
Summary
The detection rule titled 'Modify File Attributes' is designed to identify execution of the 'chattr' command on Linux file systems. The 'chattr' command changes file attributes, a technique often employed by threat actors to manipulate the permissions of files and the processes that depend on them. This rule specifically targets activity associated with TeamTNT, a known threat actor, as part of their defense-evasion tactics. The rule uses Splunk's query language to extract and analyze endpoint data from UNIX systems: it captures events recording execution of 'chattr' and groups them by time and host, so that unauthorized modifications to file attributes can be monitored and detected. The rule supports defenders by alerting on potentially malicious actions that align with the MITRE ATT&CK technique for modification of file and directory permissions on Linux systems.
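As an added illustration, not the rule's own Splunk search, the Python below reproduces the logic the summary describes: it filters constructed endpoint process events for executions of chattr and groups the hits by host and one-minute time bucket. The event field names (host, time, process_name, process) and the sample events are assumptions made for this example.

```python
import calendar
from collections import defaultdict
from datetime import datetime

# Constructed sample endpoint process events (not real telemetry).
# Field names are an assumption, not the rule's actual data model schema.
SAMPLE_EVENTS = [
    {"host": "web01", "time": "2024-02-09T10:15:03Z", "process_name": "chattr",
     "process": "chattr +i /etc/resolv.conf"},
    {"host": "web01", "time": "2024-02-09T10:15:41Z", "process_name": "chattr",
     "process": "chattr -ia /tmp/x"},
    {"host": "web01", "time": "2024-02-09T10:16:10Z", "process_name": "bash",
     "process": "bash -c 'echo hello'"},
    {"host": "db02", "time": "2024-02-09T11:02:00Z", "process_name": "/usr/bin/chattr",
     "process": "/usr/bin/chattr +a /var/log/auth.log"},
    {"host": "db02", "time": "2024-02-09T11:02:30Z", "process_name": "ls",
     "process": "ls -la /var/log"},
]


def is_chattr(event):
    """Match the rule's trigger: the executing binary is chattr (bare or full path)."""
    name = event.get("process_name", "")
    return name == "chattr" or name.endswith("/chattr")


def bucket(ts, span_seconds=60):
    """Floor a UTC ISO-8601 timestamp to the start of its time span (epoch seconds)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    epoch = calendar.timegm(dt.timetuple())  # treat the naive datetime as UTC
    return epoch - (epoch % span_seconds)


def detect_chattr(events, span_seconds=60):
    """Group chattr executions by (host, time bucket), like a stats-by-host-and-time
    clause, returning the hit count and distinct command lines per group."""
    groups = defaultdict(lambda: {"count": 0, "commands": set()})
    for ev in events:
        if not is_chattr(ev):
            continue
        key = (ev["host"], bucket(ev["time"], span_seconds))
        groups[key]["count"] += 1
        groups[key]["commands"].add(ev["process"])
    return {k: {"count": v["count"], "commands": sorted(v["commands"])}
            for k, v in groups.items()}


if __name__ == "__main__":
    for (host, start), hit in sorted(detect_chattr(SAMPLE_EVENTS).items()):
        print(host, datetime.utcfromtimestamp(start).isoformat(), hit)
```

Each emitted group corresponds to one alert row: a host, the minute in which chattr ran, and the command lines an analyst would review.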
Categories
- Linux
- Endpoint
Data Sources
- Process
- Command
ATT&CK Techniques
- T1222.002
Created: 2024-02-09