
Summary
This detection rule identifies files being made executable via `chmod`, the standard Unix command for changing file permissions. It applies to Linux and macOS hosts and is implemented as a SQL-like query over the process event logs collected from the CrowdStrike data repository during the last two hours. The rule fires when a logged command line invokes `chmod` with a mode that grants execute permission (for example `u+x`, which adds the execute bit for the file owner). This behaviour has been associated with threat actors including APT41 and UNC5221, indicating that such permission changes are typically characteristic of sophisticated cyber operations. The rule also maps to several MITRE ATT&CK techniques related to execution and privilege escalation, which further underline the potential malicious intent behind modifying file permissions. Overall, it monitors and alerts on permission changes that could lead to unauthorized code execution.
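The detection logic described above, as an added worked example (not the rule's own query or any CrowdStrike code): it parses constructed process records, restricts to Linux/macOS within a two-hour look-back window, and flags `chmod` invocations whose mode grants execute permission, handling both octal and symbolic modes. The record field names (`ts`, `platform`, `cmdline`) are assumptions for this example.

```python
import os
import re
import shlex

# Constructed sample process records, not a real CrowdStrike export. The field
# names (ts, platform, cmdline) are assumptions for this example.
NOW = 1_700_000_000  # constructed "current" epoch time
SAMPLE_EVENTS = [
    {"ts": NOW - 600,  "platform": "Linux",   "cmdline": "chmod +x /tmp/.cache/update.sh"},
    {"ts": NOW - 1200, "platform": "Linux",   "cmdline": "chmod -R 755 /opt/app/bin"},
    {"ts": NOW - 300,  "platform": "macOS",   "cmdline": "chmod u+x,go-w /Users/dev/build.sh"},
    {"ts": NOW - 60,   "platform": "Linux",   "cmdline": "chmod 644 /etc/motd"},
    {"ts": NOW - 90,   "platform": "Linux",   "cmdline": "chmod -x /usr/local/bin/old"},
    {"ts": NOW - 10,   "platform": "Windows", "cmdline": "chmod +x x.sh"},
    {"ts": NOW - 9000, "platform": "Linux",   "cmdline": "chmod a+x /tmp/stale.sh"},  # outside window
]

OPTION_RE = re.compile(r"^-(?:[cfvR]+|-.*)$")  # chmod flags, as opposed to modes like -x or -w

def mode_adds_exec(mode):
    """True if a chmod mode argument grants execute to user, group or other.
    Handles octal modes (755, 4755) and symbolic clauses (u+x, a+X, u=rwx)."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return bool(int(mode, 8) & 0o111)  # any of the three execute bits set
    for clause in mode.split(","):
        m = re.fullmatch(r"[ugoa]*((?:[-+=][rwxXst]*)+)", clause)
        if m is None:
            return False  # not a valid chmod mode, nothing to flag
        for op, perms in re.findall(r"([-+=])([rwxXst]*)", m.group(1)):
            if op in "+=" and ("x" in perms or "X" in perms):
                return True
    return False

def chmod_exec_events(events, now=NOW, window_secs=2 * 3600):
    """Return the command lines that set executable permissions via chmod on
    Linux/macOS hosts within the look-back window (two hours, as the rule states)."""
    hits = []
    for ev in events:
        if ev["platform"] not in ("Linux", "macOS") or ev["ts"] < now - window_secs:
            continue
        try:
            argv = shlex.split(ev["cmdline"])
        except ValueError:
            continue  # unbalanced quotes: skip malformed command lines
        if not argv or os.path.basename(argv[0]) != "chmod":
            continue
        operands = [a for a in argv[1:] if not OPTION_RE.match(a)]
        if operands and mode_adds_exec(operands[0]):  # first operand is the mode
            hits.append(ev["cmdline"])
    return hits

if __name__ == "__main__":
    for line in chmod_exec_events(SAMPLE_EVENTS):
        print("ALERT:", line)
```

In a real deployment the same predicate would run as the query's filter over the CrowdStrike process events, with the look-back window applied on the timestamp field.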
Categories
- Linux
- macOS
Data Sources
- Process
ATT&CK Techniques
- T1059.004
- T1222.002
- T1548.001
Created: 2024-02-09