M1022 Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
| Item | Value |
|---|---|
| ID | M1022 |
| Version | 1.1 |
| Created | 06 June 2019 |
| Last Modified | 20 May 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Addressed by Mitigation
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege. |
| enterprise | T1548.003 | Sudo and Sudo Caching | The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege. |
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.004 | SSH Authorized Keys | Restrict access to the authorized_keys file. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.003 | Time Providers | Consider using Group Policy to configure and block additions/modifications to W32Time DLLs. 1 |
| enterprise | T1547.013 | XDG Autostart Entries | Restrict write access to XDG autostart entries to only select privileged users. |
| enterprise | T1037 | Boot or Logon Initialization Scripts | Restrict write access to logon scripts to specific administrators. |
| enterprise | T1037.002 | Login Hook | Restrict write access to logon scripts to specific administrators. |
| enterprise | T1037.003 | Network Logon Script | Restrict write access to logon scripts to specific administrators. |
| enterprise | T1037.004 | RC Scripts | Limit privileges of user accounts so only authorized users can edit the rc.common file. |
| enterprise | T1037.005 | Startup Items | Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered. |
| enterprise | T1543 | Create or Modify System Process | Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services. |
| enterprise | T1543.001 | Launch Agent | Set group policies to restrict file permissions to the ~/launchagents folder.6 |
| enterprise | T1543.002 | Systemd Service | Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. |
| enterprise | T1530 | Data from Cloud Storage | Use access control lists on storage systems and objects. |
| enterprise | T1565 | Data Manipulation | Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. |
| enterprise | T1565.001 | Stored Data Manipulation | Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. |
| enterprise | T1565.003 | Runtime Data Manipulation | Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.004 | Unix Shell Configuration Modification | Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence. |
| enterprise | T1546.013 | PowerShell Profile | Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence. |
| enterprise | T1048 | Exfiltration Over Alternative Protocol | Use access control lists on cloud storage systems and objects. |
| enterprise | T1222 | File and Directory Permissions Modification | Applying more restrictive permissions to files and directories could prevent adversaries from modifying their access control lists. Additionally, ensure that user settings regarding local and remote symbolic links are properly set or disabled where unneeded.7 |
| enterprise | T1222.001 | Windows File and Directory Permissions Modification | Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists. |
| enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.004 | NTFS File Attributes | Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. 2 |
| enterprise | T1574 | Hijack Execution Flow | Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders. |
| enterprise | T1574.004 | Dylib Hijacking | Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders. |
| enterprise | T1574.007 | Path Interception by PATH Environment Variable | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories. |
| enterprise | T1574.008 | Path Interception by Search Order Hijacking | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories. |
| enterprise | T1574.009 | Path Interception by Unquoted Path | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories. |
| enterprise | T1562 | Impair Defenses | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services. |
| enterprise | T1562.001 | Disable or Modify Tools | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services. |
| enterprise | T1562.002 | Disable Windows Event Logging | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at C:\Windows\system32\Winevt\Logs4, have the proper file permissions for limited, legitimate access and audit policies for detection. |
| enterprise | T1562.004 | Disable or Modify System Firewall | Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| enterprise | T1562.006 | Indicator Blocking | Ensure event tracers/forwarders 3, firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. |
| enterprise | T1070 | Indicator Removal | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| enterprise | T1070.001 | Clear Windows Event Logs | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| enterprise | T1070.002 | Clear Linux or Mac System Logs | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| enterprise | T1070.003 | Clear Command History | Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files. |
| enterprise | T1070.008 | Clear Mailbox Data | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| enterprise | T1070.009 | Clear Persistence | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| enterprise | T1036 | Masquerading | Use file system access controls to protect folders such as C:\Windows\System32. |
| enterprise | T1036.003 | Rename System Utilities | Use file system access controls to protect folders such as C:\Windows\System32. |
| enterprise | T1036.005 | Match Legitimate Name or Location | Use file system access controls to protect folders such as C:\Windows\System32. |
| enterprise | T1556 | Modify Authentication Process | Restrict write access to the /Library/Security/SecurityAgentPlugins directory. |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.009 | Proc Memory | Restrict the permissions on sensitive files such as /proc/[pid]/maps or /proc/[pid]/mem. |
| enterprise | T1563 | Remote Service Session Hijacking | - |
| enterprise | T1563.001 | SSH Hijacking | Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities. |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.006 | Systemd Timers | Restrict read/write access to systemd .timer unit files to only select privileged users who have a legitimate need to manage system services. |
| enterprise | T1489 | Service Stop | Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.003 | SIP and Trust Provider Hijacking | Restrict storage and execution of SIP DLLs to protected directories, such as C:\Windows, rather than user directories. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.002 | Control Panel | Restrict storage and execution of Control Panel items to protected directories, such as C:\Windows, rather than user directories. |
| enterprise | T1569 | System Services | Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level. |
| enterprise | T1569.002 | Service Execution | Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level. |
| enterprise | T1080 | Taint Shared Content | Protect shared folders by minimizing users who have write access. |
| enterprise | T1552 | Unsecured Credentials | Restrict file shares to specific directories with access only to necessary users. |
| enterprise | T1552.001 | Credentials In Files | Restrict file shares to specific directories with access only to necessary users. |
| enterprise | T1552.004 | Private Keys | Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the nonexportable flag during RSA key pair generation.5 |
References
-
Mathers, B. (2017, May 31). Windows Time Service Tools and Settings. Retrieved March 26, 2018. ↩
-
Sander, J. (2017, October 12). Attack Step 3: Persistence with NTFS Extended Attributes – File System Attacks. Retrieved March 21, 2018. ↩
-
Microsoft. (2018, May 30). Event Tracing. Retrieved September 6, 2018. ↩
-
Forensics Wiki. (2021, June 19). Windows XML Event Log (EVTX). Retrieved September 13, 2021. ↩
-
Cisco. (2023, February 17). Chapter: Deploying RSA Keys Within a PKI . Retrieved March 27, 2023. ↩
-
Antonio Piazza (4n7m4n). (2021, November 23). Defeating Malicious Launch Persistence. Retrieved April 19, 2022. ↩
-
Microsoft. (2021, October 28). Create symbolic links. Retrieved April 27, 2022. ↩