EXPLORE

← Back to Explore

T1222.002

Linux and Mac File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which acti...

macOSLinux

17

Detections

3

Sources

3

Threat Actors

BY SOURCE

9elastic4sigma4splunk_escu

PROCEDURES (13)

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

General Monitoring2 detections

Auto-extracted: 2 detections for general monitoring

Privilege2 detections

Auto-extracted: 2 detections for privilege

Unusual2 detections

Auto-extracted: 2 detections for unusual

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Tamper1 detections

Auto-extracted: 1 detections for tamper

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Container1 detections

Auto-extracted: 1 detections for container

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

Persist1 detections

Auto-extracted: 1 detections for persist

Container1 detections

Auto-extracted: 1 detections for container

THREAT ACTORS (3)

APT32 Rocke TeamTNT

DETECTIONS (17)

Access Control List Modification via setfacl

Chmod Suspicious Directory

Executable Bit Set for Potential Persistence Script

File Execution Permission Modification Detected via Defend for Containers

File made Immutable by Chattr

File or Folder Permissions Change

File Permission Modification in Writable Directory

Linux Auditd Change File Owner To Root

Linux Auditd File Permission Modification Via Chmod

Linux Auditd File Permissions Modification Via Chattr

Linux Change File Owner To Root

Potential Unauthorized Access via Wildcard Injection Detected

Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities

Remove Immutable File Attribute

Remove Immutable File Attribute - Auditd

Suspicious File Made Executable via Chmod Inside A Container

System Binary Path File Permission Modification