Windows File and Directory Permissions Modification

Information

• Name: Windows File and Directory Permissions Modification

• ID: T1222.001

• Tactics: TA0005

• Technique: T1222

Introduction

Windows File and Directory Permissions Modification (T1222.001) is a sub-technique within the MITRE ATT&CK framework under the parent technique "File and Directory Permissions Modification" (T1222). Attackers utilize this method to alter permissions on files and directories in Windows environments, enabling unauthorized access, persistence, privilege escalation, or disruption of legitimate user access. By modifying access control lists (ACLs), adversaries can grant themselves or other compromised accounts excessive permissions, restrict legitimate user access, or conceal malicious activities.

Deep Dive Into Technique

Windows operating systems rely on Access Control Lists (ACLs) to define permissions for files and folders. ACLs specify which users or groups have permissions to read, write, modify, or execute files and directories. Attackers target these ACLs using built-in Windows commands, scripting languages, or third-party tools to alter permissions maliciously.

Common tools and methods attackers use include:

• icacls.exe: A built-in Windows command-line utility that allows modification of ACLs. Attackers use commands such as:

  Copy

  icacls "C:\SensitiveFolder" /grant attackeruser:F

  This grants full control permissions to the attacker account.

• cacls.exe (deprecated but still usable): Older Windows command-line tool used similarly to icacls, though less common in modern environments:

  Copy

  cacls "C:\SensitiveFolder" /E /G attackeruser:F

• PowerShell scripts: Attackers frequently leverage PowerShell to automate ACL modifications:

  Copy

  $acl = Get-Acl "C:\SensitiveFolder"
  $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("attackeruser","FullControl","Allow")
  $acl.AddAccessRule($rule)
  Set-Acl "C:\SensitiveFolder" $acl

• Third-party exploitation frameworks: Attackers may employ tools like Metasploit or Cobalt Strike to automate the modification of permissions remotely.

Mechanisms attackers leverage include:

• Granting themselves or compromised accounts elevated privileges to sensitive files/directories.

• Denying legitimate users access to critical files, causing operational disruption.

• Concealing malicious payloads by restricting visibility or access to certain files/directories.

When this Technique is Usually Used

Attack scenarios and stages where Windows File and Directory Permissions Modification appear include:

• Privilege Escalation: Attackers modify permissions on system-critical files or directories to escalate privileges from standard user to administrator or SYSTEM level.

• Persistence: Attackers alter permissions to ensure persistent access, preventing administrators from easily removing malicious files or scripts.

• Defense Evasion: Restricting visibility or access to files/directories containing malicious payloads, effectively hiding malware from security teams and antivirus solutions.

• Impact (Denial of Service): Attackers may deny legitimate users access to critical resources, causing disruption of normal business operations.

• Credential Access: Modifying permissions on sensitive files containing credentials or authentication tokens, enabling easy access to sensitive data.

How this Technique is Usually Detected

Detection methods, tools, and indicators of compromise (IoCs) for identifying this technique include:

• Monitoring Windows Security Event Logs:

  • Event ID 4670: Indicates permissions on an object were changed.

  • Event ID 4663: Indicates an attempt to access an object, useful for identifying suspicious access patterns.

  • Event ID 4656: Indicates a handle to an object was requested.

• File Integrity Monitoring (FIM) Tools:

  • Detect unauthorized changes to ACLs on critical files/directories.

  • Tools like OSSEC, Tripwire, and SolarWinds Security Event Manager can monitor and alert on ACL changes.

• Endpoint Detection and Response (EDR) Solutions:

  • Detect and alert on suspicious execution of tools like icacls.exe, cacls.exe, and suspicious PowerShell scripts modifying ACLs.

  • Identify unusual processes or scripts accessing sensitive directories.

• Behavioral Analytics and SIEM Correlation:

  • Correlate ACL modification events with other suspicious behaviors (e.g., privilege escalation attempts, unusual logins, lateral movement).

  • Tools like Splunk, ELK Stack, Microsoft Sentinel, and IBM QRadar can be configured to alert on suspicious ACL changes.

Indicators of Compromise (IoCs):

• Unusual or unexpected changes in ACLs on sensitive files/directories.

• Execution of ACL modification utilities (icacls.exe, cacls.exe) from unusual locations or by unexpected users.

• Suspicious PowerShell or command-line activities modifying permissions.

Why it is Important to Detect This Technique

Early detection of Windows File and Directory Permissions Modification is critical due to its severe potential impacts:

• Privilege Escalation: Attackers gaining administrative or SYSTEM-level privileges can lead to complete compromise of the system and network.

• Persistence: Attackers maintaining persistent access can lead to long-term compromise, data theft, and prolonged malicious activities.

• Defense Evasion: Modifying ACLs can enable attackers to hide malware from antivirus and security monitoring tools, complicating incident response and remediation.

• Operational Disruption: Denying legitimate user access to critical files can disrupt business operations, leading to downtime and financial losses.

• Data Theft and Leakage: Attackers gaining access to sensitive files can result in significant data breaches, compliance violations, and reputational damage.

Detecting this technique early enables security teams to:

• Quickly respond and remediate unauthorized access attempts.

• Limit the scope and impact of potential breaches.

• Maintain operational continuity and protect sensitive data.

Examples

Real-world examples demonstrating Windows File and Directory Permissions Modification:

• FIN7 Group:

  • Attackers leveraged PowerShell scripts to modify ACLs on compromised hosts, granting themselves persistent administrative access.

  • Impact included theft of sensitive financial information and prolonged unauthorized access.

• APT29 (Cozy Bear):

  • Attackers used icacls.exe to grant permissions to malicious payloads, ensuring persistence and evading detection.

  • Resulted in espionage campaigns targeting government and private-sector entities.

• Ryuk Ransomware:

  • Attackers modified ACLs using PowerShell and icacls to deny legitimate users access to critical files, facilitating data encryption and operational disruption.

  • Caused significant financial and operational damage across multiple industries.

• Conti Ransomware:

  • Utilized scripts to modify permissions, granting full control to attacker-controlled accounts and denying access to legitimate users.

  • Enabled rapid propagation and encryption of critical data, causing extensive disruption and financial loss.

These examples underline the importance of monitoring ACL modifications and highlight how attackers leverage this technique across various attack stages and scenarios.