Windows File Permissions Modification¶
File permissions are commonly managed by discretionary access control lists (DACLs) specified by the file owner. Adversaries may modify file permissions/attributes to evade intended DACLs.
| id: | a099cb16-1a92-4503-9102-56cc84a51ad1 |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Defense Evasion |
|---|---|
| techniques: | T1222 File Permissions Modification |
Query¶
process where subtype.create and (
process_name == "attrib.exe" and command_line == "* +h*" or
process_name == "takeown.exe" or
process_name == "icacls.exe" and command_line == "*grant*"
)