
Summary
The detection rule identifies unauthorized or suspicious usage of the `chmod` command on Linux systems, focusing on permission changes that could signify malicious intent. Specifically, it monitors for commands that change file permissions to settings that grant excessive access, such as `777` (read, write and execute for all users) or `755` (read and execute permissions for others). The rule leverages the Linux Audit daemon (auditd) to collect process execution data, providing visibility into the risk associated with unauthorized permission changes. By tracking these modifications and correlating them with expected administrative activity, security teams can react promptly to possible security breaches, preventing privilege escalation, data tampering, or other harmful activity on Linux hosts.
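The following is an added example of the detection logic the summary describes, not the rule's own query or code. It parses auditd `EXECVE` records (constructed sample lines, including one hex-encoded argument, which auditd emits when an argument contains a space) and flags `chmod` invocations whose mode grants excessive access. As an assumption, it goes beyond the `777`/`755` cases in the summary: it also flags other octal modes that open the file to all users (`666`, `776`) and symbolic modes that add write or execute for "others", such as `o+w` or `a+rwx`. Note that `755` is the normal mode for legitimately installed executables, so a real deployment would tune on the target path or the invoking user to keep false positives down.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Optional

# Octal modes treated as excessive. 777 and 755 come from the rule summary;
# 666 and 776 are added here as an assumption (world-writable variants).
PERMISSIVE_OCTAL = {"777", "755", "666", "776"}

# type=EXECVE msg=audit(<epoch>.<ms>:<serial>): argc=N a0="..." a1=...
EXECVE_RE = re.compile(r'^type=EXECVE msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
# Arguments are quoted strings, or bare hex when they contain spaces/control chars.
ARG_RE = re.compile(r'a(?P<i>\d+)=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+))')
SYMBOLIC_CLAUSE_RE = re.compile(r"([ugoa]*)([+=-])([rwxXst]*)")


@dataclass
class Finding:
    serial: str
    mode: str
    targets: list = field(default_factory=list)
    argv: list = field(default_factory=list)


def parse_execve(line: str) -> Optional[dict]:
    """Return {'ts', 'serial', 'argv'} for an EXECVE record, else None."""
    m = EXECVE_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for am in ARG_RE.finditer(m.group("rest")):
        idx = int(am.group("i"))
        if am.group("quoted") is not None:
            args[idx] = am.group("quoted")
        else:  # hex-encoded argument: decode back to text
            args[idx] = bytes.fromhex(am.group("hex")).decode("utf-8", "replace")
    argv = [args[i] for i in sorted(args)]
    return {"ts": m.group("ts"), "serial": m.group("serial"), "argv": argv}


def is_permissive(mode: str) -> bool:
    """True if an octal or symbolic chmod mode grants excessive access to others."""
    mode = mode.strip()
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return mode[-3:] in PERMISSIVE_OCTAL  # ignore setuid/setgid/sticky digit
    for clause in mode.split(","):
        cm = SYMBOLIC_CLAUSE_RE.fullmatch(clause)
        if not cm:
            continue
        who, op, perms = cm.groups()
        if op == "-":
            continue  # removing permissions is never flagged
        # No "who" prefix means "a" (all users, subject to umask)
        targets_others = (not who) or "o" in who or "a" in who
        if targets_others and any(p in perms for p in "wxX"):
            return True
    return False


def detect(lines) -> list:
    """Run the chmod detection over auditd log lines and return findings."""
    findings = []
    for line in lines:
        rec = parse_execve(line)
        if not rec or not rec["argv"]:
            continue
        argv = rec["argv"]
        if os.path.basename(argv[0]) != "chmod":
            continue
        # First non-option argument is the mode; the rest are targets (e.g. chmod -R 755 dir)
        positional = [a for a in argv[1:] if not a.startswith("-")]
        if not positional:
            continue
        mode, targets = positional[0], positional[1:]
        if is_permissive(mode):
            findings.append(Finding(rec["serial"], mode, targets, argv))
    return findings


# Constructed sample auditd records (not real captured data). Serial 1004 carries a
# hex-encoded path ("/srv/web root") as auditd does for arguments containing spaces.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1738000000.101:1001): arch=c000003e syscall=59 success=yes exit=0 comm="chmod" exe="/usr/bin/chmod"
type=EXECVE msg=audit(1738000000.101:1001): argc=3 a0="chmod" a1="777" a2="/tmp/.cache/updater"
type=EXECVE msg=audit(1738000000.102:1002): argc=3 a0="chmod" a1="644" a2="/etc/motd"
type=EXECVE msg=audit(1738000000.103:1003): argc=4 a0="chmod" a1="-R" a2="755" a3="/opt/app/bin"
type=EXECVE msg=audit(1738000000.104:1004): argc=3 a0="/bin/chmod" a1="o+w" a2=2F7372762F77656220726F6F74
type=EXECVE msg=audit(1738000000.105:1005): argc=2 a0="ls" a1="-la"
"""


def run_sample() -> list:
    return detect(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f"serial={f.serial} mode={f.mode} targets={f.targets} argv={f.argv}")
```

Running the block prints three findings (serials 1001, 1003 and 1004); the `644` change and the unrelated `ls` execution are ignored. Correlating the `EXECVE` serial with the matching `SYSCALL` record gives the invoking `uid`/`auid`, which is where per-user tuning would hook in.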
Categories
- Linux
- Endpoint
Data Sources
- Pod
- File
- Process
- Command
ATT&CK Techniques
- T1222.002
- T1222
Created: 2025-01-27