Skip to content

Hide Navigation Hide TOC

Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448)

Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.

Enforce Least Privilege Permissions:

  • Remove unnecessary write permissions on sensitive files and directories.
  • Use file ownership and groups to control access for specific roles.

Example (Windows): Right-click the shared folder → Properties → Security tab → Adjust permissions for NTFS ACLs.

Harden File Shares:

  • Disable anonymous access to shared folders.
  • Enforce NTFS permissions for shared folders on Windows.

Example: Set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access.

On Linux, apply: chmod 750 /etc/sensitive.conf chown root:admin /etc/sensitive.conf

File Integrity Monitoring (FIM):

  • Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.

Audit File System Access:

  • Enable auditing to track permission changes or unauthorized access attempts.
  • Use auditd (Linux) or Event Viewer (Windows) to log activities.

Restrict Startup Directories:

  • Configure permissions to prevent unauthorized writes to directories like C:\ProgramData\Microsoft\Windows\Start Menu.

Example: Restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.

  • On Windows, use icacls to modify permissions: icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F
  • On Linux, monitor permissions using tools like lsattr or auditd.
Cluster A Galaxy A Cluster B Galaxy B Level
Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490) Attack Pattern 1
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Linux and Mac Permissions - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern 1
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern 1
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 1
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action AppDomainManager - T1574.014 (356662f7-e315-4759-86c9-6214e2a50ff8) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 1
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Network Logon Script - T1037.003 (c63a348e-ffc2-486a-b9d9-d7f11ec54d99) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Runtime Data Manipulation - T1565.003 (32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Windows Permissions - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern 1
Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Login Hook - T1037.002 (43ba2b05-cf72-4b6c-8243-03a4aba41ee0) Attack Pattern 1
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Windows Host Firewall - T1686.003 (291ede6c-1473-454c-b614-5ac5ea63c987) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action SIP and Trust Provider Hijacking - T1553.003 (543fceb5-cb92-40cb-aacf-6913d4db58bc) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 1
Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Clear Linux or Mac System Logs - T1685.006 (5e29d64d-2b14-4f92-875e-4c9c498e213c) Attack Pattern Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern 1
Restrict File and Directory Permissions - M1022 (987988f0-cf86-4680-a875-2f6456ab2448) Course of Action Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 1
Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Clear Mailbox Data - T1070.008 (438c967d-3996-4870-bfc2-3954752a1927) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) Attack Pattern 2
Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Systemd Timers - T1053.006 (a542bac9-7bc1-4da7-9a09-96f69e23cc21) Attack Pattern 2
Startup Items - T1037.005 (c0dfe7b0-b873-4618-9ff8-53e31f70907f) Attack Pattern Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern 2
Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern Linux and Mac Permissions - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) Attack Pattern 2
XDG Autostart Entries - T1547.013 (e0232cb0-ded5-4c2e-9dc7-2893142a5c11) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
TCC Manipulation - T1548.006 (e8a0a025-3601-4755-abfb-8d08283329fb) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern 2
Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern AppDomainManager - T1574.014 (356662f7-e315-4759-86c9-6214e2a50ff8) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Unix Shell Configuration Modification - T1546.004 (b63a34e8-0a61-4c97-a23b-bf8a2ed812e2) Attack Pattern 2
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 2
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 2
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern PowerShell Profile - T1546.013 (0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Network Logon Script - T1037.003 (c63a348e-ffc2-486a-b9d9-d7f11ec54d99) Attack Pattern 2
Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931) Attack Pattern Runtime Data Manipulation - T1565.003 (32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490) Attack Pattern 2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern Windows Permissions - T1222.001 (34e793de-0274-4982-9c1a-246ed1c19dee) Attack Pattern 2
Time Providers - T1547.003 (61afc315-860c-4364-825d-0d62b2e91edc) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Control Panel - T1218.002 (4ff5d6a8-c062-4c68-a778-36fc5edd564f) Attack Pattern 2
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Login Hook - T1037.002 (43ba2b05-cf72-4b6c-8243-03a4aba41ee0) Attack Pattern 2
Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern Windows Host Firewall - T1686.003 (291ede6c-1473-454c-b614-5ac5ea63c987) Attack Pattern 2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern SIP and Trust Provider Hijacking - T1553.003 (543fceb5-cb92-40cb-aacf-6913d4db58bc) Attack Pattern 2
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 2
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 2
Clear Linux or Mac System Logs - T1685.006 (5e29d64d-2b14-4f92-875e-4c9c498e213c) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 2
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 2