EXPLORE
Sign In
← Back to Explore
T1222

File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which acti...

ESXiLinuxmacOSWindows
22
Detections
3
Sources
0
Threat Actors

BY SOURCE

14elastic6splunk_escu2sigma

PROCEDURES (15)

General Monitoring4 detections

Auto-extracted: 4 detections for general monitoring

Powershell2 detections

Auto-extracted: 2 detections for powershell

Azure2 detections

Auto-extracted: 2 detections for azure

Persist2 detections

Auto-extracted: 2 detections for persist

Persist2 detections

Auto-extracted: 2 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Container1 detections

Auto-extracted: 1 detections for container

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

Container1 detections

Auto-extracted: 1 detections for container

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Cloud Monitoring1 detections

Auto-extracted: 1 detections for cloud monitoring

Exfiltrat1 detections

Auto-extracted: 1 detections for exfiltrat

DETECTIONS (22)

Access Control List Modification via setfacl
elasticlow
Adding Hidden File Attribute via Attrib
elasticlow
Azure Blob Storage Container Access Level Modified
elasticlow
Azure Blob Storage Permissions Modified
elasticmedium
Excessive Usage Of Cacls App
splunk_escu
Executable Bit Set for Potential Persistence Script
elasticmedium
File Execution Permission Modification Detected via Defend for Containers
elasticlow
File made Immutable by Chattr
elasticmedium
File Permission Modification in Writable Directory
elastichigh
GCP Storage Bucket Permissions Modification
elasticmedium
Icacls Deny Command
splunk_escu
ICACLS Grant Command
splunk_escu
Modify ACL permission To Files Or Folder
splunk_escu
Permission Modification using Takeown App
splunk_escu
Potential Unauthorized Access via Wildcard Injection Detected
elasticmedium
PowerShell Script Change Permission Via Set-Acl - PsScript
sigmalow
PowerShell Set-Acl On Windows Folder - PsScript
sigmahigh
Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
elasticmedium
Suspicious File Made Executable via Chmod Inside A Container
elasticlow
System Binary Path File Permission Modification
elasticlow
System File Ownership Change
elasticmedium
Windows Common Abused Cmd Shell Risk Behavior
splunk_escu