Linux and Mac File and Directory Permissions Modification

Information

• Name: Linux and Mac File and Directory Permissions Modification

• ID: T1222.002

• Tactics: TA0005

• Technique: T1222

Introduction

Linux and Mac File and Directory Permissions Modification (T1222.002) is a sub-technique within the MITRE ATT&CK framework, categorized under the broader technique of File and Directory Permissions Modification (T1222). Adversaries leverage this sub-technique to alter file system permissions on Linux and macOS operating systems, enabling unauthorized access, persistence, privilege escalation, or further lateral movement. Modifying permissions allows attackers to bypass security controls, hide their presence, and maintain long-term access to compromised systems.

Deep Dive Into Technique

Linux and macOS operating systems utilize POSIX-based file permission models, which define access rights through user, group, and others permissions, represented numerically or symbolically. Attackers exploit this permission structure by modifying permissions using built-in system commands or scripts to achieve their objectives. This can involve:

• Adjusting permissions using standard command-line utilities such as:

  • chmod: Changing file and directory permissions numerically (e.g., chmod 777) or symbolically (e.g., chmod +x).

  • chown: Changing ownership of files and directories to gain or retain control.

  • chgrp: Modifying group ownership to grant broader access.

  • setfacl: Adjusting Access Control Lists (ACLs) to grant granular permissions beyond traditional POSIX permissions.

• Altering permissions on sensitive files or directories to escalate privileges, such as setting SUID (Set User ID) or SGID (Set Group ID) bits:

  • Example command: chmod u+s /path/to/binary

  • This allows execution of binaries with elevated privileges.

• Modifying permissions to conceal malicious binaries or scripts within legitimate system directories, making them harder to detect.

• Changing permissions to allow persistent access, even after system reboots or security updates, by ensuring malicious scripts or binaries remain executable.

Attackers often incorporate these permission changes into automated scripts or malware payloads to streamline exploitation and persistence.

When this Technique is Usually Used

This sub-technique is typically employed in various attack scenarios and stages, including:

• Privilege Escalation: Attackers modify permissions of binaries or scripts to execute them with elevated privileges, facilitating further compromise.

• Persistence: Attackers ensure their scripts or malware remain executable and accessible across reboots or updates, maintaining long-term footholds.

• Defense Evasion: Adjusting permissions on malicious files and directories to hide them from standard user or administrative tools, reducing visibility and detection likelihood.

• Credential Access: Modifying permissions on sensitive files (e.g., SSH keys, password files, configuration files) to grant unauthorized access to credentials or sensitive information.

• Lateral Movement: Changing permissions on shared directories or files to enable movement into adjacent systems or services within the network.

This sub-technique is commonly observed in targeted attacks, advanced persistent threats (APTs), insider threats, and opportunistic exploitation scenarios.

How this Technique is Usually Detected

Detection methods for Linux and Mac File and Directory Permissions Modification include:

• File Integrity Monitoring (FIM): Tools such as Tripwire, AIDE, or OSSEC can detect unauthorized permission or ownership changes by continuously monitoring file system states and alerting administrators to deviations.

• Audit Logging and Monitoring: Leveraging built-in audit frameworks like Linux Auditd or macOS Unified Logging System to log permission changes (chmod, chown, setfacl) and monitor for suspicious activity.

• Endpoint Detection and Response (EDR): Advanced endpoint tools (e.g., CrowdStrike Falcon, Carbon Black, SentinelOne) detect anomalous permission changes and correlate them with other suspicious behaviors.

• Security Information and Event Management (SIEM): Centralized logging platforms (e.g., Splunk, ELK Stack, IBM QRadar) ingest logs related to file permission changes and alert security teams to potential threats.

• Behavioral Analysis: Identifying unusual patterns or frequency of permission changes, particularly when associated with sensitive system files or directories.

• Indicators of Compromise (IoCs): Specific IoCs include:

  • Unexpected SUID or SGID bits set on binaries.

  • Sudden permission changes on critical system files or directories (e.g., /etc/passwd, /etc/shadow, /usr/bin/sudo).

  • Unusual ACL modifications granting broad or unauthorized access.

  • Changes to permissions on user directories or SSH-related files (~/.ssh/authorized_keys, /etc/ssh/sshd_config).

Why it is Important to Detect This Technique

Detecting unauthorized file and directory permission modifications is critical due to the significant impacts these changes can have on the security posture of a system or network. Key reasons include:

• Privilege Escalation: Modified permissions can enable attackers to execute commands or binaries at higher privileges, potentially leading to full system compromise.

• Persistence: Attackers can maintain long-term access to compromised systems, complicating remediation efforts and increasing potential damage.

• Data Exfiltration and Confidentiality Risks: Unauthorized permission changes on sensitive files or directories can lead to data leakage, intellectual property theft, or exposure of confidential information.

• Operational Disruption: Attackers may modify permissions to disrupt legitimate operations, potentially causing service outages, degraded performance, or loss of availability.

• Defense Evasion: Permission changes often indicate attempts to bypass security controls or obscure malicious activity, making early detection critical to containment and mitigation.

• Regulatory and Compliance Implications: Unauthorized access or modification of sensitive data can lead to compliance violations, regulatory penalties, and reputational damage.

Early detection and rapid response to unauthorized permission modifications significantly reduce the potential impact and scope of cyber incidents.

Examples

Real-world examples of Linux and Mac File and Directory Permissions Modification include:

• Linux Privilege Escalation via SUID Binaries:

  • Attackers exploit misconfigured permissions by setting the SUID bit on standard binaries (e.g., /usr/bin/find, /usr/bin/vim) to gain root privileges.

  • Example command: chmod u+s /usr/bin/vim

  • Impact: Attackers gain full root-level access, enabling further exploitation and persistence.

• MacOS Malware (Shlayer Trojan):

  • Malicious installers modify permissions and ownership on system directories to persistently execute unauthorized binaries.

  • Example: Attackers use chmod and chown commands to ensure malware persistence in /Applications or /Library directories.

  • Impact: Persistent malware infections, adware distribution, and compromised user privacy.

• Operation WindShift (APT Group Targeting macOS):

  • Attackers altered permissions on macOS systems to hide malicious payloads and ensure persistent execution.

  • Techniques included modifying permissions on Launch Agents and Launch Daemons (~/Library/LaunchAgents, /Library/LaunchDaemons) to facilitate automatic execution at startup.

  • Impact: Persistent espionage activities, data exfiltration, and compromised system integrity.

• Cryptocurrency Mining Malware on Linux Servers:

  • Attackers modify permissions and ownership of mining scripts and binaries to ensure persistent execution and evade detection.

  • Example: Changing permissions to executable (chmod +x) on malicious scripts hidden in temporary or system directories.

  • Impact: Resource exhaustion, increased operational costs, degraded performance, and unauthorized cryptocurrency mining.

These examples illustrate the diverse ways attackers leverage file and directory permission modifications to achieve their objectives, highlighting the importance of proactive detection and response capabilities.