Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions.

Note - this analytic references file permissions, which are not currently in the CAR data model.

ATT&CK Detections

Technique Subtechnique(s) Tactic(s) Level of Coverage
File and Directory Permissions Modification Windows File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification Defense Evasion Moderate

D3FEND Techniques

ID Name
D3-SFA System File Analysis


Windows - Pseudocode (Pseudocode)

Windows environment logs can be noisy, so we take the following into consideration:

  • We need to exclude events generated by the local system (subject security ID “NT AUTHORITY\SYSTEM”) and focus on actual user events.
  • When a permission modification is made for a folder, a new event log is generated for each subfolder and file under that folder. It is advised to group logs based on handle ID or user ID.
  • The Windows security log (event ID 4670) also includes information about the process that modifies the file permissions. It is advised to focus on uncommon process names, and it is also uncommon for real-users to perform this task without a GUI.
log_name == "Security" AND
event_code == "4670" AND
object_type == "File" AND
subject_security_id != "NT AUTHORITY\SYSTEM"

Windows - Splunk (Splunk)

Splunk version of the above pseudocode.

index=__your_windows_security_log_index__ EventCode=4670 Object_Type="File" Security_ID!="NT AUTHORITY\\SYSTEM"

Linux - Pseudocode (Pseudocode)

This looks for any invocations of chmod. Note that this is likely to be more noisy than the Windows-specific implementation, although Linux does not generate logs for system triggered activities like in Windows. In addition, it may be necessary to whitelist cron jobs that regularly run and execute chmod.

processes = search Process:Create
chmod_processes = filter processes where command_line == "chmod *"
output chmod_processes

Logpoint, LogPoint native

LogPoint version of the above pseudocode for Windows.

norm_id=WindowsSysmon channel="Security" event_id=4670 object_type="File" -user_id="S-1-5-18"

Unit Tests

Test Case 1

For Windows - right click on any file and change its permissions under properties. Or, execute the following command: icacls "C:\<fileName>" /grant :F

Test Case 2

For Linux - execute the following command: chmod 777 "fileName"