Try it using Invoke-Atomic

File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification

Description from ATT&CK

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod (short for change mode).

Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Unix Shell Configuration Modification or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.(Citation: 20 macOS Common Tools and Techniques)

Atomic Tests

Atomic Test #1 - chmod - Change file or folder mode (numeric mode)

Changes a file or folder's permissions using chmod and a specified numeric mode.

Supported Platforms: linux,macos

auto_generated_guid: 34ca1464-de9d-40c6-8c77-690adf36a135

Inputs:

Name Description Type Default Value
numeric_mode Specified numeric mode value integer 755
file_or_folder Path of the file or folder path /tmp/AtomicRedTeam/atomics/T1222.002

Attack Commands: Run with sh!

1
chmod #{numeric_mode} #{file_or_folder}

Atomic Test #2 - chmod - Change file or folder mode (symbolic mode)

Changes a file or folder's permissions using chmod and a specified symbolic mode.

Supported Platforms: linux,macos

auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3

Inputs:

Name Description Type Default Value
symbolic_mode Specified symbolic mode value string a+w
file_or_folder Path of the file or folder path /tmp/AtomicRedTeam/atomics/T1222.002

Attack Commands: Run with sh!

1
chmod #{symbolic_mode} #{file_or_folder}

Atomic Test #3 - chmod - Change file or folder mode (numeric mode) recursively

Changes a file or folder's permissions recursively using chmod and a specified numeric mode.

Supported Platforms: linux,macos

auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4

Inputs:

Name Description Type Default Value
numeric_mode Specified numeric mode value integer 755
file_or_folder Path of the file or folder path /tmp/AtomicRedTeam/atomics/T1222.002

Attack Commands: Run with sh!

1
chmod -R #{numeric_mode} #{file_or_folder}

Atomic Test #4 - chmod - Change file or folder mode (symbolic mode) recursively

Changes a file or folder's permissions recursively using chmod and a specified symbolic mode.

Supported Platforms: linux,macos

auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f

Inputs:

Name Description Type Default Value
symbolic_mode Specified symbolic mode value string a+w
file_or_folder Path of the file or folder path /tmp/AtomicRedTeam/atomics/T1222.002

Attack Commands: Run with bash!

1
chmod -R #{symbolic_mode} #{file_or_folder}

Atomic Test #5 - chown - Change file or folder ownership and group

Changes a file or folder's ownership and group information using chown.

Supported Platforms: macos,linux

auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0

Inputs:

Name Description Type Default Value
owner Username of desired owner string root
file_or_folder Path of the file or folder path /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml
group Group name of desired group string root

Attack Commands: Run with bash!

1
chown #{owner}:#{group} #{file_or_folder}

Atomic Test #6 - chown - Change file or folder ownership and group recursively

Changes a file or folder's ownership and group information recursively using chown.

Supported Platforms: macos,linux

auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848

Inputs:

Name Description Type Default Value
owner Username of desired owner string root
file_or_folder Path of the file or folder path /tmp/AtomicRedTeam/atomics/T1222.002
group Group name of desired group string root

Attack Commands: Run with bash!

1
chown -R #{owner}:#{group} #{file_or_folder}

Atomic Test #7 - chown - Change file or folder mode ownership only

Changes a file or folder's ownership only using chown.

Supported Platforms: linux,macos

auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99

Inputs:

Name Description Type Default Value
owner Username of desired owner string root
file_or_folder Path of the file or folder path /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml

Attack Commands: Run with sh!

1
chown #{owner} #{file_or_folder}

Atomic Test #8 - chown - Change file or folder ownership recursively

Changes a file or folder's ownership only recursively using chown.

Supported Platforms: macos,linux

auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2

Inputs:

Name Description Type Default Value
owner Username of desired owner string root
file_or_folder Path of the file or folder path /tmp/AtomicRedTeam/atomics/T1222.002

Attack Commands: Run with bash!

