M1022: Restrict File and Directory Permissions
Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.
Enforce Least Privilege Permissions:
- Remove unnecessary write permissions on sensitive files and directories.
- Use file ownership and groups to control access for specific roles.
Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs.
Harden File Shares:
- Disable anonymous access to shared folders.
- Enforce NTFS permissions for shared folders on Windows.
Example: Set permissions to restrict write access to critical files, such as system executables (e.g., `/bin` or `/sbin` on Linux). Use tools like `chown` and `chmod` to assign file ownership and limit access.
On Linux, apply: `chmod 750 /etc/sensitive.conf` and `chown root:admin /etc/sensitive.conf`.
File Integrity Monitoring (FIM):
- Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.
Audit File System Access:
- Enable auditing to track permission changes or unauthorized access attempts.
- Use auditd (Linux) or Event Viewer (Windows) to log activities.
Restrict Startup Directories:
- Configure permissions to prevent unauthorized writes to directories like `C:\ProgramData\Microsoft\Windows\Start Menu`.
Example: Restrict write access to critical directories like `/etc/`, `/usr/local/`, and Windows directories such as `C:\Windows\System32`.
- On Windows, use `icacls` to modify permissions: `icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F`
- On Linux, monitor permissions using tools like `lsattr` or `auditd`.
Analyst context for executives and security teams
Restricting file and directory permissions is a basic control with high defensive leverage: it limits who or what can read, write, or execute sensitive files, shared content, startup locations, scripts, and system directories. For leaders, the value is not that permissions exist, but whether they are governed, audited, and resistant to unauthorized change in the places attackers commonly abuse for persistence, stealth, lateral movement, exfiltration support, and impact.
Executive priority
Treat this as a resilience and audit-evidence control, not only a system hardening task. The related ATT&CK context connects weak permissions to masquerading, startup and logon persistence, scheduled execution, shared-content abuse, account persistence through SSH keys, permission tampering, indicator removal, and service disruption. Priority should go to business-critical systems, shared folders, administrative scripts, startup directories, sensitive configuration files, SSH authorization files, and directories containing executables or services. Executives should ask whether ownership, least privilege, monitoring, and exception handling are consistently enforced across these locations.
Technical view
SOC, detection engineering, and IR teams should validate whether file-system ACLs, ownership, group membership, and write/execute permissions are known-good for critical paths and whether changes are logged. The mitigation text specifically points to least privilege permissions, hardened file shares, file integrity monitoring, auditing of permission changes or unauthorized access attempts, and restrictions on startup directories. Relationship context makes this especially relevant to detection and response for masquerading, renamed utilities, legitimate-looking file placement, boot/logon scripts, scheduled jobs, SSH authorized_keys changes, and adversary modification of permissions.
Likely telemetry
- File and directory permission change events
- File ownership and group membership changes
- File integrity monitoring alerts for critical files, startup paths, scripts, and executables
- Windows security and Event Viewer records related to file access or ACL changes
- Linux auditd records for permission, ownership, and access events
Detection direction
- Baseline expected permissions for sensitive files, system directories, startup locations, shared folders, scripts, and service-related paths, then alert on unauthorized drift.
- Prioritize monitoring of writable locations that can influence execution or persistence, including startup directories, logon scripts, scheduled job definitions, systemd timers, RC scripts, and SSH authorized_keys files where present.
- Tune detections to distinguish approved administrative maintenance from unusual permission broadening, ownership transfer, inheritance changes, or new write access for broad groups.
- Correlate permission changes with related behaviors such as masqueraded file placement, renamed utilities, shared-content modification, persistence cleanup, or service disruption.
- Validate that file integrity monitoring and audit logging cover both content changes and permission/ownership changes; content-only monitoring can miss material control failures.
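As an added example (not part of the ATT&CK text or Glexia's own tooling), the baseline-and-drift check described above, applied to the kind of paths the `chmod`/`chown` and startup-directory guidance earlier on the page covers: it records uid, gid and mode for critical paths, then flags ownership transfer, mode changes, new group/world write access, missing paths and unbaselined paths. The file names, modes and the temporary-directory scenario are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path


def snapshot(paths):
    """Record (uid, gid, permission bits) for each path; missing paths are skipped.

    lstat is used so a path swapped for a symbolic link is not silently followed.
    """
    snap = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        snap[p] = (st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return snap


def find_drift(baseline, current):
    """Compare a known-good baseline against a current snapshot.

    Returns a list of (path, reason) findings covering ownership transfer,
    mode changes, broadening to group/world write, removed and new paths.
    """
    findings = []
    for path, (uid, gid, mode) in baseline.items():
        if path not in current:
            findings.append((path, "missing"))
            continue
        cur_uid, cur_gid, cur_mode = current[path]
        if (cur_uid, cur_gid) != (uid, gid):
            findings.append((path, f"owner changed {uid}:{gid} -> {cur_uid}:{cur_gid}"))
        if cur_mode != mode:
            findings.append((path, f"mode changed {oct(mode)} -> {oct(cur_mode)}"))
        # Newly added group/world write bits are the drift most relevant to persistence.
        added_bits = cur_mode & ~mode
        if added_bits & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "write access broadened to group/world"))
    for path in current:
        if path not in baseline:
            findings.append((path, "unbaselined path"))
    return findings


def demo():
    """Constructed scenario: baseline a config file and a startup directory, then tamper."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "sensitive.conf")   # stands in for /etc/sensitive.conf
        startup = os.path.join(root, "startup")       # stands in for a Start Menu startup folder
        Path(conf).write_text("secret=1\n")
        os.mkdir(startup)
        os.chmod(conf, 0o640)       # owner rw, group r, no world access
        os.chmod(startup, 0o755)    # only the owner may write new entries
        baseline = snapshot([conf, startup])
        os.chmod(startup, 0o777)    # simulated unauthorized broadening to world-writable
        return find_drift(baseline, snapshot([conf, startup]))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"DRIFT {path}: {reason}")
```

In production the baseline would be captured from a trusted build and stored outside the monitored host, and findings would be correlated with the auditd or Event Viewer ACL-change records listed under "Likely telemetry".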
Mitigation priorities
- Start with least privilege: remove unnecessary write permissions from sensitive files, directories, startup paths, shared folders, and system executable locations.
- Use file ownership and groups to map access to defined roles rather than broad user populations or anonymous access.
- Harden shared folders by disabling anonymous access and enforcing file-system permissions, not only share-level convenience settings.
- Restrict write access to boot, logon, startup, scheduling, service, and configuration locations that can influence execution or persistence.
- Enable auditing and file integrity monitoring for critical paths so permission drift and unauthorized access attempts produce reviewable evidence.
Analyst notes and limits
This mitigation is broad but operationally important because many related techniques depend on placing, modifying, hiding, or protecting files in locations defenders and users trust. Its effectiveness depends heavily on local asset criticality, operating system conventions, identity/group design, administrative workflows, and logging configuration. For Glexia-style assessments, this control should be tested through configuration review, telemetry validation, and incident-response evidence readiness rather than assumed from policy alone.
The ATT&CK object does not provide an official detection section and does not specify platforms for the mitigation itself. Platform references above are derived from the official description examples and supplied relationship context. This take does not assert active exploitation, attribution, guaranteed prevention, or existing detection coverage in any environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Use file system access controls to protect folders such as `C:\Windows\System32`. |
| Enterprise | T1565.001 | Stored Data Manipulation Sub-technique | Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. |
| Enterprise | T1037.004 | RC Scripts Sub-technique | Limit privileges of user accounts so only authorized users can edit the `rc.common` file. |
| Enterprise | T1222.002 | Linux and Mac Permissions Sub-technique | Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists. |
| Enterprise | T1037.005 | Startup Items Sub-technique | Since StartupItems are deprecated, preventing all users from writing to the |
| Enterprise | T1053.006 | Systemd Timers Sub-technique | Restrict read/write access to systemd |
| Enterprise | T1218.002 | Control Panel Sub-technique | Restrict storage and execution of Control Panel items to protected directories, such as |
| Enterprise | T1547.003 | Time Providers Sub-technique | Consider using Group Policy to configure and block additions/modifications to W32Time DLLs. (Citation: Microsoft W32Time May 2017) |
| Enterprise | T1574.004 | Dylib Hijacking Sub-technique | Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders. |
| Enterprise | T1222.001 | Windows Permissions Sub-technique | Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists. |
| Enterprise | T1037.003 | Network Logon Script Sub-technique | Restrict write access to logon scripts to specific administrators. |
| Enterprise | T1686.003 | Windows Host Firewall Sub-technique | Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| Enterprise | T1098.004 | SSH Authorized Keys Sub-technique | Restrict access to the |
| Enterprise | T1565.003 | Runtime Data Manipulation Sub-technique | Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. |
| Enterprise | T1552.004 | Private Keys Sub-technique | Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the `nonexportable` flag during RSA key pair generation. (Citation: cisco_deploy_rsa_keys) |
| Enterprise | T1055.009 | Proc Memory Sub-technique | Restrict the permissions on sensitive files such as |
| Enterprise | T1685 | Disable or Modify Tools | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services. |
| Enterprise | T1686 | Disable or Modify System Firewall | Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings. |
| Enterprise | T1574.007 | Path Interception by PATH Environment Variable Sub-technique | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory |
| Enterprise | T1547.013 | XDG Autostart Entries Sub-technique | Restrict write access to XDG autostart entries to only select privileged users. |
| Enterprise | T1564.004 | NTFS File Attributes Sub-technique | Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. (Citation: InsiderThreat NTFS EA Oct 2017) |
| Enterprise | T1543.001 | Launch Agent Sub-technique | Set group policies to restrict file permissions to the |
| Enterprise | T1574.008 | Path Interception by Search Order Hijacking Sub-technique | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory |
| Enterprise | T1546.013 | PowerShell Profile Sub-technique | Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence. |
| Enterprise | T1070 | Indicator Removal | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| Enterprise | T1098 | Account Manipulation | Restrict access to potentially sensitive files that deal with authentication and/or authorization. |
| Enterprise | T1574 | Hijack Execution Flow | Install software in write-protected locations. Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard library folders. |
| Enterprise | T1036 | Masquerading | Use file system access controls to protect folders such as `C:\Windows\System32`. |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Applying strict permissions to directories where shortcuts are stored, such as the startup folder, can prevent unauthorized modifications. |
| Enterprise | T1222 | File and Directory Permissions Modification | Applying more restrictive permissions to files and directories could prevent adversaries from modifying their access control lists. Additionally, ensure that user settings regarding local and remote symbolic links are properly set or disabled where unneeded. (Citation: create_sym_links) |
| Enterprise | T1053 | Scheduled Task/Job | Restrict access by setting directory and file permissions that are not specific to users or privileged accounts. |
| Enterprise | T1563.001 | SSH Hijacking Sub-technique | Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities. |
| Enterprise | T1070.008 | Clear Mailbox Data Sub-technique | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| Enterprise | T1548.003 | Sudo and Sudo Caching Sub-technique | The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege. |
| Enterprise | T1070.009 | Clear Persistence Sub-technique | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| Enterprise | T1552 | Unsecured Credentials | Restrict file shares to specific directories with access only to necessary users. |
| Enterprise | T1543.002 | Systemd Service Sub-technique | Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. |
| Enterprise | T1070.003 | Clear Command History Sub-technique | Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their |
| Enterprise | T1543 | Create or Modify System Process | Restrict read/write access to system-level process files to only select privileged users who have a legitimate need to manage system services. |
| Enterprise | T1037.002 | Login Hook Sub-technique | Restrict write access to logon scripts to specific administrators. |
| Enterprise | T1685.006 | Clear Linux or Mac System Logs Sub-technique | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| Enterprise | T1556 | Modify Authentication Process | Restrict write access to the `/Library/Security/SecurityAgentPlugins` directory. |
| Enterprise | T1548 | Abuse Elevation Control Mechanism | The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege. |
| Enterprise | T1546.004 | Unix Shell Configuration Modification Sub-technique | Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence. |
| Enterprise | T1530 | Data from Cloud Storage | Use access control lists on storage systems and objects. |
| Enterprise | T1574.014 | AppDomainManager Sub-technique | Install .NET applications and related software in write-protected locations. Set directory access controls to prevent file writes to the search paths for .NET applications, both in the folders where applications are run from and the standard resources folders. |
| Enterprise | T1574.009 | Path Interception by Unquoted Path Sub-technique | Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory |
| Enterprise | T1565 | Data Manipulation | Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. |
| Enterprise | T1569 | System Services | Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level. |
| Enterprise | T1569.002 | Service Execution Sub-technique | Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level. |
| Enterprise | T1037 | Boot or Logon Initialization Scripts | Restrict write access to logon scripts to specific administrators. |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. |
| Enterprise | T1489 | Service Stop | Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Use access control lists on cloud storage systems and objects. |
| Enterprise | T1036.003 | Rename Legitimate Utilities Sub-technique | Use file system access controls to protect folders such as `C:\Windows\System32`. |
| Enterprise | T1080 | Taint Shared Content | Protect shared folders by minimizing users who have write access. |
| Enterprise | T1553.003 | SIP and Trust Provider Hijacking Sub-technique | Restrict storage and execution of SIP DLLs to protected directories, such as `C:\Windows`, rather than user directories. |
| Enterprise | T1685.001 | Disable or Modify Windows Event Log Sub-technique | Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | Restrict file shares to specific directories with access only to necessary users. |
| Enterprise | T1548.006 | TCC Manipulation Sub-technique | When using an MDM, ensure the permissions granted are specific to the requirements of the binary. Full Disk Access should be restricted to only necessary binaries in alignment with policy. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 2f34d0d37fd5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1022 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.