mitre-attack / car

Cyber Analytics Repository

Access Permission Modification

mericdegir opened this issue · comments

Access Permission Modification

Adversaries sometimes modify object access rights at the operating system level. There might be different motivations behind this action. Sometimes they do not want some files/objects on systems to be persistent and provide admin-only rights, and sometimes they want the files to be accessible with lower levels of permissions.

For Windows environments the logs may seem too noisy; analysts shall take the following into consideration:
- We need to exclude events generated by the local system (subject security ID "NT AUTHORITY\SYSTEM") and focus on actual users.
- When a permission modification is made for a folder, a new event log is generated for each subfolder and file under that folder. It is advised to group logs based on handle ID or user ID.
- The Windows log (event ID 4670) also includes the process that modifies permissions. It is advised to focus on uncommon process names. It is uncommon for real users to perform this task without a GUI.

ATT&CK Coverage

| Technique | Level of Coverage |
|---|---|
| File Permissions Modification (https://attack.mitre.org/techniques/T1222/) | Moderate |

Analytic Code

For Windows:
EventID: 4670 and
Object Type: File and
Subject Security ID not "NT AUTHORITY\SYSTEM"

For Linux/Mac:
terminal commands with chmod in them.

Test Cases

For Windows:
right-click any file and change permissions under Properties,
or execute the following command:

icacls "C:\<fileName>" /grant <user>:F

For Linux/Mac:

chmod 777 "fileName"

Data Model Mappings

| Object | Action | Field |
|---|---|---|
| file | modify | permissions |

Developer Certificate of Origin

"DCO signed-off-by: Meric Degirmenci mericdegir@email.com"
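The analytic above, carried through on constructed sample data as an added illustration (this is not code from the CAR project or from the issue author). It applies the Windows filter (EventID 4670, Object Type File, subject not "NT AUTHORITY\SYSTEM"), collapses the one-event-per-child burst of a recursive folder change by grouping on handle ID and subject, and marks findings whose modifying process is not a GUI tool; for Linux/Mac it matches any executed command line that invokes chmod and drops whitelisted cron jobs. The event field names, the `GUI_ACL_PROCESSES` allow-list, the `(user, command line, parent)` record shape and the `(user, parent)` whitelist key are all assumptions made for this example.

```python
"""Worked example of the issue's analytic (added illustration, not CAR code).

Assumptions: Windows events are dicts keyed EventID, ObjectType, SubjectSID,
HandleID, ObjectName, ProcessName (mirroring the 4670 fields named above, with
SYSTEM written as the account name the issue uses); GUI_ACL_PROCESSES is an
analyst-chosen allow-list of GUI tools; Linux/macOS records are
(user, command line, parent) tuples and cron jobs are whitelisted as
(user, parent) pairs.  All sample data below is constructed.
"""
import re

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"
GUI_ACL_PROCESSES = {"explorer.exe", "mmc.exe"}        # assumed allow-list
CHMOD_RE = re.compile(r"(?<![\w.-])chmod(?![\w.-])")    # chmod as a whole word


def windows_permission_changes(events):
    """EventID 4670, Object Type File, subject not SYSTEM, grouped by handle.

    Windows writes one 4670 record per child object when a folder ACL is
    changed recursively; grouping on (Handle ID, Subject SID) collapses that
    burst into one finding.  A finding is marked uncommon_process when the
    modifying executable is not on the GUI allow-list.
    """
    groups = {}
    for ev in events:
        if ev.get("EventID") != 4670 or ev.get("ObjectType") != "File":
            continue
        if ev.get("SubjectSID") == SYSTEM_ACCOUNT:
            continue
        key = (ev["HandleID"], ev["SubjectSID"])
        group = groups.setdefault(key, {
            "handle": ev["HandleID"], "subject": ev["SubjectSID"],
            "process": ev["ProcessName"], "objects": []})
        group["objects"].append(ev["ObjectName"])
    for group in groups.values():
        exe = group["process"].rsplit("\\", 1)[-1].lower()
        group["uncommon_process"] = exe not in GUI_ACL_PROCESSES
    return list(groups.values())


def linux_chmod_commands(records, cron_whitelist):
    """Every executed command line invoking chmod, minus whitelisted cron jobs.

    Matches bare, path-qualified and nested invocations (sudo chmod,
    sh -c 'chmod ...'), since the analytic is simply "chmod in the command".
    """
    hits = []
    for user, cmdline, parent in records:
        if not CHMOD_RE.search(cmdline):
            continue
        if (user, parent) in cron_whitelist:
            continue
        hits.append({"user": user, "command": cmdline, "parent": parent})
    return hits


ALICE = "S-1-5-21-1111-2222-3333-1001"   # constructed SIDs
BOB = "S-1-5-21-1111-2222-3333-1002"
WINDOWS_EVENTS = [  # constructed sample 4670 records
    {"EventID": 4670, "ObjectType": "File", "SubjectSID": SYSTEM_ACCOUNT,
     "HandleID": "0x1a4", "ObjectName": "C:\\Windows\\Temp\\svc.tmp",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe"},       # SYSTEM: excluded
    {"EventID": 4670, "ObjectType": "File", "SubjectSID": ALICE,
     "HandleID": "0x3e8", "ObjectName": "C:\\Users\\alice\\Projects",
     "ProcessName": "C:\\Windows\\explorer.exe"},                # folder via GUI
    {"EventID": 4670, "ObjectType": "File", "SubjectSID": ALICE,
     "HandleID": "0x3e8", "ObjectName": "C:\\Users\\alice\\Projects\\notes.txt",
     "ProcessName": "C:\\Windows\\explorer.exe"},                # same handle: child
    {"EventID": 4670, "ObjectType": "File", "SubjectSID": ALICE,
     "HandleID": "0x3e8", "ObjectName": "C:\\Users\\alice\\Projects\\build",
     "ProcessName": "C:\\Windows\\explorer.exe"},                # same handle: child
    {"EventID": 4670, "ObjectType": "File", "SubjectSID": BOB,
     "HandleID": "0x5dc", "ObjectName": "C:\\ProgramData\\Updater\\update.exe",
     "ProcessName": "C:\\Windows\\System32\\icacls.exe"},        # no GUI: flagged
    {"EventID": 4670, "ObjectType": "Key", "SubjectSID": BOB,
     "HandleID": "0x640", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Updater",
     "ProcessName": "C:\\Windows\\regedit.exe"},                 # registry: ignored
]
LINUX_RECORDS = [  # constructed (user, command line, parent) tuples
    ("alice", "chmod 777 /srv/www/uploads/upload.php", "bash"),
    ("bob", "sudo chmod +x /tmp/run", "zsh"),
    ("root", "/usr/bin/chmod 640 /var/log/app/app.log", "cron"),  # whitelisted
    ("alice", "ls -la /etc", "bash"),
    ("carol", "sh -c 'chmod u+s /usr/local/bin/helper'", "bash"),
]
CRON_WHITELIST = {("root", "cron")}

if __name__ == "__main__":
    for f in windows_permission_changes(WINDOWS_EVENTS):
        print(f["subject"], f["process"], len(f["objects"]), "object(s)",
              "UNCOMMON PROCESS" if f["uncommon_process"] else "")
    for h in linux_chmod_commands(LINUX_RECORDS, CRON_WHITELIST):
        print(h["user"], h["parent"], h["command"])
```

Run as-is it reports two Windows findings (alice's three-object Explorer change as one row, bob's icacls.exe change flagged as an uncommon process) and three Linux hits, with root's cron-driven chmod suppressed by the whitelist. In a real deployment the allow-list and the cron whitelist are the tuning knobs: widen the first for legitimate admin tooling in your estate, and build the second from the scheduled jobs you actually run rather than from the user alone.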

@mericdegir thanks for the submission! As far as the analytic type that this represents, I take it that it would likely be for Situational Awareness? Also, I'm assuming that the Linux analytic will be more noisy, since it looks for any invocation of chmod?

Situational Awareness sounds like a good fit.
You are correct about the Linux part. It will be more noisy. However, Linux will not generate logs for system-triggered activities like the Windows example. chmod will be called either by a person or a script, which will give us a similar set. If there are cron jobs regularly doing this, they shall be whitelisted.

One more thing: permissions was not in the data model.

@mericdegir I've added this in a pull request here: #25. Please review if you get a chance. Thanks again for the submission!

Just made a minor wording change. thanks.

Thanks - I've updated the description based on your suggestion.