Tony M Lambert
356 lines
9.0 KiB
YAML
356 lines
9.0 KiB
YAML
---
|
|
attack_technique: T1222
|
|
display_name: File Permissions Modification
|
|
|
|
atomic_tests:
|
|
- name: Take ownership using takeown utility
|
|
description: |
|
|
Modifies the filesystem permissions of the specified file or folder to take ownership of the object.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
file_folder_to_own:
|
|
description: Path of the file or folder for takeown to take ownership.
|
|
type: path
|
|
default: C:\AtomicRedTeam\atomics\T1222\T1222.yaml
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
takeown.exe /f #{file_folder_to_own}
|
|
|
|
- name: Take ownership recursively using takeown utility
|
|
description: |
|
|
Modifies the filesystem permissions of the specified folder to take ownership of it and its contents.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
folder_to_own:
|
|
description: Path of the folder for takeown to take ownership.
|
|
type: path
|
|
default: C:\AtomicRedTeam\atomics\T1222
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
takeown.exe /f #{folder_to_own} /r
|
|
|
|
- name: cacls - Grant permission to specified user or group
|
|
description: |
|
|
Modifies the filesystem permissions of the specified file or folder to allow the specified user or group Full Control.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder to change permissions.
|
|
type: path
|
|
default: C:\AtomicRedTeam\atomics\T1222\T1222.yaml
|
|
user_or_group:
|
|
description: User or group to allow full control
|
|
type: string
|
|
default: Everyone
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
cacls.exe #{file_or_folder} /grant #{user_or_group}:F
|
|
|
|
- name: cacls - Grant permission to specified user or group recursively
|
|
description: |
|
|
Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder to change permissions.
|
|
type: path
|
|
default: C:\AtomicRedTeam\atomics\T1222
|
|
user_or_group:
|
|
description: User or group to allow full control
|
|
type: string
|
|
default: Everyone
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
cacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
|
|
|
|
- name: icacls - Grant permission to specified user or group
|
|
description: |
|
|
Modifies the filesystem permissions of the specified file or folder to allow the specified user or group Full Control.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder to change permissions.
|
|
type: path
|
|
default: C:\AtomicRedTeam\atomics\T1222\T1222.yaml
|
|
user_or_group:
|
|
description: User or group to allow full control
|
|
type: string
|
|
default: Everyone
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
icacls.exe #{file_or_folder} /grant #{user_or_group}:F
|
|
|
|
- name: icacls - Grant permission to specified user or group recursively
|
|
description: |
|
|
Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder to change permissions.
|
|
type: path
|
|
default: C:\AtomicRedTeam\atomics\T1222
|
|
user_or_group:
|
|
description: User or group to allow full control
|
|
type: string
|
|
default: Everyone
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
|
|
|
|
- name: attrib - Remove read-only attribute
|
|
description: |
|
|
Removes the read-only attribute from a file or folder using the attrib.exe command.
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder remove attribute.
|
|
type: path
|
|
default: C:\AtomicRedTeam\atomics\T1222
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
attrib.exe -r #{file_or_folder}
|
|
|
|
- name: chmod - Change file or folder mode (numeric mode)
|
|
description: |
|
|
Changes a file or folder's permissions using chmod and a specified numeric mode.
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder
|
|
type: path
|
|
default: /tmp/AtomicRedTeam/atomics/T1222
|
|
numeric_mode:
|
|
description: Specified numeric mode value
|
|
type: string
|
|
default: 755
|
|
|
|
executor:
|
|
name: bash
|
|
command: |
|
|
chmod #{numeric_mode} #{file_or_folder}
|
|
|
|
- name: chmod - Change file or folder mode (symbolic mode)
|
|
description: |
|
|
Changes a file or folder's permissions using chmod and a specified symbolic mode.
