Windows File and Directory Permissions Modification
Last updated
Last updated
Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs). Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.
Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, PowerShell provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Accessibility Features, Boot or Logon Initialization Scripts, or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.
Example:
Some great examples on Permissions modifications we encounter in some assessments. Let's check the following example.
We have a "Permissions" folder that our current user dwinchester has no permissions in.
No permissions to view as well.
So here we can use these tools icacls, cacls, takeown and attrib just to not exaggerate on the tools I will demonstrate how an adversary can gain permission once someone has elevated privileges or is the correct user.
I have DENY permission even with a Local Administrator Account so I will take some steps to change the user permissions.
Takeown
Icacls
Then we finally have managed to give ourselves and user the permissions necessary to modify the folder.
A simple demonstration on how we can modify folder permissions as mentioned previously we can use this technique for various other techniques. Persistence, Defense Evasion, hijack Execution Flow and others.
