Restrict File and Directory Permissions

Making PowerShell profiles immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.

Use file system access controls to protect folders such as C:\Windows\System32.

Use file system access controls to protect folders such as C:\Windows\System32.

Set group policies to restrict file permissions to the ~/launchagents folder.^[1]

Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.

Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders.

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.

Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\Windows\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.

Install .NET applications and related software in write-protected locations. Set directory access controls to prevent file writes to the search paths for .NET applications, both in the folders where applications are run from and the standard resources folders.

Restrict write access to logon scripts to specific administrators.

Restrict write access to logon scripts to specific administrators.

Limit privileges of user accounts so only authorized users can edit the rc.common file.

Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered.

Applying strict permissions to directories where shortcuts are stored, such as the startup folder, can prevent unauthorized modifications.

Restrict write access to XDG autostart entries to only select privileged users.

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with security services.

Ensure proper process and file permissions are in place to prevent adversaries from disabling or interfering with logging or deleting or modifying .evtx logging files. Ensure .evtx files, which are located at C:\Windows\system32\Winevt\Logs^[3], have the proper file permissions for limited, legitimate access and audit policies for detection.

Ensure proper process and file permissions are in place to prevent adversaries from disabling or modifying firewall settings.

Ensure event tracers/forwarders ^[4], firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls.

Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk.

Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code.

Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.

Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.

Restrict file shares to specific directories with access only to necessary users.

Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Additionally, on Cisco devices, set the nonexportable flag during RSA key pair generation.^[6]

The sudoers file should be strictly edited such that passwords are always required and that users can't spawn risky processes as users with higher privilege.

When using an MDM, ensure the permissions granted are specific to the requirements of the binary. Full Disk Access should be restricted to only necessary binaries in alignment with policy.

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities.

Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.

Restrict access to the authorized_keys file.

Restrict read/write access to systemd .timer unit files to only select privileged users who have a legitimate need to manage system services.