1
chown -R #{owner} #{file_or_folder}

Atomic Test #9 - chattr - Remove immutable file attribute

Remove's a file's

1
immutable
attribute using
1
chattr
. This technique was used by the threat actor Rocke during the compromise of Linux web servers.

Supported Platforms: macos,linux

auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f

Inputs:

Name Description Type Default Value
file_to_modify Path of the file path /var/spool/cron/root

Attack Commands: Run with sh!

1
chattr -i #{file_to_modify}

Atomic Test #10 - chflags - Remove immutable file attribute

Remove's a file's

1
immutable
attribute using
1
chflags
. This technique was used by the threat actor Rocke during the compromise of Linux web servers.

Supported Platforms: linux

auto_generated_guid: 60eee3ea-2ebd-453b-a666-c52ce08d2709

Inputs:

Name Description Type Default Value
file_to_modify Path of the file path /tmp/T1222.002.txt

Attack Commands: Run with sh!

1
2
3
touch #{file_to_modify}
chflags simmutable #{file_to_modify}
chflags nosimmutable #{file_to_modify}

Atomic Test #11 - Chmod through c script

chmods a file using a c script

Supported Platforms: macos,linux

auto_generated_guid: 973631cf-6680-4ffa-a053-045e1b6b67ab

Inputs:

Name Description Type Default Value
source_file Path of c source file path PathToAtomicsFolder/T1222.002/src/T1222.002.c
compiled_file Path of compiled file path /tmp/T1222002

Attack Commands: Run with sh!

1
#{compiled_file} /tmp/ T1222002

Dependencies: Run with sh!

Description: Compile the script from (#{source_file}). Destination is #{compiled_file}

Check Prereq Commands:

1
gcc #{source_file} -o #{compiled_file}

Get Prereq Commands:

1
gcc #{source_file} -o #{compiled_file}

Atomic Test #12 - Chmod through c script (freebsd)

chmods a file using a c script

Supported Platforms: linux

auto_generated_guid: da40b5fe-3098-4b3b-a410-ff177e49ee2e

Inputs:

Name Description Type Default Value
source_file Path of c source file path PathToAtomicsFolder/T1222.002/src/T1222.002.c
compiled_file Path of compiled file path /tmp/T1222002

Attack Commands: Run with sh!

1
#{compiled_file} /tmp/ T1222002

Dependencies: Run with sh!

Description: Compile the script from (#{source_file}). Destination is #{compiled_file}

Check Prereq Commands:

1
cc #{source_file} -o #{compiled_file}

Get Prereq Commands:

1
cc #{source_file} -o #{compiled_file}

Atomic Test #13 - Chown through c script

chowns a file to root using a c script

Supported Platforms: macos,linux

auto_generated_guid: 18592ba1-5f88-4e3c-abc8-ab1c6042e389

Inputs:

Name Description Type Default Value
source_file Path of c source file path PathToAtomicsFolder/T1222.002/src/chown.c
compiled_file Path of compiled file path /tmp/T1222002own

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
sudo #{compiled_file} #{source_file}

Dependencies: Run with sh!

Description: Compile the script from (#{source_file}). Destination is #{compiled_file}

Check Prereq Commands:

1
gcc #{source_file} -o #{compiled_file}

Get Prereq Commands:

1
gcc #{source_file} -o #{compiled_file}

Atomic Test #14 - Chown through c script (freebsd)

chowns a file to root using a c script

Supported Platforms: linux

auto_generated_guid: eb577a19-b730-4918-9b03-c5edcf51dc4e

Inputs:

Name Description Type Default Value
source_file Path of c source file path PathToAtomicsFolder/T1222.002/src/chown.c
compiled_file Path of compiled file path /tmp/T1222002own

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

1
#{compiled_file} #{source_file}

Dependencies: Run with sh!

Description: Compile the script from (#{source_file}). Destination is #{compiled_file}

Check Prereq Commands:

1
cc #{source_file} -o #{compiled_file}

Get Prereq Commands:

1
cc #{source_file} -o #{compiled_file}

source