MITRE ATT&CK® Detection Strategy

DET0299: Multi-Platform File and Directory Permissions Modification Detection Strategy

Enterprise | DET0299 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is relevant because permission changes to files and directories can weaken access controls and help an adversary reach protected data or impair defenses. Although the ATT&CK detection strategy object itself has no official description or detection text, its relationship to T1222 confirms the defensive focus: monitoring for suspicious file and directory permission or attribute modifications across the related platforms ESXi, Linux, macOS, and Windows.

Executive priority

Treat this as a control-validation topic for operational resilience and audit readiness: leaders should ask whether security teams can prove visibility into permission changes on critical systems, sensitive data paths, administrative tooling, and defense-related files. The business risk is not the permission change alone, but the possibility that unauthorized or abnormal changes undermine access control assumptions, complicate incident response, or create gaps in compliance evidence.

Technical view

SOC and detection engineering teams should validate coverage against ATT&CK technique T1222, File and Directory Permissions Modification, under the defense-impairment tactic. Because DET0299 provides no official analytic logic, teams should build local detections around high-risk permission or attribute changes, especially where the actor, target path, timing, and resulting access level are unusual. Detection quality will depend on platform-specific audit sources and the ability to distinguish normal administration, software deployment, backup activity, and policy enforcement from suspicious changes.

Likely telemetry

  • File and directory permission or attribute change events
  • Operating system audit logs for ACL or mode changes
  • Administrative command execution logs related to permission modification
  • Endpoint detection and response file activity telemetry
  • Change-management or configuration-management records for expected permission updates

Detection direction

  • Map DET0299 to T1222 coverage and document which related platforms are in scope: ESXi, Linux, macOS, and Windows.
  • Prioritize detection on permission changes affecting sensitive files, protected directories, security tools, logs, credentials, application data, and system configuration paths.
  • Correlate the permission change with the initiating user, process, parent process, host role, and recent administrative activity.
  • Tune for authorized maintenance, deployment automation, backup operations, and configuration management to reduce false positives.
  • Look for abnormal expansion of access, removal of restrictions, ownership-like changes, or repeated changes across multiple systems.
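A minimal analytic in the spirit of the detection direction above, written here as an added example (not Glexia's or MITRE's code): it evaluates constructed chmod/chattr command events, flags expansion of access to others or removal of the immutable attribute, raises severity on an assumed set of sensitive path prefixes, and tunes out an assumed set of configuration-management parent processes.

```python
import re

# Constructed sample events (not real telemetry). Fields: host, user, parent process, command line.
EVENTS = [
    ("web01", "deploy",   "ansible", "chmod 640 /var/www/app/config.yml"),
    ("web01", "www-data", "bash",    "chmod 777 /var/log/auth.log"),
    ("db02",  "postgres", "bash",    "chattr -i /etc/sudoers"),
    ("db02",  "root",     "cron",    "chmod 600 /etc/ssl/private/db.key"),
    ("web01", "alice",    "sshd",    "chmod o+w /etc/cron.d"),
    ("web01", "deploy",   "puppet",  "chmod o+w /var/www/uploads"),
    ("web01", "deploy",   "bash",    "chmod a+w /opt/app/bin/run.sh"),
]

# Assumed local baseline (hypothetical): protected path prefixes and authorized config-management parents.
SENSITIVE_PREFIXES = ("/etc/", "/var/log/", "/root/", "/opt/security/")
AUTOMATION_PARENTS = {"ansible", "puppet", "chef-client"}

def widens_access(mode: str) -> bool:
    """True when a chmod mode grants write to 'other': an octal mode with the
    world-writable bit set, or a symbolic grant such as o+w, a+rwx or +w."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return int(mode[-1], 8) & 0o2 != 0
    return re.fullmatch(r"(?:[ugoa]*[oa][ugoa]*|)\+[rwxst]*w[rwxst]*", mode) is not None

def evaluate(event):
    """Return an alert for an access-expanding or restriction-removing change,
    or None when the change tightens access or comes from tuned-out automation."""
    host, user, parent, cmd = event
    tool, *args = cmd.split()
    if tool not in ("chmod", "chattr") or len(args) < 2:
        return None
    path = args[-1]
    reasons = []
    if tool == "chmod" and widens_access(args[0]):
        reasons.append("grants write access to others")
    if tool == "chattr" and "-i" in args[:-1]:
        reasons.append("removes immutable attribute")
    if not reasons or parent in AUTOMATION_PARENTS:
        return None  # tightening change, or expected deployment/config-management activity
    severity = "high" if path.startswith(SENSITIVE_PREFIXES) else "medium"
    return {"host": host, "user": user, "parent": parent, "path": path,
            "severity": severity, "reasons": reasons}

def detect(events):
    """Run every event through evaluate() and keep only the alerts, preserving order."""
    return [alert for alert in map(evaluate, events) if alert is not None]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The alert carries the initiating user, parent process and host so it can be correlated with recent administrative activity; the symbolic-mode check deliberately ignores group-only grants and any `-` or `=` operations.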

Mitigation priorities

  • Define and enforce baseline permissions for critical files and directories.
  • Limit who can modify permissions on sensitive paths through least privilege and administrative role control.
  • Use change control or configuration management to make expected permission changes attributable and reviewable.
  • Enable platform-appropriate auditing for permission and attribute changes on high-value assets.
  • Regularly review exceptions, inherited permissions, and service account privileges that can modify protected paths.

Analyst notes and limits

The ATT&CK object supplied is a detection strategy with no official description or detection content. The strongest supported context comes from its explicit relationship to T1222, which describes adversaries modifying file or directory permissions or attributes to evade ACLs and access protected files. Local implementation should therefore be driven by the organization’s platforms, critical paths, audit policy, and normal administrative patterns.

This take is constrained by sparse ATT&CK fields: platforms and tactics are not specified on DET0299 itself, and no official detection logic is provided. Platform references come only from the related T1222 technique. The content should be treated as guidance for coverage validation, not evidence of current exploitation, attribution, or guaranteed detection capability.

Official MITRE ATT&CK definition

Multi-Platform File and Directory Permissions Modification Detection Strategy

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1222 | File and Directory Permissions Modification | This object detects File and Directory Permissions Modification.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c1a143928cd21eb3...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | c1a143928cd2…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0299

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.