
System Binary Path File Permission Modification

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies modifications to file permissions in key system binary paths on Linux. These paths matter because an adversary who has dropped a payload there may change its permissions so that it can be executed on demand and blends in with legitimate binaries. The rule triggers on executions of `chmod` or `chown`, filtering process events to surface unusual permission changes that could indicate malicious activity. It captures a set of specific permission values, such as `4755`, `755`, and `777`, while excluding legitimate administrative activity and benign script executions. To use this rule, Elastic Defend must be integrated through Fleet so that the relevant host events are collected and sent to the Elastic Security application for analysis. The rule is written in EQL (Event Query Language) and is scoped to events from the last nine months, so it applies to recent activity. When the rule fires, the accompanying investigation guide covers steps such as reviewing the parent process and correlating other security logs for related threats. The rule also documents false positives arising from normal system updates and maintenance tasks, balancing detection coverage against operational noise.
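As an added illustration, not Elastic's rule or its EQL query, the following Python applies the matching logic described above to a few constructed process events: `chmod`/`chown` on a system binary path, the `4755`/`755`/`777` values named in the summary, and an exclusion for package-manager parents standing in for the rule's benign-activity filters. The path list, the exclusion list and the event field names are assumptions.

```python
import os
import shlex
from typing import Optional

# Approximation of the rule's scope; the exact lists in the EQL rule are not on this page.
SYSTEM_BIN_PATHS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                    "/usr/local/bin/", "/usr/local/sbin/")
SUSPICIOUS_MODES = {"4755", "755", "777"}                          # values named in the summary
BENIGN_PARENTS = {"dpkg", "rpm", "apt", "apt-get", "yum", "dnf"}  # assumed package-manager noise

def match_event(event: dict) -> Optional[dict]:
    """Return a finding for one process-exec event, or None if it does not match."""
    if event.get("action") != "exec":
        return None
    args = shlex.split(event.get("command_line", ""))
    if not args:
        return None
    tool = os.path.basename(args[0])
    if tool not in ("chmod", "chown"):
        return None
    # Exclude legitimate package maintenance (assumed parent list, see above).
    if os.path.basename(event.get("parent_name", "")) in BENIGN_PARENTS:
        return None
    targets = [a for a in args[1:] if a.startswith(SYSTEM_BIN_PATHS)]
    if not targets:
        return None
    mode = None
    if tool == "chmod":  # normalise "0755" -> "755"; chown has no mode, match on path only
        numeric = [a.lstrip("0") or "0" for a in args[1:] if a.isdigit()]
        if not numeric or numeric[0] not in SUSPICIOUS_MODES:
            return None
        mode = numeric[0]
    return {"host": event.get("host"), "tool": tool, "mode": mode, "targets": targets,
            "parent": event.get("parent_name"), "command_line": event["command_line"]}

def detect(events) -> list:
    """Run match_event over an event stream and keep the findings."""
    return [f for f in map(match_event, events) if f]

# Constructed sample events; hosts, paths and process names are made up.
SAMPLE_EVENTS = [
    {"host": "web01", "action": "exec", "parent_name": "bash",
     "command_line": "chmod 4755 /usr/local/bin/update-agent"},   # should fire
    {"host": "web01", "action": "exec", "parent_name": "dpkg",
     "command_line": "chmod 0755 /usr/bin/example-tool"},         # package manager, excluded
    {"host": "db02", "action": "exec", "parent_name": "sh",
     "command_line": "chown root:root /usr/sbin/helper"},          # should fire
    {"host": "db02", "action": "exec", "parent_name": "bash",
     "command_line": "chmod 777 /tmp/build.sh"},                   # outside system bin paths
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```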
Categories
  • Endpoint
  • Linux
Data Sources
  • File
  • Process
  • Command
ATT&CK Techniques
  • T1059
Created: 2025-01-07