File and Directory Permissions Modification: Modifying File and Directory Permissions (Linux and Mac)
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: `chown` (short for change owner), and `chmod` (short for change mode).
Adversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Unix Shell Configuration Modification or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.(Citation: 20 macOS Common Tools and Techniques)
Procedure Examples

Name | Description |
---|---|
TeamTNT | TeamTNT has modified the permissions on binaries with |
OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via |
P.A.S. Webshell | P.A.S. Webshell has the ability to modify file permissions.(Citation: ANSSI Sandworm January 2021) |
Kinsing | Kinsing has used `chmod` to modify permissions on key files for use.(Citation: Aqua Kinsing April 2020) |
OSX/Shlayer | OSX/Shlayer can use the |
COATHANGER | COATHANGER will set the GID of `httpsd` to 90 when infected.(Citation: NCSC-NL COATHANGER Feb 2024) |
Black Basta | The Black Basta binary can use `chmod` to gain full permissions to targeted files.(Citation: Uptycs Black Basta ESXi June 2022) |
Dok | Dok gives all users execute permissions for the application using the command |
KV Botnet Activity | KV Botnet Activity altered permissions on downloaded tools and payloads to enable execution on victim machines.(Citation: Lumen KVBotnet 2023) |
XCSSET | XCSSET uses the |
Rocke | Rocke has changed file permissions of files so they could not be modified.(Citation: Anomali Rocke March 2019) |
APT32 | APT32's macOS backdoor changes the permission of the file it wants to execute to 755.(Citation: ESET OceanLotus macOS April 2019) |
Penquin | Penquin can add the executable flag to a downloaded file.(Citation: Leonardo Turla Penquin May 2020) |
Bundlore | Bundlore changes the permissions of a payload using the command |
Mitigations

Mitigation | Description |
---|---|
Restrict File and Directory Permissions | Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
Privileged Account Management | Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root. |
Detection
Monitor and investigate attempts to modify ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. Commonly abused command arguments include `chmod +x`, `chmod -R 755`, and `chmod 777`.(Citation: 20 macOS Common Tools and Techniques)
Consider enabling file/directory permission change auditing on folders containing key binary/configuration files.
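The check described above, as an added example that is not part of the original page: matching the literal strings `chmod +x` or `chmod 777` misses equivalent forms such as `0777` or `a+rwx`, so this Python example classifies the mode argument itself, covering more forms than the three listed. The label names and the sample command lines are constructed for illustration.

```python
import re
import shlex

# One symbolic clause: optional who (ugoa), operator, permission letters.
CLAUSE = re.compile(r"([ugoa]*)([+=-])([rwxXst]*)")
# Octal masks: any execute bit, write for "other", setuid or setgid.
MASKS = {"sets-execute": 0o111, "world-writable": 0o002, "setuid-or-setgid": 0o6000}

def mode_labels(mode):
    """Labels for a single chmod mode argument, octal or symbolic."""
    if re.fullmatch(r"[0-7]{1,4}", mode):
        return {name for name, mask in MASKS.items() if int(mode, 8) & mask}
    labels = set()
    for clause in mode.split(","):
        m = CLAUSE.fullmatch(clause)
        if not m or m.group(2) == "-":
            continue  # unparsable, or only removes bits
        who, perms = m.group(1), m.group(3)
        if "x" in perms:
            labels.add("sets-execute")
        # With no explicit who the umask filters the change, so only an
        # explicit o or a counts as granting write to everyone.
        if "w" in perms and set(who) & {"o", "a"}:
            labels.add("world-writable")
        if "s" in perms:
            labels.add("setuid-or-setgid")
    return labels

def classify(cmdline):
    """Return sorted labels for one process command line ([] if not chmod)."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "chmod":
        return []
    # "-x" and "-w" are modes, not options: skip anything that parses as a clause.
    opts = [a for a in argv[1:] if a.startswith("-") and not CLAUSE.fullmatch(a)]
    rest = [a for a in argv[1:] if a not in opts]
    labels = mode_labels(rest[0]) if rest else set()
    if any(o == "--recursive" or (o[:2] != "--" and "R" in o) for o in opts):
        labels.add("recursive")
    return sorted(labels)

# Constructed sample command lines, as process-execution telemetry might record them.
SAMPLES = ["chmod +x /tmp/payload", "/bin/chmod -R 755 /opt/app",
           "chmod 0777 /srv/upload", "chmod a+rwx /srv/upload",
           "chmod 644 /etc/motd", "ls -l /tmp"]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line:32} -> {classify(line)}")
```

An empty result means the command line is not a `chmod` call or only sets or removes bits that none of the labels cover; labelled events are candidates to compare against the host's baseline, not alerts on their own.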
References
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018.
- Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018.
- Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
- Phil Stokes. (2020, December 2). APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique. Retrieved September 13, 2021.
- ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
- Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
- Jaron Bradley. (2021, April 26). Shlayer malware abusing Gatekeeper bypass on macOS. Retrieved September 22, 2021.
- Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
- Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
- Sharma, S. and Hegde, N. (2022, June 7). Black basta Ransomware Goes Cross-Platform, Now Targets ESXi Systems. Retrieved March 8, 2023.
- Ofer Caspi. (2017, May 4). OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic. Retrieved October 5, 2021.
- Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.