
Summary
This detection rule identifies potentially malicious use of the `chown` and `chmod` commands to change file ownership and permissions on a Linux system. It specifically looks for files being given the set-user-ID (setuid) or set-group-ID (setgid) bit, which lets any user execute them with the privileges of the file's owner or group. The rule flags command lines containing `chown root` or permission changes such as `chmod u+s` and `chmod g+s`, which indicate an attempt to grant elevated rights to a file. Because misuse of these commands has serious consequences, the rule helps in monitoring persistence techniques used by threat actors. Legitimate administrative activity can trigger this rule, but these events should still be reviewed as part of a comprehensive security posture. The rule is most useful in environments where file permission integrity is essential and changes are tightly controlled and audited.
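The following is an added example, not the rule's own logic or code from its source: a small Python checker that applies the matching described above (`chown root`, `chmod u+s`, `chmod g+s`) to a handful of constructed process events. It goes beyond the page in two ways so that the same activity in other spellings is not missed: it recognizes numeric modes whose leading octal digit carries the setuid (4) or setgid (2) bit, such as `chmod 4755`, and combined or comma-separated symbolic forms such as `chmod ug+s` or `chmod u+s,g+s`. The event layout (host, user, command line), the sample events, and the function names are assumptions made for the example.

```python
import os
import re
import shlex
from typing import Iterable, List, Optional, Tuple

# Constructed sample process events (host, user, command line); not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("web01", "deploy", "chmod u+s /tmp/.cache/helper"),
    ("web01", "deploy", "chmod g+s /var/tmp/.x"),
    ("db02", "root", "/bin/chmod 4755 /opt/tools/backup.sh"),
    ("db02", "root", "chown root:root /usr/local/bin/runner"),
    ("build07", "ci", "chmod +x build.sh"),
    ("build07", "ci", "chmod 0644 README.md"),
    ("build07", "ci", "chown ci:ci /home/ci/out"),
    ("db02", "root", "chmod u-s /usr/bin/legacy"),
]

# One symbolic chmod clause: optional class letters, an operator, permission letters.
SYMBOLIC_CLAUSE = re.compile(r"^(?P<who>[ugoa]*)(?P<op>[+=-])(?P<perm>[rwxXst]*)$")


def setid_from_mode(mode: str) -> Optional[str]:
    """Return 'setuid', 'setgid' or 'setuid+setgid' if a chmod mode argument sets
    those bits, otherwise None."""
    # Numeric form with a fourth leading octal digit: 4 = setuid, 2 = setgid (4755, 2755, 6755).
    if re.fullmatch(r"[0-7]{4}", mode):
        special = int(mode[0])
        bits = []
        if special & 4:
            bits.append("setuid")
        if special & 2:
            bits.append("setgid")
        return "+".join(bits) or None
    # Symbolic form, possibly several comma-separated clauses (u+s,g+s).
    bits = []
    for clause in mode.split(","):
        m = SYMBOLIC_CLAUSE.match(clause)
        if not m or m.group("op") == "-" or "s" not in m.group("perm"):
            continue  # not a symbolic clause, or it removes rather than adds the bit
        # No class letter means "all classes"; the s bits are not masked by umask, so both apply.
        who = m.group("who") or "a"
        if "u" in who or "a" in who:
            bits.append("setuid")
        if "g" in who or "a" in who:
            bits.append("setgid")
    return "+".join(dict.fromkeys(bits)) or None


def classify(cmdline: str) -> Optional[str]:
    """Return a short reason string if the command line matches the rule, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes; leave to a separate malformed-command check
    # Look through a leading sudo so 'sudo chmod u+s x' is still examined.
    if argv and os.path.basename(argv[0]) == "sudo":
        argv = argv[1:]
    if not argv:
        return None
    prog = os.path.basename(argv[0])
    args = [a for a in argv[1:] if not a.startswith("-")]  # drop option flags such as -R
    if prog == "chmod" and args:
        reason = setid_from_mode(args[0])
        return f"chmod sets {reason}" if reason else None
    if prog == "chown" and args:
        # Owner spec may be 'root', 'root:root' or the older 'root.root'; take the user part.
        owner = args[0].split(":")[0].split(".")[0]
        if owner == "root":
            return "chown to root"
    return None


def scan(events: Iterable[Tuple[str, str, str]]) -> List[dict]:
    """Run the classifier over (host, user, cmdline) events and return the matches."""
    hits = []
    for host, user, cmdline in events:
        reason = classify(cmdline)
        if reason:
            hits.append({"host": host, "user": user, "cmdline": cmdline, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[T1548.001] {hit['host']} user={hit['user']} {hit['reason']}: {hit['cmdline']}")
```

Run against the constructed events, the checker flags the two symbolic `chmod` changes, the numeric `chmod 4755`, and the `chown root:root`, while `chmod +x`, `chmod 0644`, `chown ci:ci` and `chmod u-s` (which removes the bit) pass through. Matching on the parsed mode argument rather than on a raw substring is what keeps the last of those from being a false positive.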
Categories
- Linux
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1548.001
- T1548
Created: 2020-06-16