T1222.001.md

File metadata and controls

179 lines (101 loc) · 6.38 KB

T1222.001 - Windows File and Directory Permissions Modification

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identify the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)
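The ordered walk over access control entries described above is easiest to see in a small model. The following Python is an added example, not MITRE or Atomic Red Team code; the right bits, SID values other than the well-known Everyone SID, and the `Ace` class are assumptions made for the model. It follows the documented AccessCheck sequence (deny on the first matching access-denied ACE that covers a requested right, accumulate matching access-allowed ACEs, allow once every requested right is covered, implicit deny otherwise), shows why a DACL whose deny ACEs come after allow ACEs does not protect as intended, and models what appending an `Everyone:F` allow ACE does to a previously locked-down object.

```python
"""Toy model of Windows DACL evaluation (added example, not from the page or project)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed right bits for this model only; not the real Windows ACCESS_MASK values.
READ, WRITE, EXECUTE, WRITE_DAC, WRITE_OWNER = 1, 2, 4, 8, 16
FULL_CONTROL = READ | WRITE | EXECUTE | WRITE_DAC | WRITE_OWNER

ALLOW, DENY = "allow", "deny"
EVERYONE = "S-1-1-0"                 # well-known SID for Everyone
ALICE = "S-1-5-21-LAB-1001"          # constructed placeholder SID for a normal user
ADMIN = "S-1-5-21-LAB-500"           # constructed placeholder SID for the owner/admin


@dataclass(frozen=True)
class Ace:
    kind: str      # ALLOW or DENY
    trustee: str   # SID the entry applies to
    mask: int      # rights the entry allows or denies


def check_access(dacl: Optional[List[Ace]], token_sids: Set[str], requested: int) -> bool:
    """Return True if a token holding token_sids is granted every bit in requested."""
    if dacl is None:
        return True                      # NULL DACL: the object is unprotected
    granted = 0
    for ace in dacl:                     # entries are evaluated strictly in list order
        if ace.trustee not in token_sids:
            continue
        if ace.kind == DENY and ace.mask & requested:
            return False                 # first matching deny that overlaps the request wins
        if ace.kind == ALLOW:
            granted |= ace.mask & requested
            if granted == requested:
                return True              # every requested right is now explicitly allowed
    return False                         # empty DACL, or rights left over: implicit deny


def is_canonical(dacl: List[Ace]) -> bool:
    """Canonical order puts explicit deny ACEs before explicit allow ACEs."""
    kinds = [ace.kind for ace in dacl]
    return kinds == sorted(kinds, key=lambda k: 0 if k == DENY else 1)


def canonicalize(dacl: List[Ace]) -> List[Ace]:
    """Stable sort: denies first, allows after, relative order otherwise preserved."""
    return sorted(dacl, key=lambda ace: 0 if ace.kind == DENY else 1)


def grant_full_control(dacl: List[Ace], trustee: str) -> List[Ace]:
    """Model of `icacls <path> /grant <trustee>:F`: append an allow ACE carrying every right."""
    return list(dacl) + [Ace(ALLOW, trustee, FULL_CONTROL)]


# Constructed scenarios used by the demo and the checks.
ALICE_TOKEN = {ALICE, EVERYONE}
NONCANONICAL = [Ace(ALLOW, EVERYONE, READ | WRITE), Ace(DENY, ALICE, WRITE)]
LOCKED_DOWN = [Ace(ALLOW, ADMIN, FULL_CONTROL)]


def demo() -> dict:
    """Collect the interesting outcomes so they can be inspected or asserted on."""
    return {
        # deny after allow: Alice still writes, because the allow satisfied the request first
        "noncanonical_write": check_access(NONCANONICAL, ALICE_TOKEN, WRITE),
        "canonical_write": check_access(canonicalize(NONCANONICAL), ALICE_TOKEN, WRITE),
        "canonical_read": check_access(canonicalize(NONCANONICAL), ALICE_TOKEN, READ),
        # admin-only object before and after a world-wide Full Control grant
        "locked_read": check_access(LOCKED_DOWN, ALICE_TOKEN, READ),
        "opened_write_dac": check_access(grant_full_control(LOCKED_DOWN, EVERYONE), ALICE_TOKEN, WRITE_DAC),
        "null_dacl": check_access(None, ALICE_TOKEN, FULL_CONTROL),
        "empty_dacl": check_access([], ALICE_TOKEN, READ),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'allowed' if outcome else 'denied'}")
```

The `opened_write_dac` case is the point that matters for this technique: once `Everyone:F` is on the object, any account can not only read and write it but also rewrite the DACL itself, so later attempts to tighten permissions can be undone by the same account.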

Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.

Atomic Tests


Atomic Test #1 - Take ownership using takeown utility

Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will be displayed for the folder and each file inside of it.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_folder_to_own | Path of the file or folder for takeown to take ownership of. | path | %temp%\T1222.001_takeown_folder |

Attack Commands: Run with command_prompt!

```cmd
takeown.exe /f #{file_folder_to_own} /r
```

Dependencies: Run with command_prompt!

Description: Test requires a file to take ownership of to be located at (#{file_folder_to_own})
Check Prereq Commands:
```cmd
IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 )
```
Get Prereq Commands:
```cmd
mkdir #{file_folder_to_own}
echo T1222.001_takeown1 >> #{file_folder_to_own}\T1222.001_takeown1.txt
echo T1222.001_takeown2 >> #{file_folder_to_own}\T1222.001_takeown2.txt
```


Atomic Test #2 - cacls - Grant permission to specified user or group recursively

Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If "Access is denied" is displayed it may be because the file or folder doesn't exist. Run the prereq command to create it. Upon successful execution, "Successfully processed 3 files" will be displayed.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_or_folder | Path of the file or folder to change permissions on. | path | %temp%\T1222.001_cacls |
| user_or_group | User or group to allow full control | string | Everyone |

Attack Commands: Run with command_prompt!

```cmd
icacls.exe #{file_or_folder} /grant #{user_or_group}:F
```

Dependencies: Run with command_prompt!

Description: Test requires a file to modify to be located at (#{file_or_folder})
Check Prereq Commands:
```cmd
IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
```
Get Prereq Commands:
```cmd
mkdir #{file_or_folder}
echo T1222.001_cacls1 >> #{file_or_folder}\T1222.001_cacls1.txt
echo T1222.001_cacls2 >> #{file_or_folder}\T1222.001_cacls2.txt
```


Atomic Test #3 - attrib - Remove read-only attribute

Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed. Open the file in File Explorer > Right Click - Properties and observe that the Read Only checkbox is empty.

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_or_folder | Path of the file or folder to remove the attribute from. | path | %temp%\T1222.001_attrib |

Attack Commands: Run with command_prompt!

```cmd
attrib.exe -r #{file_or_folder}\*.* /s
```

Dependencies: Run with command_prompt!

Description: Test requires a file to modify to be located at (#{file_or_folder})
Check Prereq Commands:
```cmd
IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
```
Get Prereq Commands:
```cmd
mkdir #{file_or_folder}
echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
attrib.exe +r #{file_or_folder}\T1222.001_attrib1.txt
attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt
```


Atomic Test #4 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style

Invokes the command line used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone.

Supported Platforms: Windows

Attack Commands: Run with powershell!

```powershell
icacls "C:\*" /grant Everyone:F /T /C /Q
```
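Each of the four tests above leaves a process-creation event whose command line is the most reliable thing to alert on. The following Python is an added example, not Atomic Red Team or MITRE code: it tokenizes constructed process-creation events (Sysmon Event ID 1 or Security 4688 style, exported as JSON lines with a `CommandLine` field, which is an assumed format) and rates `takeown`, `icacls`/`cacls` and `attrib` invocations, treating a Full Control grant to a broad trustee as high and the same grant applied recursively to a drive root, as in Test #4, as critical. The list of "broad" trustees and the severity ladder are assumptions to tune per environment.

```python
"""Command-line detection for T1222.001 utilities (added example, not project code)."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

TOKEN_RE = re.compile(r'"[^"]*"|\S+')          # keep quoted arguments as one token
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\?\*?$")  # c:, c:\ or c:\* as the target
# Assumed set of trustees whose grant makes an object effectively world-accessible.
BROAD_TRUSTEES = {"everyone", "*s-1-1-0", "users", "builtin\\users", "authenticated users"}


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    command_line: str


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring double-quoted arguments."""
    return [t.strip('"') for t in TOKEN_RE.findall(command_line)]


def _icacls(tokens: List[str], command_line: str) -> Optional[Finding]:
    lower = [t.lower() for t in tokens]
    recursive = "/t" in lower
    root_target = any(DRIVE_ROOT_RE.match(t) for t in lower[1:] if not t.startswith("/"))
    for i, tok in enumerate(lower):
        if tok.startswith("/grant") and i + 1 < len(tokens):   # matches /grant and /grant:r
            trustee, _, perms = tokens[i + 1].rpartition(":")   # e.g. Everyone:F, DOM\user:(OI)(CI)F
            broad = trustee.lower() in BROAD_TRUSTEES
            full = "f" in perms.lower()                         # F = Full Control
            if broad and full:
                severity = "critical" if recursive and root_target else "high"
            else:
                severity = "low"
            return Finding("icacls_grant", severity, command_line)
    return None


def analyse(command_line: str) -> Optional[Finding]:
    """Classify one command line; None means nothing of interest for this technique."""
    tokens = tokenize(command_line)
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    flags = {t.lower() for t in tokens[1:]}
    if exe == "takeown":
        # /r changes the owner of a whole tree (Test #1)
        return Finding("takeown", "high" if "/r" in flags else "medium", command_line)
    if exe in ("icacls", "cacls"):
        return _icacls(tokens, command_line)           # Tests #2 and #4
    if exe == "attrib" and "-r" in flags:
        # clearing read-only; /s applies it to every file below the folder (Test #3)
        return Finding("attrib_clear_readonly", "medium" if "/s" in flags else "low", command_line)
    return None


def scan(events: List[str]) -> List[Finding]:
    """Run analyse() over JSON-lines events and return the findings in event order."""
    findings = []
    for line in events:
        finding = analyse(json.loads(line).get("CommandLine", ""))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry); paths mirror the tests' defaults with %temp% expanded.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "User": "LAB\\alice", "CommandLine": "takeown.exe /f C:\\Users\\alice\\AppData\\Local\\Temp\\T1222.001_takeown_folder /r"}',
    r'{"EventID": 1, "User": "LAB\\alice", "CommandLine": "icacls.exe C:\\Users\\alice\\AppData\\Local\\Temp\\T1222.001_cacls /grant Everyone:F"}',
    r'{"EventID": 1, "User": "LAB\\alice", "CommandLine": "attrib.exe -r C:\\Users\\alice\\AppData\\Local\\Temp\\T1222.001_attrib\\*.* /s"}',
    r'{"EventID": 1, "User": "NT AUTHORITY\\SYSTEM", "CommandLine": "icacls \"C:\\*\" /grant Everyone:F /T /C /Q"}',
    r'{"EventID": 1, "User": "LAB\\admin", "CommandLine": "icacls.exe C:\\App\\config /grant \"LAB\\svc-app:(R)\""}',
    r'{"EventID": 1, "User": "LAB\\alice", "CommandLine": "notepad.exe C:\\notes.txt"}',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.rule:22} {f.command_line}")
```

Command-line matching alone misses the PowerShell route the description mentions (`Set-Acl` and friends), so pair it with object-access auditing (Security 4670 "Permissions on an object were changed") on the directories that matter; the fifth sample event is there to show that a scoped read grant to a named service account should stay at low severity rather than page anyone.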