Details

• ID: CM0003
• Version: 1.0
• Created: 14 March 2025
• Modified: 14 March 2025
• Type: Enable
• Status: Active

Intended Outcome

Configuring file and directory permissions blocks adversary privilege escalation using lax permissions.

Introduction

Critical system files and directories play an integral part in the processes and functions of a system. The specific files and directories will vary by operating system. Examples include:Windows: C:\Windows\System32\\*, C:\Windows\system.ini, C:\config.syLinux: /etc/\, /sbin/\, /bin/\, /lib/system/\, /boot/\*Mac: ~/System/\, /sbin/\, /Library/\, /bin/\

Preparation

1. Establish and review the baseline of file permissions.
2. Ensure access to an operating system-appropriate file permission viewer.
3. Identify which files you wish to verify the permissions of, which may involve finding/creating a list of critical system files and directories.

Risks

• Corrupting or deleting critical system files can lead to system failures.
• Incorrect identification of a malicious permission allows the adversary to continue to operate, while incorrect identification of a legitimate permission can break legitimate functionality. A baseline of legitimate permissions for files can reduce the
likelihood of implementation errors.

Guidance

The Reference section lists some of the most popular tools for file permission verification and configuration (grouped by operating system). Please consult the associated manuals for usage guidance.

References

• Center for Internet Security (CIS) Benchmarks | https://learn.microsoft.com/en-us/compliance/regulatory/offering-CIS-Benchmark
• Security baselines | https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines

Windows

• Find and open File Explorer | https://support.microsoft.com/en-us/windows/find-and-open-file-explorer-ef370130-1cca-9dc5-e0df-2f7416fe1cb1
• NTFSSecurity 4.2.4 | https://www.powershellgallery.com/packages/NTFSSecurity/4.2.4
• AccessChk v6.15 | https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk
• AccessEnum v1.35 | https://learn.microsoft.com/en-us/sysinternals/downloads/accessenum
• icacls | https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
• 4670(S): Permissions on an object were changed | https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4670
• Sysinternals Utilities Index | https://learn.microsoft.com/en-us/sysinternals/downloads/
• Description of the Windows File Protection feature | https://support.microsoft.com/en-us/topic/description-of-the-windows-file-protection-feature-db28f515-6512-63d1-6178-982ed2022ffb
• What is the System32 Directory? (and Why You Shouldn't Delete It) | https://www.howtogeek.com/346997/what-is-the-system32-directory-and-why-you-shouldnt-delete-it/
• Use the System File Checker tool to repair missing or corrupted system files | https://support.microsoft.com/en-us/topic/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files-79aa86cb-ca52-166a-92a3-966e85d4094e
• File Integrity Monitoring in Microsoft Defender for Cloud | https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-overview

Linux

• ls(1) Linux manual page | https://www.man7.org/linux/man-pages/man1/ls.1.html
• stat(2) Linux manual page | https://www.man7.org/linux/man-pages/man2/stat.2.html
• GNOME/Nautilus | https://github.com/GNOME/nautilus
• Dolphin | https://userbase.kde.org/Dolphin

MacOS

• Organize your files in the Finder on Mac | https://support.apple.com/guide/mac-help/organize-your-files-in-the-finder-mchlp2605/mac
• How to gain access to the System folder on your Mac? | https://macpaw.com/how-to/access-system-folder-mac