Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448)

Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.

Enforce Least Privilege Permissions:

  • Remove unnecessary write permissions on sensitive files and directories.
  • Use file ownership and groups to control access for specific roles.

Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs.

Harden File Shares:

  • Disable anonymous access to shared folders.
  • Enforce NTFS permissions for shared folders on Windows.

Example: Set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access.

On Linux, apply:

    chmod 750 /etc/sensitive.conf
    chown root:admin /etc/sensitive.conf

File Integrity Monitoring (FIM):

  • Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.

Audit File System Access:

  • Enable auditing to track permission changes or unauthorized access attempts.
  • Use auditd (Linux) or Event Viewer (Windows) to log activities.

Restrict Startup Directories:

  • Configure permissions to prevent unauthorized writes to directories like C:\ProgramData\Microsoft\Windows\Start Menu.

Example: Restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.

  • On Windows, use icacls to modify permissions: icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F
  • On Linux, monitor permissions using tools like lsattr or auditd.
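
A read-only check for the controls listed above (group/other write bits, ownership, and permission changes against a baseline), added here as a Python example that is not part of the original page. The file `startup.sh`, the function names and the temporary directory are constructed for illustration; the expected owner defaults to uid 0 to mirror the page's `chown root:admin`.

```python
import os
import stat
import tempfile

LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH  # write bit for group or others


def snapshot(root):
    """Record (mode, uid, gid) for every file and directory under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):  # does not descend into symlinked dirs
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link has no meaningful mode of its own
            snap[os.path.relpath(path, root)] = (
                stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return snap


def loose_writes(snap, owner_uid=0):
    """Flag entries writable by group/others or not owned by owner_uid."""
    findings = []
    for path, (mode, uid, _gid) in sorted(snap.items()):
        if mode & LOOSE_WRITE:
            findings.append((path, f"writable by group/other ({mode:04o})"))
        if uid != owner_uid:
            findings.append((path, f"owner uid {uid}, expected {owner_uid}"))
    return findings


def drift(baseline, current):
    """Return (path, kind, old, new) for entries added, removed or changed."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            changes.append((path, "added", None, new))
        elif new is None:
            changes.append((path, "removed", old, None))
        elif old != new:
            changes.append((path, "changed", old, new))
    return changes


def demo():
    """Constructed tree: baseline it, loosen one file, run both checks."""
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o755)
        for name, mode in (("sensitive.conf", 0o750), ("startup.sh", 0o755)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        baseline = snapshot(root)
        os.chmod(os.path.join(root, "startup.sh"), 0o777)  # simulated change
        current = snapshot(root)
        return loose_writes(current, os.geteuid()), drift(baseline, current)


if __name__ == "__main__":
    loose, changes = demo()
    for finding in loose:
        print("LOOSE", *finding)
    for path, kind, old, new in changes:
        print("DRIFT", path, kind, old, new)
```

For real use, point `snapshot()` at a directory such as /etc and keep the stored baseline where the audited accounts cannot write to it.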

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | AppDomainManager - T1574.014 (356662f7-e315-4759-86c9-6214e2a50ff8) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Login Hook - T1037.002 (43ba2b05-cf72-4b6c-8243-03a4aba41ee0) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Runtime Data Manipulation - T1565.003 (32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Network Logon Script - T1037.003 (c63a348e-ffc2-486a-b9d9-d7f11ec54d99) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | SIP and Trust Provider Hijacking - T1553.003 (543fceb5-cb92-40cb-aacf-6913d4db58bc) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) | Attack Pattern | 1 |
| Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) | Course of Action | XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) | Attack Pattern | 1 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) | Attack Pattern | 2 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | AppDomainManager - T1574.014 (356662f7-e315-4759-86c9-6214e2a50ff8) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) | Attack Pattern | 2 |
| Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) | Attack Pattern | Login Hook - T1037.002 (43ba2b05-cf72-4b6c-8243-03a4aba41ee0) | Attack Pattern | 2 |
| Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) | Attack Pattern | File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) | Attack Pattern | 2 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490) | Attack Pattern | 2 |
| Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2 |
| Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) | Attack Pattern | TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) | Attack Pattern | 2 |
| Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) | Attack Pattern | Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) | Attack Pattern | 2 |
| Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) | Attack Pattern | RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211) | Attack Pattern | 2 |
| Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) | Attack Pattern | Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) | Attack Pattern | 2 |
| Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2 |
| Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |
| Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) | Attack Pattern | Runtime Data Manipulation - T1565.003 (32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490) | Attack Pattern | 2 |
| Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) | Attack Pattern | Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | 2 |
| Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 2 |
| Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) | Attack Pattern | Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f) | Attack Pattern | 2 |
| Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) | Attack Pattern | Network Logon Script - T1037.003 (c63a348e-ffc2-486a-b9d9-d7f11ec54d99) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) | Attack Pattern | 2 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) | Attack Pattern | 2 |
| Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |
| Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) | Attack Pattern | NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Indicator Blocking - T1562.006 (74d2a63f-3c7b-4852-92da-02d8fbab16da) | Attack Pattern | 2 |
| SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) | Attack Pattern | Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) | Attack Pattern | 2 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | 2 |
| Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) | Attack Pattern | Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36) | Attack Pattern | 2 |
| PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 2 |
| Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) | Attack Pattern | SIP and Trust Provider Hijacking - T1553.003 (543fceb5-cb92-40cb-aacf-6913d4db58bc) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | 2 |
| Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292) | Attack Pattern | Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) | Attack Pattern | 2 |
| Windows File and Directory Permissions Modification - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) | Attack Pattern | File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) | Attack Pattern | 2 |
| Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |
| SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2 |
| Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2 |
| Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) | Attack Pattern | Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | 2 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) | Attack Pattern | 2 |
| XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) | Attack Pattern | Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | 2 |