Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Techniques Addressed by Mitigation
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548 | Abuse Elevation Control Mechanism | The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.
Enterprise | T1548.003 | Sudo and Sudo Caching | The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.
Enterprise | T1098.004 | Account Manipulation: SSH Authorized Keys | Restrict access to the
Enterprise | T1547.003 | Boot or Logon Autostart Execution: Time Providers | Consider using Group Policy to configure and block additions/modifications to W32Time DLLs. [1]
Enterprise | T1547.011 | Boot or Logon Autostart Execution: Plist Modification | Prevent plist files from being modified by users by making them read-only.
Enterprise | T1037 | Boot or Logon Initialization Scripts | Restrict write access to logon scripts to specific administrators.
Enterprise | T1037.002 | Logon Script (Mac) | Restrict write access to logon scripts to specific administrators.
Enterprise | T1037.003 | Network Logon Script | Restrict write access to logon scripts to specific administrators.
Enterprise | T1037.005 | Startup Items | Since StartupItems are deprecated, preventing all users from writing to the
Enterprise | T1037.004 | Rc.common | Limit privileges of user accounts so only authorized users can edit the rc.common file.
Enterprise | T1543 | Create or Modify System Process | Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services.
Enterprise | T1543.002 | Systemd Service | Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.
Enterprise | T1530 | Data from Cloud Storage Object | Use access control lists on storage systems and objects.
Enterprise | T1565 | Data Manipulation | Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.
Enterprise | T1565.001 | Stored Data Manipulation | Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.
Enterprise | T1565.003 | Runtime Data Manipulation | Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code.
Enterprise | T1546.004 | Event Triggered Execution: .bash_profile and .bashrc | Making these files immutable and only changeable by certain administrators will limit the ability of adversaries to easily create user-level persistence.
Enterprise | T1546.013 | Event Triggered Execution: PowerShell Profile | Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability of adversaries to easily create user-level persistence.
Enterprise | T1222 | File and Directory Permissions Modification | Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.
Enterprise | T1222.001 | Windows File and Directory Permissions Modification | Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.
Enterprise | T1222.002 | Linux and Mac File and Directory Permissions Modification | Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.
Enterprise | T1564.004 | Hide Artifacts: NTFS File Attributes | Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. [2]
Enterprise | T1574 | Hijack Execution Flow | Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders.
Enterprise | T1574.009 | Path Interception by Unquoted Path | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory
Enterprise | T1574.007 | Path Interception by PATH Environment Variable | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory
Enterprise | T1574.008 | Path Interception by Search Order Hijacking | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory
Enterprise | T1574.002 | DLL Side-Loading | Install software in write-protected locations.
Enterprise | T1574.004 | Dylib Hijacking | Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders.
Enterprise | T1562 | Impair Defenses | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security/logging services.
Enterprise | T1562.001 | Disable or Modify Tools | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.
Enterprise | T1562.002 | Disable Windows Event Logging | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging.
Enterprise | T1562.004 | Disable or Modify System Firewall | Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings.
Enterprise | T1562.006 | Indicator Blocking | Ensure event tracers/forwarders [3], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls.
Enterprise | T1070 | Indicator Removal on Host | Protect locally stored event files with proper permissions and authentication, and limit adversaries' ability to increase privileges by preventing Privilege Escalation opportunities.
Enterprise | T1070.001 | Clear Windows Event Logs | Protect locally stored event files with proper permissions and authentication, and limit adversaries' ability to increase privileges by preventing Privilege Escalation opportunities.
Enterprise | T1070.002 | Clear Linux or Mac System Logs | Protect locally stored event files with proper permissions and authentication, and limit adversaries' ability to increase privileges by preventing Privilege Escalation opportunities.
Enterprise | T1070.003 | Clear Command History | Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their
Enterprise | T1036 | Masquerading | Use file system access controls to protect folders such as C:\Windows\System32.
Enterprise | T1036.003 | Rename System Utilities | Use file system access controls to protect folders such as C:\Windows\System32.
Enterprise | T1036.005 | Match Legitimate Name or Location | Use file system access controls to protect folders such as C:\Windows\System32.
Enterprise | T1055.009 | Process Injection: Proc Memory | Restrict the permissions on sensitive files such as
Enterprise | T1563.001 | Remote Service Session Hijacking: SSH Hijacking | Ensure proper file permissions are set and harden the system to prevent root privilege escalation opportunities.
Enterprise | T1053.006 | Scheduled Task/Job: Systemd Timers | Restrict read/write access to systemd
Enterprise | T1489 | Service Stop | Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.
Enterprise | T1218.002 | Signed Binary Proxy Execution: Control Panel | Restrict storage and execution of Control Panel items to protected directories, such as
Enterprise | T1553.003 | Subvert Trust Controls: SIP and Trust Provider Hijacking | Restrict storage and execution of SIP DLLs to protected directories, such as C:\Windows, rather than user directories.
Enterprise | T1569 | System Services | Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.
Enterprise | T1569.002 | Service Execution | Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.
Enterprise | T1080 | Taint Shared Content | Protect shared folders by minimizing the number of users who have write access.
Enterprise | T1552 | Unsecured Credentials | Restrict file shares to specific directories with access only to necessary users.
Enterprise | T1552.001 | Credentials In Files | Restrict file shares to specific directories with access only to necessary users.
Enterprise | T1552.004 | Private Keys | Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access.