
Summary
This threat detection rule, authored by Elastic, identifies file permission modifications in commonly writable directories (such as /tmp and /var/tmp) performed by non-root users. Attackers often use these directories to drop and execute malicious payloads. The rule uses KQL (Kibana Query Language) to flag executions of 'chattr', 'chgrp', 'chmod' or 'chown' that target these writable locations, while excluding benign processes typically associated with system maintenance or updates. It is mapped to the Defense Evasion tactic (ATT&CK T1222) and carries a risk score of 21, i.e. it is positioned as a low-severity detection. False positives may arise from legitimate applications or system processes that change file permissions; these can be managed by adding specific exclusions to the alerting logic. Alerting on potentially malicious permission changes helps preserve system integrity against defense evasion techniques, particularly in environments where non-root users may pose a risk, and underscores the value of monitoring writable directories as part of a broader security strategy for Linux environments.
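As an added illustration (not the Elastic rule's own KQL), the following Python re-implements the summary's core conditions over constructed process events: watched tool names, non-root user, and a path under /tmp or /var/tmp. The benign-parent exclusion list is an assumption, since the page names no specific excluded processes.

```python
"""Pure-Python re-implementation of the rule's core logic, applied to
constructed sample events (this is not the Elastic rule's KQL)."""
import re
from dataclasses import dataclass

# Process names the rule watches (from the rule summary).
PERMISSION_TOOLS = {"chattr", "chgrp", "chmod", "chown"}

# Writable directories named in the rule summary; the pattern also matches
# paths nested beneath them but not look-alikes such as /tmpfoo.
WRITABLE_DIR_RE = re.compile(r"(^|\s)/(var/)?tmp(/|\s|$)")

# Assumed exclusion list: the summary says benign maintenance/update
# processes are excluded but does not name them, so these parent process
# names are a placeholder a deployer would tune to their environment.
ASSUMED_BENIGN_PARENTS = {"apt-get", "dpkg", "rpm", "yum", "dnf"}


@dataclass
class ProcessEvent:
    process_name: str
    args: str
    user_id: int
    parent_name: str = ""


def matches_rule(ev: ProcessEvent) -> bool:
    """Return True when the event would fire the detection."""
    if ev.process_name not in PERMISSION_TOOLS:
        return False
    if ev.user_id == 0:  # the rule only targets non-root users
        return False
    if ev.parent_name in ASSUMED_BENIGN_PARENTS:  # assumed exclusion
        return False
    return WRITABLE_DIR_RE.search(ev.args) is not None


def run_detection(events):
    """Return the subset of events that match the rule."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample telemetry: two true hits, one root action, one path
# outside the watched directories, one excluded parent, one unrelated tool.
SAMPLE_EVENTS = [
    ProcessEvent("chmod", "chmod +x /tmp/.x/payload", 1000, "bash"),
    ProcessEvent("chown", "chown 1000:1000 /var/tmp/stage", 1000, "sh"),
    ProcessEvent("chmod", "chmod 755 /tmp/build", 0, "bash"),
    ProcessEvent("chmod", "chmod 644 /home/user/notes.txt", 1000, "bash"),
    ProcessEvent("chmod", "chmod 700 /tmp/apt-key", 1000, "apt-get"),
    ProcessEvent("ls", "ls -la /tmp", 1000, "bash"),
]
```

Running `run_detection(SAMPLE_EVENTS)` returns only the first two events; tuning `ASSUMED_BENIGN_PARENTS` is where the summary's false-positive handling would live.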
Categories
- Endpoint
- Linux
Data Sources
- File
- Process
- Container
ATT&CK Techniques
- T1222
Created: 2020-04-21