Common Information
| Type | Value |
|---|---|
| Value |
File and Directory Permissions Modification - T1222 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.). Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). Adversaries may also change permissions of symbolic links. For example, malware (particularly ransomware) may modify symbolic links and associated settings to enable access to files from local shortcuts with remote paths.(Citation: new_rust_based_ransomware)(Citation: bad_luck_blackcat)(Citation: falconoverwatch_blackcat_attack)(Citation: blackmatter_blackcat)(Citation: fsutil_behavior) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2024-11-14 | 72 | Weekly Intelligence Report - 15 Nov 2024 | #ransomware | #cybercrime | National Cyber Security Consulting | ||
| Details | Website | 2024-11-07 | 63 | Weekly Intelligence Report - 08 Nov 2024 | #ransomware | #cybercrime | National Cyber Security Consulting | ||
| Details | Website | 2024-11-01 | 43 | Ngioweb Remains Active 7 Years Later | ||
| Details | Website | 2024-11-01 | 62 | Weekly Intelligence Report - 01 Nov 2024 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting | ||
| Details | Website | 2024-10-18 | 44 | Weekly Intelligence Report - 18 Oct 2024 | #ransomware | #cybercrime | National Cyber Security Consulting | ||
| Details | Website | 2024-10-17 | 42 | New macOS vulnerability, “HM Surf”, could lead to unauthorized data access | ||
| Details | Website | 2024-10-11 | 71 | Weekly Intelligence Report - 11 Oct 2024 | #ransomware | #cybercrime | National Cyber Security Consulting | ||
| Details | Website | 2024-10-10 | 9 | AhnLab EDR을 활용한 BPFDoor 리눅스 악성코드 탐지 - ASEC | ||
| Details | Website | 2024-10-09 | 9 | BPFDoor Linux Malware Detected by AhnLab EDR - ASEC | ||
| Details | Website | 2024-09-30 | 27 | Threat Intelligence Report 24th September – 30th September 2024 | ||
| Details | Website | 2024-09-27 | 123 | Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse — Elastic Security Labs | ||
| Details | Website | 2024-09-20 | 29 | How Ransomhub Ransomware Uses EDRKillShifter to Disable EDR and Antivirus Protections | ||
| Details | Website | 2024-09-12 | 13 | Emulating the Persistent and Stealthy Ebury Linux Malware | ||
| Details | Website | 2024-09-04 | 71 | AZORult Malware: Technical Analysis - ANY.RUN's Cybersecurity Blog | ||
| Details | Website | 2024-08-29 | 34 | DNS Early Detection - Malicious Trojan Installers for WINSCP and PUTTY - Breaking the Kill Chain | Infoblox | ||
| Details | Website | 2024-07-05 | 12 | Turning Jenkins Into a Cryptomining Machine From an Attackers Perspective | ||
| Details | Website | 2024-06-01 | 48 | Ngioweb Remains Active 7 Years Later | ||
| Details | Website | 2024-03-06 | 59 | Тень пентестера: эксперты F.A.C.C.T. исследовали неизвестные атаки вымогателей Shadow | ||
| Details | Website | 2024-01-04 | 63 | ATT&CK을 이용해 스스로 평가하기(APT3, Second Scenario) | ||
| Details | Website | 2023-11-06 | 42 | Rapid7-Observed Exploitation of Atlassian Confluence CVE-2023-22518 | Rapid7 Blog | ||
| Details | Website | 2023-11-06 | 203 | SideCopy’s Multi-platform Onslaught: Leveraging WinRAR Zero-Day and Linux Variant of Ares RAT - Blogs on Information Technology, Network & Cybersecurity | Seqrite | ||
| Details | Website | 2023-10-31 | 72 | Unveiling the Dark Side: A Deep Dive into Active Ransomware Families | ||
| Details | Website | 2023-10-25 | 94 | A pirated program downloaded from a torrent site infected hundreds of thousands of users | ||
| Details | Website | 2023-08-23 | 70 | Malware-as-a-Service: Redline Stealer Variants Demonstrate a Low-Barrier-to-Entry Threat | ||
| Details | Website | 2023-07-27 | 50 | Dark Web Profile: 8Base Ransomware |