File and Directory Permissions Modification (T1222)

View on ATT&CK

In Playbook

Associated Tactics

  • Defense Evasion

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.

View on ATT&CK

Procedure Examples

Description Source(s)
Falcon OverWatch Team. (2022, March 23). Falcon OverWatch Threat Hunting Contributes to Seamless Protection Against Novel BlackCat Attack. Retrieved May 5, 2022. falconoverwatch_blackcat_attack
Hybrid Analysis. (2018, June 12). c9b65b764985dfd7a11d3faf599c56b8.exe. Retrieved August 19, 2018. Hybrid Analysis Icacls1 June 2018
Hybrid Analysis. (2018, May 30). 2a8efbfadd798f6111340f7c1c956bee.dll. Retrieved August 19, 2018. Hybrid Analysis Icacls2 May 2018
Kaspersky Global Research & Analysis Team (GReAT). (2022). A Bad Luck BlackCat. Retrieved May 5, 2022. bad_luck_blackcat
Microsoft. (2021, September 27). fsutil behavior. Retrieved January 14, 2022. fsutil_behavior
Netsurion. (2014, February 19). Monitoring File Permission Changes with the Windows Security Log. Retrieved August 19, 2018. EventTracker File Permissions Feb 2014
Pereira, T. Huey, C. (2022, March 17). From BlackMatter to BlackCat: Analyzing two attacks from one affiliate. Retrieved May 5, 2022. blackmatter_blackcat
Symantec Threat Hunter Team. (2021, December 16). Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware. Retrieved January 14, 2022. new_rust_based_ransomware