Description
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)
Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.
Platforms
Mitigations (2)
Privileged Account ManagementM1026
Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users nor will inhibit system functionality.
Restrict File and Directory PermissionsM1022
Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used the icacls command to modify access control to backup servers, providing them with ful... |
| G1046 | Storm-1811 | [Storm-1811](https://attack.mitre.org/groups/G1046) has used `cacls.exe` via batch script to modify file and directory permissions in victim environme... |
Associated Software (10)
| ID | Name | Type | Context |
|---|---|---|---|
| S0201 | JPIN | Malware | [JPIN](https://attack.mitre.org/software/S0201) can use the command-line utility cacls.exe to change file permissions.(Citation: Microsoft PLATINUM Ap... |
| S9002 | Diskpart | Tool | [Diskpart](https://attack.mitre.org/software/S9002) can be used to display, set, or clear attributes of a disk or volume.(Citation: Microsoft_diskpart... |
| S0570 | BitPaymer | Malware | [BitPaymer](https://attack.mitre.org/software/S0570) can use <code>icacls /reset</code> and <code>takeown /F</code> to reset a targeted executable's p... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can modify the binary ACL to prevent security tools from running.(Citation: ESET Grandoreiro Ap... |
| S0693 | CaddyWiper | Malware | [CaddyWiper](https://attack.mitre.org/software/S0693) can modify ACL entries to take ownership of files.(Citation: Cisco CaddyWiper March 2022) |
| S0446 | Ryuk | Malware | [Ryuk](https://attack.mitre.org/software/S0446) can launch <code>icacls <path> /grant Everyone:F /T /C /Q</code> to delete every access-based restrict... |
| S1068 | BlackCat | Malware | [BlackCat](https://attack.mitre.org/software/S1068) can use Windows commands such as `fsutil behavior set SymLinkEvaluation R2L:1` to redirect file sy... |
| S0366 | WannaCry | Malware | [WannaCry](https://attack.mitre.org/software/S0366) uses <code>attrib +h</code> and <code>icacls . /grant Everyone:F /T /C /Q</code> to make some of i... |
| S1180 | BlackByte Ransomware | Malware | [BlackByte Ransomware](https://attack.mitre.org/software/S1180) uses the `mountvol.exe` command to mount volume names and leverages the Microsoft Disc... |
| S0612 | WastedLocker | Malware | [WastedLocker](https://attack.mitre.org/software/S0612) has a command to take ownership of a file and reset the ACL permissions using the <code>takeow... |
References
- Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.
- Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.
- M. Satran, M. Jacobs. (2018, May 30). Access Control Lists. Retrieved February 4, 2020.
- Microsoft. (2018, May 30). DACLs and ACEs. Retrieved August 19, 2018.
Frequently Asked Questions
What is T1222.001 (Windows Permissions)?
T1222.001 is a MITRE ATT&CK technique named 'Windows Permissions'. It belongs to the Defense Impairment tactic(s). Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis...
How can T1222.001 be detected?
Detection of T1222.001 (Windows Permissions) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1222.001?
There are 2 documented mitigations for T1222.001. Key mitigations include: Privileged Account Management, Restrict File and Directory Permissions.
Which threat groups use T1222.001?
Known threat groups using T1222.001 include: Wizard Spider, Storm-1811.