文件和目录权限修改指攻击者通过变更文件系统对象的访问控制设置,绕过安全策略获取未授权访问权限。该技术常被用于持久化驻留、防御规避或数据篡改等攻击阶段,涉及ACL修改、属主变更、继承属性调整等操作。防御方通常通过审计权限变更日志(如Windows事件ID 4670)、监控系统工具(如icacls、chmod)的使用行为,以及实施文件完整性监控(FIM)等手段进行检测。
为规避传统检测机制对显式权限变更的监控,攻击者发展出多维度隐匿策略,通过权限操作的间接化、时序化和路径化改造,将恶意权限调整行为嵌入系统合法操作流中,形成具备低信噪比特性的新型攻击范式。
当前权限修改匿迹技术的核心在于重构权限变更的时空特征与操作上下文。隐蔽继承权限注入技术利用文件系统继承机制的合法特性,将攻击痕迹分散到目录层级结构中,通过父目录ACL的微调引发子对象权限的级联变更;时间戳同步权限篡改通过精确的时间窗口控制,使恶意操作融入系统维护周期;最小权限提升路径构造则采用分形权限跃迁策略,通过多个低风险操作的组合达成最终攻击目的。三类技术的共性体现在:① 操作过程与系统正常行为的深度耦合,利用合法管理流程作为掩护;② 攻击效果的延时性与间接性,避免即时触发检测规则;③ 权限变更粒度的微量化,单个操作符合最小权限原则的合规特征。这些特性使得基于规则匹配或单事件分析的防御机制难以有效识别攻击链。
匿迹技术的演进导致传统日志审计与文件监控方案的检出率大幅下降,防御方需采用权限变更图谱分析、时序行为建模等技术,结合用户实体行为分析(UEBA)识别异常权限操作链,并强化对继承权限和隐式访问路径的监控能力。
| 效应类型 | 是否存在 |
|---|---|
| 特征伪装 | ✅ |
| 行为透明 | ✅ |
| 数据遮蔽 | ✅ |
| 时空释痕 | ✅ |
攻击者通过模拟合法权限管理操作实现特征隐匿。例如将恶意ACL修改指令嵌入系统管理工具的正常使用流程(如使用powershell执行合规的ACL调整脚本),或伪造符合业务需求的权限变更理由(如伪装成数据迁移所需的临时权限开放)。这使得权限变更行为在日志中呈现为常规管理操作特征。
通过权限操作链的时序解耦与上下文伪装,使单个权限变更事件在行为层面具备合理性。例如在系统更新期间同步修改权限,利用管理员账户的正常活动掩盖恶意操作,导致防御方难以从海量合法事件中识别异常行为序列。
采用日志混淆技术对抗审计分析,包括使用原始API调用绕过高层工具日志记录、加密权限变更操作指令,或修改安全日志的ACL设置阻止审计数据采集。部分高级攻击者甚至直接操作文件系统元数据,清除特定权限变更记录。
通过低频分布式权限调整策略,将集中式权限提升操作拆解为跨越数周的多节点微调。例如在不同服务器上每月执行1次低风险权限变更,使得全局攻击链的特征浓度被稀释在运维活动的时空维度中。
| ID | Mitigation | Description |
|---|---|---|
| M1026 | Privileged Account Management |
Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users nor will inhibit system functionality. |
| M1022 | Restrict File and Directory Permissions |
Applying more restrictive permissions to files and directories could prevent adversaries from modifying their access control lists. Additionally, ensure that user settings regarding local and remote symbolic links are properly set or disabled where unneeded.[1] |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0026 | Active Directory | Active Directory Object Modification |
Monitor for changes made to ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
| DS0017 | Command | Command Execution |
Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
| DS0022 | File | File Metadata |
Monitor and investigate attempts to modify ACLs and file/directory ownership. |
| DS0009 | Process | Process Creation |
Monitor for newly executed processes that may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.[2][3] |