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder
|
|
type: path
|
|
default: /tmp/AtomicRedTeam/atomics/T1222
|
|
symbolic_mode:
|
|
description: Specified symbolic mode value
|
|
type: string
|
|
default: a+w
|
|
|
|
executor:
|
|
name: bash
|
|
command: |
|
|
chmod #{symbolic_mode} #{file_or_folder}
|
|
|
|
- name: chmod - Change file or folder mode (numeric mode) recursively
|
|
description: |
|
|
Changes a file or folder's permissions recursively using chmod and a specified numeric mode.
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder
|
|
type: path
|
|
default: /tmp/AtomicRedTeam/atomics/T1222
|
|
numeric_mode:
|
|
description: Specified numeric mode value
|
|
type: string
|
|
default: 755
|
|
|
|
executor:
|
|
name: bash
|
|
command: |
|
|
chmod #{numeric_mode} #{file_or_folder} -R
|
|
|
|
- name: chmod - Change file or folder mode (symbolic mode) recursively
|
|
description: |
|
|
Changes a file or folder's permissions recursively using chmod and a specified symbolic mode.
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder
|
|
type: path
|
|
default: /tmp/AtomicRedTeam/atomics/T1222
|
|
symbolic_mode:
|
|
description: Specified symbolic mode value
|
|
type: string
|
|
default: a+w
|
|
|
|
executor:
|
|
name: bash
|
|
command: |
|
|
chmod #{symbolic_mode} #{file_or_folder} -R
|
|
|
|
- name: chown - Change file or folder ownership and group
|
|
description: |
|
|
Changes a file or folder's ownership and group information using chown.
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder
|
|
type: path
|
|
default: /tmp/AtomicRedTeam/atomics/T1222/T1222.yaml
|
|
owner:
|
|
description: Username of desired owner
|
|
type: string
|
|
default: root
|
|
group:
|
|
description: Group name of desired group
|
|
type: string
|
|
default: root
|
|
|
|
executor:
|
|
name: bash
|
|
command: |
|
|
chown #{owner}:#{group} #{file_or_folder}
|
|
|
|
- name: chown - Change file or folder ownership and group recursively
|
|
description: |
|
|
Changes a file or folder's ownership and group information recursively using chown.
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder
|
|
type: path
|
|
default: /tmp/AtomicRedTeam/atomics/T1222
|
|
owner:
|
|
description: Username of desired owner
|
|
type: string
|
|
default: root
|
|
group:
|
|
description: Group name of desired group
|
|
type: string
|
|
default: root
|
|
|
|
executor:
|
|
name: bash
|
|
command: |
|
|
chown #{owner}:#{group} #{file_or_folder} -R
|
|
|
|
- name: chown - Change file or folder mode ownership only
|
|
description: |
|
|
Changes a file or folder's ownership only using chown.
|
|
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder
|
|
type: path
|
|
default: /tmp/AtomicRedTeam/atomics/T1222/T1222.yaml
|
|
owner:
|
|
description: Username of desired owner
|
|
type: string
|
|
default: root
|
|
|
|
executor:
|
|
name: bash
|
|
command: |
|
|
chown #{owner} #{file_or_folder}
|
|
|
|
- name: chown - Change file or folder ownership recursively
|
|
description: |
|
|
Changes a file or folder's ownership only recursively using chown.
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
input_arguments:
|
|
file_or_folder:
|
|
description: Path of the file or folder
|
|
type: path
|
|
default: /tmp/AtomicRedTeam/atomics/T1222
|
|
owner:
|
|
description: Username of desired owner
|
|
type: string
|
|
default: root
|
|
|
|
executor:
|
|
name: bash
|
|
command: |
|
|
chown #{owner} #{file_or_folder} -R
|
|
|
|
- name: chattr - Remove immutable file attribute
|
|
description: |
|
|
Remove's a file's `immutable` attribute using `chattr`.
|
|
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
|
|
supported_platforms:
|
|
- macos
|
|
- linux
|
|
|
|
input_arguments:
|
|
file_to_modify:
|
|
description: Path of the file
|
|
type: path
|
|
default: /var/spool/cron/root
|
|
|
|
executor:
|
|
name: sh
|
|
command: |
|
|
chattr -i #{file_to_modify}
|