diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index d57deb74..09c1e50b 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -142,21 +142,17 @@ defense-evasion,T1107,File Deletion,8,Delete Filesystem - Linux
defense-evasion,T1107,File Deletion,9,Delete-PrefetchFile
defense-evasion,T1107,File Deletion,10,Delete TeamViewer Log Files
defense-evasion,T1222,File and Directory Permissions Modification,1,Take ownership using takeown utility
-defense-evasion,T1222,File and Directory Permissions Modification,2,Take ownership recursively using takeown utility
-defense-evasion,T1222,File and Directory Permissions Modification,3,cacls - Grant permission to specified user or group
-defense-evasion,T1222,File and Directory Permissions Modification,4,cacls - Grant permission to specified user or group recursively
-defense-evasion,T1222,File and Directory Permissions Modification,5,icacls - Grant permission to specified user or group
-defense-evasion,T1222,File and Directory Permissions Modification,6,icacls - Grant permission to specified user or group recursively
-defense-evasion,T1222,File and Directory Permissions Modification,7,attrib - Remove read-only attribute
-defense-evasion,T1222,File and Directory Permissions Modification,8,chmod - Change file or folder mode (numeric mode)
-defense-evasion,T1222,File and Directory Permissions Modification,9,chmod - Change file or folder mode (symbolic mode)
-defense-evasion,T1222,File and Directory Permissions Modification,10,chmod - Change file or folder mode (numeric mode) recursively
-defense-evasion,T1222,File and Directory Permissions Modification,11,chmod - Change file or folder mode (symbolic mode) recursively
-defense-evasion,T1222,File and Directory Permissions Modification,12,chown - Change file or folder ownership and group
-defense-evasion,T1222,File and Directory Permissions Modification,13,chown - Change file or folder ownership and group recursively
-defense-evasion,T1222,File and Directory Permissions Modification,14,chown - Change file or folder mode ownership only
-defense-evasion,T1222,File and Directory Permissions Modification,15,chown - Change file or folder ownership recursively
-defense-evasion,T1222,File and Directory Permissions Modification,16,chattr - Remove immutable file attribute
+defense-evasion,T1222,File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively
+defense-evasion,T1222,File and Directory Permissions Modification,3,attrib - Remove read-only attribute
+defense-evasion,T1222,File and Directory Permissions Modification,4,chmod - Change file or folder mode (numeric mode)
+defense-evasion,T1222,File and Directory Permissions Modification,5,chmod - Change file or folder mode (symbolic mode)
+defense-evasion,T1222,File and Directory Permissions Modification,6,chmod - Change file or folder mode (numeric mode) recursively
+defense-evasion,T1222,File and Directory Permissions Modification,7,chmod - Change file or folder mode (symbolic mode) recursively
+defense-evasion,T1222,File and Directory Permissions Modification,8,chown - Change file or folder ownership and group
+defense-evasion,T1222,File and Directory Permissions Modification,9,chown - Change file or folder ownership and group recursively
+defense-evasion,T1222,File and Directory Permissions Modification,10,chown - Change file or folder mode ownership only
+defense-evasion,T1222,File and Directory Permissions Modification,11,chown - Change file or folder ownership recursively
+defense-evasion,T1222,File and Directory Permissions Modification,12,chattr - Remove immutable file attribute
defense-evasion,T1144,Gatekeeper Bypass,1,Gatekeeper Bypass
defense-evasion,T1148,HISTCONTROL,1,Disable history collection
defense-evasion,T1148,HISTCONTROL,2,Mac HISTCONTROL
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 04ed94a6..dc5b1e69 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -76,15 +76,15 @@ defense-evasion,T1107,File Deletion,1,Delete a single file - Linux/macOS
defense-evasion,T1107,File Deletion,2,Delete an entire folder - Linux/macOS
defense-evasion,T1107,File Deletion,3,Overwrite and delete a file with shred
defense-evasion,T1107,File Deletion,8,Delete Filesystem - Linux
-defense-evasion,T1222,File and Directory Permissions Modification,8,chmod - Change file or folder mode (numeric mode)
-defense-evasion,T1222,File and Directory Permissions Modification,9,chmod - Change file or folder mode (symbolic mode)
-defense-evasion,T1222,File and Directory Permissions Modification,10,chmod - Change file or folder mode (numeric mode) recursively
-defense-evasion,T1222,File and Directory Permissions Modification,11,chmod - Change file or folder mode (symbolic mode) recursively
-defense-evasion,T1222,File and Directory Permissions Modification,12,chown - Change file or folder ownership and group
-defense-evasion,T1222,File and Directory Permissions Modification,13,chown - Change file or folder ownership and group recursively
-defense-evasion,T1222,File and Directory Permissions Modification,14,chown - Change file or folder mode ownership only
-defense-evasion,T1222,File and Directory Permissions Modification,15,chown - Change file or folder ownership recursively
-defense-evasion,T1222,File and Directory Permissions Modification,16,chattr - Remove immutable file attribute
+defense-evasion,T1222,File and Directory Permissions Modification,4,chmod - Change file or folder mode (numeric mode)
+defense-evasion,T1222,File and Directory Permissions Modification,5,chmod - Change file or folder mode (symbolic mode)
+defense-evasion,T1222,File and Directory Permissions Modification,6,chmod - Change file or folder mode (numeric mode) recursively
+defense-evasion,T1222,File and Directory Permissions Modification,7,chmod - Change file or folder mode (symbolic mode) recursively
+defense-evasion,T1222,File and Directory Permissions Modification,8,chown - Change file or folder ownership and group
+defense-evasion,T1222,File and Directory Permissions Modification,9,chown - Change file or folder ownership and group recursively
+defense-evasion,T1222,File and Directory Permissions Modification,10,chown - Change file or folder mode ownership only
+defense-evasion,T1222,File and Directory Permissions Modification,11,chown - Change file or folder ownership recursively
+defense-evasion,T1222,File and Directory Permissions Modification,12,chattr - Remove immutable file attribute
defense-evasion,T1148,HISTCONTROL,1,Disable history collection
defense-evasion,T1148,HISTCONTROL,2,Mac HISTCONTROL
defense-evasion,T1158,Hidden Files and Directories,1,Create a hidden file in a hidden directory
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index 687fed0b..bfece318 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -109,15 +109,15 @@ defense-evasion,T1089,Disabling Security Tools,6,Disable LittleSnitch
defense-evasion,T1089,Disabling Security Tools,7,Disable OpenDNS Umbrella
defense-evasion,T1107,File Deletion,1,Delete a single file - Linux/macOS
defense-evasion,T1107,File Deletion,2,Delete an entire folder - Linux/macOS
-defense-evasion,T1222,File and Directory Permissions Modification,8,chmod - Change file or folder mode (numeric mode)
-defense-evasion,T1222,File and Directory Permissions Modification,9,chmod - Change file or folder mode (symbolic mode)
-defense-evasion,T1222,File and Directory Permissions Modification,10,chmod - Change file or folder mode (numeric mode) recursively
-defense-evasion,T1222,File and Directory Permissions Modification,11,chmod - Change file or folder mode (symbolic mode) recursively
-defense-evasion,T1222,File and Directory Permissions Modification,12,chown - Change file or folder ownership and group
-defense-evasion,T1222,File and Directory Permissions Modification,13,chown - Change file or folder ownership and group recursively
-defense-evasion,T1222,File and Directory Permissions Modification,14,chown - Change file or folder mode ownership only
-defense-evasion,T1222,File and Directory Permissions Modification,15,chown - Change file or folder ownership recursively
-defense-evasion,T1222,File and Directory Permissions Modification,16,chattr - Remove immutable file attribute
+defense-evasion,T1222,File and Directory Permissions Modification,4,chmod - Change file or folder mode (numeric mode)
+defense-evasion,T1222,File and Directory Permissions Modification,5,chmod - Change file or folder mode (symbolic mode)
+defense-evasion,T1222,File and Directory Permissions Modification,6,chmod - Change file or folder mode (numeric mode) recursively
+defense-evasion,T1222,File and Directory Permissions Modification,7,chmod - Change file or folder mode (symbolic mode) recursively
+defense-evasion,T1222,File and Directory Permissions Modification,8,chown - Change file or folder ownership and group
+defense-evasion,T1222,File and Directory Permissions Modification,9,chown - Change file or folder ownership and group recursively
+defense-evasion,T1222,File and Directory Permissions Modification,10,chown - Change file or folder mode ownership only
+defense-evasion,T1222,File and Directory Permissions Modification,11,chown - Change file or folder ownership recursively
+defense-evasion,T1222,File and Directory Permissions Modification,12,chattr - Remove immutable file attribute
defense-evasion,T1144,Gatekeeper Bypass,1,Gatekeeper Bypass
defense-evasion,T1148,HISTCONTROL,1,Disable history collection
defense-evasion,T1148,HISTCONTROL,2,Mac HISTCONTROL
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 6329bf54..4696e2de 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -40,12 +40,8 @@ defense-evasion,T1107,File Deletion,7,Delete an entire folder - Windows PowerShe
defense-evasion,T1107,File Deletion,9,Delete-PrefetchFile
defense-evasion,T1107,File Deletion,10,Delete TeamViewer Log Files
defense-evasion,T1222,File and Directory Permissions Modification,1,Take ownership using takeown utility
-defense-evasion,T1222,File and Directory Permissions Modification,2,Take ownership recursively using takeown utility
-defense-evasion,T1222,File and Directory Permissions Modification,3,cacls - Grant permission to specified user or group
-defense-evasion,T1222,File and Directory Permissions Modification,4,cacls - Grant permission to specified user or group recursively
-defense-evasion,T1222,File and Directory Permissions Modification,5,icacls - Grant permission to specified user or group
-defense-evasion,T1222,File and Directory Permissions Modification,6,icacls - Grant permission to specified user or group recursively
-defense-evasion,T1222,File and Directory Permissions Modification,7,attrib - Remove read-only attribute
+defense-evasion,T1222,File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively
+defense-evasion,T1222,File and Directory Permissions Modification,3,attrib - Remove read-only attribute
defense-evasion,T1158,Hidden Files and Directories,3,Create Windows System File with Attrib
defense-evasion,T1158,Hidden Files and Directories,4,Create Windows Hidden File with Attrib
defense-evasion,T1158,Hidden Files and Directories,8,Create ADS command prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 19542d47..80aa708a 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -233,21 +233,17 @@
- T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222 File and Directory Permissions Modification](../../T1222/T1222.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- - Atomic Test #2: Take ownership recursively using takeown utility [windows]
- - Atomic Test #3: cacls - Grant permission to specified user or group [windows]
- - Atomic Test #4: cacls - Grant permission to specified user or group recursively [windows]
- - Atomic Test #5: icacls - Grant permission to specified user or group [windows]
- - Atomic Test #6: icacls - Grant permission to specified user or group recursively [windows]
- - Atomic Test #7: attrib - Remove read-only attribute [windows]
- - Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
- - Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- - Atomic Test #10: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- - Atomic Test #11: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- - Atomic Test #12: chown - Change file or folder ownership and group [macos, linux]
- - Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
- - Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
- - Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
- - Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
+ - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
+ - Atomic Test #3: attrib - Remove read-only attribute [windows]
+ - Atomic Test #4: chmod - Change file or folder mode (numeric mode) [macos, linux]
+ - Atomic Test #5: chmod - Change file or folder mode (symbolic mode) [macos, linux]
+ - Atomic Test #6: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
+ - Atomic Test #7: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
+ - Atomic Test #8: chown - Change file or folder ownership and group [macos, linux]
+ - Atomic Test #9: chown - Change file or folder ownership and group recursively [macos, linux]
+ - Atomic Test #10: chown - Change file or folder mode ownership only [macos, linux]
+ - Atomic Test #11: chown - Change file or folder ownership recursively [macos, linux]
+ - Atomic Test #12: chattr - Remove immutable file attribute [macos, linux]
- [T1144 Gatekeeper Bypass](../../T1144/T1144.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 2dbd2680..f25248cb 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -159,15 +159,15 @@
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- [T1222 File and Directory Permissions Modification](../../T1222/T1222.md)
- - Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
- - Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- - Atomic Test #10: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- - Atomic Test #11: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- - Atomic Test #12: chown - Change file or folder ownership and group [macos, linux]
- - Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
- - Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
- - Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
- - Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
+ - Atomic Test #4: chmod - Change file or folder mode (numeric mode) [macos, linux]
+ - Atomic Test #5: chmod - Change file or folder mode (symbolic mode) [macos, linux]
+ - Atomic Test #6: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
+ - Atomic Test #7: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
+ - Atomic Test #8: chown - Change file or folder ownership and group [macos, linux]
+ - Atomic Test #9: chown - Change file or folder ownership and group recursively [macos, linux]
+ - Atomic Test #10: chown - Change file or folder mode ownership only [macos, linux]
+ - Atomic Test #11: chown - Change file or folder ownership recursively [macos, linux]
+ - Atomic Test #12: chattr - Remove immutable file attribute [macos, linux]
- [T1148 HISTCONTROL](../../T1148/T1148.md)
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index ca980471..c223b80e 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -249,15 +249,15 @@
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- [T1222 File and Directory Permissions Modification](../../T1222/T1222.md)
- - Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
- - Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- - Atomic Test #10: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- - Atomic Test #11: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- - Atomic Test #12: chown - Change file or folder ownership and group [macos, linux]
- - Atomic Test #13: chown - Change file or folder ownership and group recursively [macos, linux]
- - Atomic Test #14: chown - Change file or folder mode ownership only [macos, linux]
- - Atomic Test #15: chown - Change file or folder ownership recursively [macos, linux]
- - Atomic Test #16: chattr - Remove immutable file attribute [macos, linux]
+ - Atomic Test #4: chmod - Change file or folder mode (numeric mode) [macos, linux]
+ - Atomic Test #5: chmod - Change file or folder mode (symbolic mode) [macos, linux]
+ - Atomic Test #6: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
+ - Atomic Test #7: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
+ - Atomic Test #8: chown - Change file or folder ownership and group [macos, linux]
+ - Atomic Test #9: chown - Change file or folder ownership and group recursively [macos, linux]
+ - Atomic Test #10: chown - Change file or folder mode ownership only [macos, linux]
+ - Atomic Test #11: chown - Change file or folder ownership recursively [macos, linux]
+ - Atomic Test #12: chattr - Remove immutable file attribute [macos, linux]
- [T1144 Gatekeeper Bypass](../../T1144/T1144.md)
- Atomic Test #1: Gatekeeper Bypass [macos]
- [T1148 HISTCONTROL](../../T1148/T1148.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 942514ee..4e6fdb8f 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -64,12 +64,8 @@
- T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1222 File and Directory Permissions Modification](../../T1222/T1222.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- - Atomic Test #2: Take ownership recursively using takeown utility [windows]
- - Atomic Test #3: cacls - Grant permission to specified user or group [windows]
- - Atomic Test #4: cacls - Grant permission to specified user or group recursively [windows]
- - Atomic Test #5: icacls - Grant permission to specified user or group [windows]
- - Atomic Test #6: icacls - Grant permission to specified user or group recursively [windows]
- - Atomic Test #7: attrib - Remove read-only attribute [windows]
+ - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
+ - Atomic Test #3: attrib - Remove read-only attribute [windows]
- T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1158 Hidden Files and Directories](../../T1158/T1158.md)
- Atomic Test #3: Create Windows System File with Attrib [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index fd42167c..711a0f14 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -7662,138 +7662,82 @@ defense-evasion:
identifier: T1222
atomic_tests:
- name: Take ownership using takeown utility
- description: 'Modifies the filesystem permissions of the specified file or folder
- to take ownership of the object.
-
-'
+ description: |
+ Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will
+ be displayed for the folder and each file inside of it.
supported_platforms:
- windows
input_arguments:
file_folder_to_own:
description: Path of the file or folder for takeown to take ownership.
type: path
- default: PathToAtomicsFolder\T1222\T1222.yaml
+ default: "%temp%\\T1222_takeown_folder"
+ dependency_executor_name: command_prompt
+ dependencies:
+ - description: Test requrires a file to take ownership of to be located at (#{file_folder_to_own})
+ prereq_command: 'IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 )'
+ get_prereq_command: |-
+ mkdir #{file_folder_to_own}
+ echo T1222_takeown1 >> #{file_folder_to_own}\T1222_takeown1.txt
+ echo T1222_takeown2 >> #{file_folder_to_own}\T1222_takeown2.txt
executor:
name: command_prompt
- command: 'takeown.exe /f #{file_folder_to_own}
-
-'
- - name: Take ownership recursively using takeown utility
- description: 'Modifies the filesystem permissions of the specified folder to
- take ownership of it and its contents.
-
-'
- supported_platforms:
- - windows
- input_arguments:
- folder_to_own:
- description: Path of the folder for takeown to take ownership.
- type: path
- default: PathToAtomicsFolder\T1222
- executor:
- name: command_prompt
- command: 'takeown.exe /f #{folder_to_own} /r
-
-'
- - name: cacls - Grant permission to specified user or group
- description: 'Modifies the filesystem permissions of the specified file or folder
- to allow the specified user or group Full Control.
-
-'
- supported_platforms:
- - windows
- input_arguments:
- file_or_folder:
- description: Path of the file or folder to change permissions.
- type: path
- default: PathToAtomicsFolder\T1222\T1222.yaml
- user_or_group:
- description: User or group to allow full control
- type: string
- default: Everyone
- executor:
- name: command_prompt
- command: 'cacls.exe #{file_or_folder} /grant #{user_or_group}:F
+ command: 'takeown.exe /f #{file_folder_to_own} /r
'
- name: cacls - Grant permission to specified user or group recursively
- description: 'Modifies the filesystem permissions of the specified folder and
- contents to allow the specified user or group Full Control.
-
-'
+ description: |
+ Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If "Access is denied"
+ is displayed it may be because the file or folder doesn't exit. Run the prereq command to create it. Upon successfull execution, "Successfully processed 3 files"
+ will be displayed.
supported_platforms:
- windows
input_arguments:
file_or_folder:
description: Path of the file or folder to change permissions.
type: path
- default: PathToAtomicsFolder\T1222
+ default: "%temp%\\T1222_cacls"
user_or_group:
description: User or group to allow full control
type: string
default: Everyone
+ dependency_executor_name: command_prompt
+ dependencies:
+ - description: Test requrires a file to modifyto be located at (#{file_or_folder})
+ prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )'
+ get_prereq_command: |-
+ mkdir #{file_or_folder}
+ echo T1222_cacls1 >> #{file_or_folder}\T1222_cacls1.txt
+ echo T1222_cacls2 >> #{file_or_folder}\T1222_cacls2.txt
executor:
name: command_prompt
- command: 'cacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
-
-'
- - name: icacls - Grant permission to specified user or group
- description: 'Modifies the filesystem permissions of the specified file or folder
- to allow the specified user or group Full Control.
-
-'
- supported_platforms:
- - windows
- input_arguments:
- file_or_folder:
- description: Path of the file or folder to change permissions.
- type: path
- default: PathToAtomicsFolder\T1222\T1222.yaml
- user_or_group:
- description: User or group to allow full control
- type: string
- default: Everyone
- executor:
- name: command_prompt
- command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F
-
-'
- - name: icacls - Grant permission to specified user or group recursively
- description: 'Modifies the filesystem permissions of the specified folder and
- contents to allow the specified user or group Full Control.
-
-'
- supported_platforms:
- - windows
- input_arguments:
- file_or_folder:
- description: Path of the file or folder to change permissions.
- type: path
- default: PathToAtomicsFolder\T1222
- user_or_group:
- description: User or group to allow full control
- type: string
- default: Everyone
- executor:
- name: command_prompt
- command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
+ command: 'Icacls.exe #{file_or_folder} /grant #{user_or_group}:F
'
- name: attrib - Remove read-only attribute
- description: 'Removes the read-only attribute from a file or folder using the
- attrib.exe command.
-
-'
+ description: |
+ Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed.
+ Open the file in File Explorer > Right Click - Prperties and observe that the Read Only checkbox is empty.
supported_platforms:
- windows
input_arguments:
file_or_folder:
description: Path of the file or folder remove attribute.
type: path
- default: PathToAtomicsFolder\T1222
+ default: "%temp%\\T1222_attrib"
+ dependency_executor_name: command_prompt
+ dependencies:
+ - description: Test requrires a file to modify to be located at (#{file_or_folder})
+ prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )'
+ get_prereq_command: |-
+ mkdir #{file_or_folder}
+ echo T1222_attrib1 >> #{file_or_folder}\T1222_attrib1.txt
+ echo T1222_attrib2 >> #{file_or_folder}\T1222_attrib2.txt
+ attrib.exe +r #{file_or_folder}\T1222_attrib1.txt
+ attrib.exe +r #{file_or_folder}\T1222_attrib2.txt
executor:
name: command_prompt
- command: 'attrib.exe -r #{file_or_folder}
+ command: 'attrib.exe -r #{file_or_folder}\*.* /s
'
- name: chmod - Change file or folder mode (numeric mode)
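Review bot: The test still named "cacls - Grant permission to specified user or group recursively" now runs `Icacls.exe #{file_or_folder} /grant #{user_or_group}:F` with no `/t`, so it exercises neither cacls.exe nor recursion. Anyone using it to validate a cacls.exe process-name detection gets a silent miss, and the promised "Successfully processed 3 files" output will presumably not appear, since the two files in the folder are not processed without `/t`. Either rename the test to icacls and use `command: 'icacls.exe "#{file_or_folder}" /grant #{user_or_group}:F /t'`, or restore the cacls.exe invocation so the name and the telemetry agree. None of the three Windows tests in this hunk adds a `cleanup_command`, so the `%temp%` folders stay behind with the Everyone Full Control grant; something like `cleanup_command: 'rmdir /s /q "#{file_or_folder}"'` would reset state between runs. This index looks generated, so the fix, along with the description typos ("requrires", "modifyto", "doesn't exit", "successfull", "Prperties"), likely belongs in the T1222 atomic definition it is built from.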
diff --git a/atomics/T1222/T1222.md b/atomics/T1222/T1222.md
index 8fdcae17..dad759b2 100644
--- a/atomics/T1222/T1222.md
+++ b/atomics/T1222/T1222.md
@@ -8,41 +8,34 @@ Adversaries may modify file or directory permissions/attributes to evade intende
- [Atomic Test #1 - Take ownership using takeown utility](#atomic-test-1---take-ownership-using-takeown-utility)
-- [Atomic Test #2 - Take ownership recursively using takeown utility](#atomic-test-2---take-ownership-recursively-using-takeown-utility)
+- [Atomic Test #2 - cacls - Grant permission to specified user or group recursively](#atomic-test-2---cacls---grant-permission-to-specified-user-or-group-recursively)
-- [Atomic Test #3 - cacls - Grant permission to specified user or group](#atomic-test-3---cacls---grant-permission-to-specified-user-or-group)
+- [Atomic Test #3 - attrib - Remove read-only attribute](#atomic-test-3---attrib---remove-read-only-attribute)
-- [Atomic Test #4 - cacls - Grant permission to specified user or group recursively](#atomic-test-4---cacls---grant-permission-to-specified-user-or-group-recursively)
+- [Atomic Test #4 - chmod - Change file or folder mode (numeric mode)](#atomic-test-4---chmod---change-file-or-folder-mode-numeric-mode)
-- [Atomic Test #5 - icacls - Grant permission to specified user or group](#atomic-test-5---icacls---grant-permission-to-specified-user-or-group)
+- [Atomic Test #5 - chmod - Change file or folder mode (symbolic mode)](#atomic-test-5---chmod---change-file-or-folder-mode-symbolic-mode)
-- [Atomic Test #6 - icacls - Grant permission to specified user or group recursively](#atomic-test-6---icacls---grant-permission-to-specified-user-or-group-recursively)
+- [Atomic Test #6 - chmod - Change file or folder mode (numeric mode) recursively](#atomic-test-6---chmod---change-file-or-folder-mode-numeric-mode-recursively)
-- [Atomic Test #7 - attrib - Remove read-only attribute](#atomic-test-7---attrib---remove-read-only-attribute)
+- [Atomic Test #7 - chmod - Change file or folder mode (symbolic mode) recursively](#atomic-test-7---chmod---change-file-or-folder-mode-symbolic-mode-recursively)
-- [Atomic Test #8 - chmod - Change file or folder mode (numeric mode)](#atomic-test-8---chmod---change-file-or-folder-mode-numeric-mode)
+- [Atomic Test #8 - chown - Change file or folder ownership and group](#atomic-test-8---chown---change-file-or-folder-ownership-and-group)
-- [Atomic Test #9 - chmod - Change file or folder mode (symbolic mode)](#atomic-test-9---chmod---change-file-or-folder-mode-symbolic-mode)
+- [Atomic Test #9 - chown - Change file or folder ownership and group recursively](#atomic-test-9---chown---change-file-or-folder-ownership-and-group-recursively)
-- [Atomic Test #10 - chmod - Change file or folder mode (numeric mode) recursively](#atomic-test-10---chmod---change-file-or-folder-mode-numeric-mode-recursively)
+- [Atomic Test #10 - chown - Change file or folder mode ownership only](#atomic-test-10---chown---change-file-or-folder-mode-ownership-only)
-- [Atomic Test #11 - chmod - Change file or folder mode (symbolic mode) recursively](#atomic-test-11---chmod---change-file-or-folder-mode-symbolic-mode-recursively)
+- [Atomic Test #11 - chown - Change file or folder ownership recursively](#atomic-test-11---chown---change-file-or-folder-ownership-recursively)
-- [Atomic Test #12 - chown - Change file or folder ownership and group](#atomic-test-12---chown---change-file-or-folder-ownership-and-group)
-
-- [Atomic Test #13 - chown - Change file or folder ownership and group recursively](#atomic-test-13---chown---change-file-or-folder-ownership-and-group-recursively)
-
-- [Atomic Test #14 - chown - Change file or folder mode ownership only](#atomic-test-14---chown---change-file-or-folder-mode-ownership-only)
-
-- [Atomic Test #15 - chown - Change file or folder ownership recursively](#atomic-test-15---chown---change-file-or-folder-ownership-recursively)
-
-- [Atomic Test #16 - chattr - Remove immutable file attribute](#atomic-test-16---chattr---remove-immutable-file-attribute)
+- [Atomic Test #12 - chattr - Remove immutable file attribute](#atomic-test-12---chattr---remove-immutable-file-attribute)
## Atomic Test #1 - Take ownership using takeown utility
-Modifies the filesystem permissions of the specified file or folder to take ownership of the object.
+Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will
+be displayed for the folder and each file inside of it.
**Supported Platforms:** Windows
@@ -52,55 +45,42 @@ Modifies the filesystem permissions of the specified file or folder to take owne
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| file_folder_to_own | Path of the file or folder for takeown to take ownership. | path | PathToAtomicsFolder\T1222\T1222.yaml|
+| file_folder_to_own | Path of the file or folder for takeown to take ownership. | path | %temp%\T1222_takeown_folder|
#### Attack Commands: Run with `command_prompt`!
```cmd
-takeown.exe /f #{file_folder_to_own}
+takeown.exe /f #{file_folder_to_own} /r
```
-
-
-
-
-
-## Atomic Test #2 - Take ownership recursively using takeown utility
-Modifies the filesystem permissions of the specified folder to take ownership of it and its contents.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| folder_to_own | Path of the folder for takeown to take ownership. | path | PathToAtomicsFolder\T1222|
-
-
-#### Attack Commands: Run with `command_prompt`!
-
-
+#### Dependencies: Run with `command_prompt`!
+##### Description: Test requrires a file to take ownership of to be located at (#{file_folder_to_own})
+##### Check Prereq Commands:
```cmd
-takeown.exe /f #{folder_to_own} /r
+IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+mkdir #{file_folder_to_own}
+echo T1222_takeown1 >> #{file_folder_to_own}\T1222_takeown1.txt
+echo T1222_takeown2 >> #{file_folder_to_own}\T1222_takeown2.txt
```
-
-
-## Atomic Test #3 - cacls - Grant permission to specified user or group
-Modifies the filesystem permissions of the specified file or folder to allow the specified user or group Full Control.
+## Atomic Test #2 - cacls - Grant permission to specified user or group recursively
+Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If "Access is denied"
+is displayed it may be because the file or folder doesn't exit. Run the prereq command to create it. Upon successfull execution, "Successfully processed 3 files"
+will be displayed.
**Supported Platforms:** Windows
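Review bot: The prerequisite and attack commands for Atomic Test #1 pass `#{file_folder_to_own}` unquoted, and the new default sits under `%temp%`, so a profile path that expands with spaces would break `IF EXIST`, `mkdir`, the `echo ... >>` redirects and `takeown.exe /f`. Quoting the argument avoids that, e.g. `IF EXIST "#{file_folder_to_own}" ( EXIT 0 ) ELSE ( EXIT 1 )` and `takeown.exe /f "#{file_folder_to_own}" /r`. The same applies to the `#{file_or_folder}` prerequisite blocks added for Test #2 and Test #3 in the following hunks. The dependency description should read `Test requires a file to take ownership of to be located at (#{file_folder_to_own})`, and the Test #2 description in this hunk has "exit" for "exist" and "successfull" for "successful".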
@@ -110,7 +90,7 @@ Modifies the filesystem permissions of the specified file or folder to allow the
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder to change permissions. | path | PathToAtomicsFolder\T1222\T1222.yaml|
+| file_or_folder | Path of the file or folder to change permissions. | path | %temp%\T1222_cacls|
| user_or_group | User or group to allow full control | string | Everyone|
@@ -118,19 +98,34 @@ Modifies the filesystem permissions of the specified file or folder to allow the
```cmd
-cacls.exe #{file_or_folder} /grant #{user_or_group}:F
+Icacls.exe #{file_or_folder} /grant #{user_or_group}:F
```
+#### Dependencies: Run with `command_prompt`!
+##### Description: Test requrires a file to modifyto be located at (#{file_or_folder})
+##### Check Prereq Commands:
+```cmd
+IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
+```
+##### Get Prereq Commands:
+```cmd
+mkdir #{file_or_folder}
+echo T1222_cacls1 >> #{file_or_folder}\T1222_cacls1.txt
+echo T1222_cacls2 >> #{file_or_folder}\T1222_cacls2.txt
+```
+
+
-## Atomic Test #4 - cacls - Grant permission to specified user or group recursively
-Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control.
+## Atomic Test #3 - attrib - Remove read-only attribute
+Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed.
+Open the file in File Explorer > Right Click - Prperties and observe that the Read Only checkbox is empty.
**Supported Platforms:** Windows
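Review bot: The new attack command `Icacls.exe #{file_or_folder} /grant #{user_or_group}:F` has no `/t`, yet the heading for Atomic Test #2 says "recursively" and its description expects "Successfully processed 3 files"; without `/t` only the named folder is processed. Either add the switch, `icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t`, or drop "recursively" and correct the expected output. The test is still titled "cacls" although it now launches icacls, so anyone using it to validate a detection keyed on cacls.exe process creation will see no match; renaming it to "icacls" keeps the index accurate. No cleanup command is added in this hunk, so the Full Control grant for `Everyone` appears to stay on the folder after the run.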
@@ -140,115 +135,41 @@ Modifies the filesystem permissions of the specified folder and contents to allo
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder to change permissions. | path | PathToAtomicsFolder\T1222|
-| user_or_group | User or group to allow full control | string | Everyone|
+| file_or_folder | Path of the file or folder remove attribute. | path | %temp%\T1222_attrib|
#### Attack Commands: Run with `command_prompt`!
```cmd
-cacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
+attrib.exe -r #{file_or_folder}\*.* /s
```
-
-
-
-
-
-## Atomic Test #5 - icacls - Grant permission to specified user or group
-Modifies the filesystem permissions of the specified file or folder to allow the specified user or group Full Control.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder to change permissions. | path | PathToAtomicsFolder\T1222\T1222.yaml|
-| user_or_group | User or group to allow full control | string | Everyone|
-
-
-#### Attack Commands: Run with `command_prompt`!
-
-
+#### Dependencies: Run with `command_prompt`!
+##### Description: Test requrires a file to modify to be located at (#{file_or_folder})
+##### Check Prereq Commands:
```cmd
-icacls.exe #{file_or_folder} /grant #{user_or_group}:F
+IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
```
-
-
-
-
-
-
-
-
-
-## Atomic Test #6 - icacls - Grant permission to specified user or group recursively
-Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder to change permissions. | path | PathToAtomicsFolder\T1222|
-| user_or_group | User or group to allow full control | string | Everyone|
-
-
-#### Attack Commands: Run with `command_prompt`!
-
-
+##### Get Prereq Commands:
```cmd
-icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
+mkdir #{file_or_folder}
+echo T1222_attrib1 >> #{file_or_folder}\T1222_attrib1.txt
+echo T1222_attrib2 >> #{file_or_folder}\T1222_attrib2.txt
+attrib.exe +r #{file_or_folder}\T1222_attrib1.txt
+attrib.exe +r #{file_or_folder}\T1222_attrib2.txt
```
-
-
-## Atomic Test #7 - attrib - Remove read-only attribute
-Removes the read-only attribute from a file or folder using the attrib.exe command.
-
-**Supported Platforms:** Windows
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| file_or_folder | Path of the file or folder remove attribute. | path | PathToAtomicsFolder\T1222|
-
-
-#### Attack Commands: Run with `command_prompt`!
-
-
-```cmd
-attrib.exe -r #{file_or_folder}
-```
-
-
-
-
-
-
-
-
-
-## Atomic Test #8 - chmod - Change file or folder mode (numeric mode)
+## Atomic Test #4 - chmod - Change file or folder mode (numeric mode)
Changes a file or folder's permissions using chmod and a specified numeric mode.
**Supported Platforms:** macOS, Linux
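Review bot: The input description for `file_or_folder` in Atomic Test #3 still reads "Path of the file or folder remove attribute", but the command is now `attrib.exe -r #{file_or_folder}\*.* /s`, which only works when the input is a folder. I would change the description to `Path of the folder whose files will have the read-only attribute removed.` The prerequisite check only tests that the folder exists, so after one run the files are no longer read-only and a second run passes the check but changes nothing; re-applying `attrib.exe +r #{file_or_folder}\*.* /s` in a cleanup step would make the test repeatable. "Prperties" in the description should be "Properties".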
@@ -278,7 +199,7 @@ chmod #{numeric_mode} #{file_or_folder}
-## Atomic Test #9 - chmod - Change file or folder mode (symbolic mode)
+## Atomic Test #5 - chmod - Change file or folder mode (symbolic mode)
Changes a file or folder's permissions using chmod and a specified symbolic mode.
**Supported Platforms:** macOS, Linux
@@ -308,7 +229,7 @@ chmod #{symbolic_mode} #{file_or_folder}
-## Atomic Test #10 - chmod - Change file or folder mode (numeric mode) recursively
+## Atomic Test #6 - chmod - Change file or folder mode (numeric mode) recursively
Changes a file or folder's permissions recursively using chmod and a specified numeric mode.
**Supported Platforms:** macOS, Linux
@@ -338,7 +259,7 @@ chmod #{numeric_mode} #{file_or_folder} -R
-## Atomic Test #11 - chmod - Change file or folder mode (symbolic mode) recursively
+## Atomic Test #7 - chmod - Change file or folder mode (symbolic mode) recursively
Changes a file or folder's permissions recursively using chmod and a specified symbolic mode.
**Supported Platforms:** macOS, Linux
@@ -368,7 +289,7 @@ chmod #{symbolic_mode} #{file_or_folder} -R
-## Atomic Test #12 - chown - Change file or folder ownership and group
+## Atomic Test #8 - chown - Change file or folder ownership and group
Changes a file or folder's ownership and group information using chown.
**Supported Platforms:** macOS, Linux
@@ -399,7 +320,7 @@ chown #{owner}:#{group} #{file_or_folder}
-## Atomic Test #13 - chown - Change file or folder ownership and group recursively
+## Atomic Test #9 - chown - Change file or folder ownership and group recursively
Changes a file or folder's ownership and group information recursively using chown.
**Supported Platforms:** macOS, Linux
@@ -430,7 +351,7 @@ chown #{owner}:#{group} #{file_or_folder} -R
-## Atomic Test #14 - chown - Change file or folder mode ownership only
+## Atomic Test #10 - chown - Change file or folder mode ownership only
Changes a file or folder's ownership only using chown.
**Supported Platforms:** macOS, Linux
@@ -460,7 +381,7 @@ chown #{owner} #{file_or_folder}
-## Atomic Test #15 - chown - Change file or folder ownership recursively
+## Atomic Test #11 - chown - Change file or folder ownership recursively
Changes a file or folder's ownership only recursively using chown.
**Supported Platforms:** macOS, Linux
@@ -490,7 +411,7 @@ chown #{owner} #{file_or_folder} -R
-## Atomic Test #16 - chattr - Remove immutable file attribute
+## Atomic Test #12 - chattr - Remove immutable file attribute
Remove's a file's `immutable` attribute using `chattr`.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.