CAR-2019-07-001: Access Permission Modification
Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and therefore provide admin only rights; also, they may want files to be accessible with lower levels of permissions.
Note - this analytic references file permissions, which are not currently in the CAR data model.
|Technique||Subtechnique(s)||Tactic(s)||Level of Coverage|
|File and Directory Permissions Modification||Windows File and Directory Permissions Modification, Linux and Mac File and Directory Permissions Modification||Defense Evasion||Moderate|
|D3-SFA||System File Analysis|
Windows - Pseudocode (Pseudocode)
Windows environment logs can be noisy, so we take the following into consideration:
- We need to exclude events generated by the local system (subject security ID “NT AUTHORITY\SYSTEM”) and focus on actual user events.
- When a permission modification is made for a folder, a new event log is generated for each subfolder and file under that folder. It is advised to group logs based on handle ID or user ID.
- The Windows security log (event ID 4670) also includes information about the process that modifies the file permissions. It is advised to focus on uncommon process names, and it is also uncommon for real-users to perform this task without a GUI.
log_name == "Security" AND event_code == "4670" AND object_type == "File" AND subject_security_id != "NT AUTHORITY\SYSTEM"
Windows - Splunk (Splunk)
Splunk version of the above pseudocode.
index=__your_windows_security_log_index__ EventCode=4670 Object_Type="File" Security_ID!="NT AUTHORITY\\SYSTEM"
Linux - Pseudocode (Pseudocode)
This looks for any invocations of chmod. Note that this is likely to be more noisy than the Windows-specific implementation, although Linux does not generate logs for system triggered activities like in Windows. In addition, it may be necessary to whitelist cron jobs that regularly run and execute
processes = search Process:Create chmod_processes = filter processes where command_line == "chmod *" output chmod_processes
Logpoint, LogPoint native
LogPoint version of the above pseudocode for Windows.
norm_id=WindowsSysmon channel="Security" event_id=4670 object_type="File" -user_id="S-1-5-18"
Test Case 1
For Windows - right click on any file and change its permissions under properties. Or, execute the following command:
icacls "C:\<fileName>" /grant :F
Test Case 2
For Linux - execute the following command:
chmod 777 "fileName"