to the ~/launchagents folder.4
enterprise T1543.002 Systemd Service Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.
enterprise T1530 Data from Cloud Storage Object Use access control lists on storage systems and objects.
enterprise T1565 Data Manipulation Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.
enterprise T1565.001 Stored Data Manipulation Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.
enterprise T1565.003 Runtime Data Manipulation Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code.
enterprise T1546 Event Triggered Execution -
enterprise T1546.004 Unix Shell Configuration Modification Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.
enterprise T1546.013 PowerShell Profile Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.
enterprise T1222 File and Directory Permissions Modification Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.
enterprise T1222.001 Windows File and Directory Permissions Modification Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.
enterprise T1222.002 Linux and Mac File and Directory Permissions Modification Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.
enterprise T1564 Hide Artifacts -
enterprise T1564.004 NTFS File Attributes Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. 1
enterprise T1574 Hijack Execution Flow Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.
enterprise T1574.004 Dylib Hijacking Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders.
enterprise T1574.007 Path Interception by PATH Environment Variable Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.
enterprise T1574.008 Path Interception by Search Order Hijacking Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.
enterprise T1574.009 Path Interception by Unquoted Path Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.
enterprise T1562 Impair Defenses Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
enterprise T1562.001 Disable or Modify Tools Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.
enterprise T1562.002 Disable Windows Event Logging Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at C:\Windows\system32\Winevt\Logs5, have the proper file permissions for limited, legitimate access and audit policies for detection.
enterprise T1562.004 Disable or Modify System Firewall Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings.
enterprise T1562.006 Indicator Blocking Ensure event tracers/forwarders 3, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls.
enterprise T1070 Indicator Removal on Host Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.
enterprise T1070.001 Clear Windows Event Logs Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.
enterprise T1070.002 Clear Linux or Mac System Logs Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.
enterprise T1070.003 Clear Command History Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.
enterprise T1036 Masquerading Use file system access controls to protect folders such as C:\Windows\System32.
enterprise T1036.003 Rename System Utilities Use file system access controls to protect folders such as C:\Windows\System32.
enterprise T1036.005 Match Legitimate Name or Location Use file system access controls to protect folders such as C:\Windows\System32.
enterprise T1556 Modify Authentication Process Restrict write access to the /Library/Security/SecurityAgentPlugins directory.
enterprise T1055 Process Injection -
enterprise T1055.009 Proc Memory Restrict the permissions on sensitive files such as /proc/[pid]/maps or /proc/[pid]/mem.
enterprise T1563 Remote Service Session Hijacking -
enterprise T1563.001 SSH Hijacking Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities.
enterprise T1053 Scheduled Task/Job -
enterprise T1053.006 Systemd Timers Restrict read/write access to systemd .timer unit files to only select privileged users who have a legitimate need to manage system services.
enterprise T1489 Service Stop Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.
enterprise T1553 Subvert Trust Controls -
enterprise T1553.003 SIP and Trust Provider Hijacking Restrict storage and execution of SIP DLLs to protected directories, such as C:\Windows, rather than user directories.
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.002 Control Panel Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories.
enterprise T1569 System Services Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.
enterprise T1569.002 Service Execution Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.
enterprise T1080 Taint Shared Content Protect shared folders by minimizing users who have write access.
enterprise T1552 Unsecured Credentials Restrict file shares to specific directories with access only to necessary users.
enterprise T1552.001 Credentials In Files Restrict file shares to specific directories with access only to necessary users.
enterprise T1552.004 Private Keys Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access.

References

Back to top