{"description": "Enterprise techniques mitigated by Restrict File and Directory Permissions, ATT&CK mitigation M1022 (v1.2)", "name": "Restrict File and Directory Permissions (M1022)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "comment": "The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1548.003", "comment": "The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1548.006", "comment": "When using an MDM, ensure the permissions granted are specific to the requirements of the binary. Full Disk Access should be restricted to only necessary binaries in alignment with policy. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "comment": "Restrict access to potentially sensitive files that deal with authentication and/or authorization.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1098.004", "comment": "Restrict access to the authorized_keys file.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.003", "comment": "Consider using Group Policy to configure and block additions/modifications to W32Time DLLs. (Citation: Microsoft W32Time May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.009", "comment": "Applying strict permissions to directories where shortcuts are stored, such as the startup folder, can prevent unauthorized modifications.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547.013", "comment": "Restrict write access to XDG autostart entries to only select privileged users.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037", "comment": "Restrict write access to logon scripts to specific administrators.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1037.002", "comment": "Restrict write access to logon scripts to specific administrators.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037.003", "comment": "Restrict write access to logon scripts to specific administrators.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037.004", "comment": "Limit privileges of user accounts so only authorized users can edit the `rc.common` file.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1037.005", "comment": "Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "comment": "Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1543.001", "comment": "Set group policies to restrict file permissions to the ~/launchagents folder.(Citation: piazza launch agent mitigation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543.002", "comment": "Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1530", "comment": "Use access control lists on storage systems and objects.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1565", "comment": "Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1565.001", "comment": "Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1565.003", "comment": "Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1686", "comment": "Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1686.003", "comment": "Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685", "comment": "Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685.001", "comment": "Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at C:\\Windows\\system32\\Winevt\\Logs(Citation: win_xml_evt_log), have the proper file permissions for limited, legitimate access and audit policies for detection. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685.005", "comment": "Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685.006", "comment": "Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.004", "comment": "Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546.013", "comment": "Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1048", "comment": "Use access control lists on cloud storage systems and objects. ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1222", "comment": "Applying more restrictive permissions to files and directories could prevent adversaries from modifying their access control lists. Additionally, ensure that user settings regarding local and remote symbolic links are properly set or disabled where unneeded.(Citation: create_sym_links)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1222.001", "comment": "Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1222.002", "comment": "Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.004", "comment": "Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. (Citation: InsiderThreat NTFS EA Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "comment": "Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1574.004", "comment": "Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.007", "comment": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.008", "comment": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.009", "comment": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.014", "comment": "Install .NET applications and related software in write-protected locations. Set directory access controls to prevent file writes to the search paths for .NET applications, both in the folders where applications are run from and the standard resources folders.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "comment": "Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.003", "comment": "Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.008", "comment": "Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.009", "comment": "Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "comment": "Use file system access controls to protect folders such as C:\\\\Windows\\\\System32.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1036.003", "comment": "Use file system access controls to protect folders such as `C:\\Windows\\System32`. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "Use file system access controls to protect folders such as `C:\\Windows\\System32`.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556", "comment": "Restrict write access to the `/Library/Security/SecurityAgentPlugins` directory.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.009", "comment": "Restrict the permissions on sensitive files such as /proc/[pid]/maps or /proc/[pid]/mem. ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1563", "showSubtechniques": true}, {"techniqueID": "T1563.001", "comment": "Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "comment": "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1053.006", "comment": "Restrict read/write access to systemd .timer unit files to only select privileged users who have a legitimate need to manage system services.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1489", "comment": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.003", "comment": "Restrict storage and execution of SIP DLLs to protected directories, such as C:\\\\Windows, rather than user directories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.002", "comment": "Restrict storage and execution of Control Panel items to protected directories, such as C:\\Windows, rather than user directories.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1569", "comment": "Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1080", "comment": "Protect shared folders by minimizing users who have write access.", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "comment": "Restrict file shares to specific directories with access only to necessary users.", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "Restrict file shares to specific directories with access only to necessary users.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the `nonexportable` flag during RSA key pair generation.(Citation: cisco_deploy_rsa_keys)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "mitigated by Restrict File and Directory Permissions", "color": "#66b1ff"}]}