Adversaries may use chmod to modify file permissions in abnormal directories, typically to make a dropped payload under /tmp executable or to loosen permissions on configuration under /etc, in support of defense evasion, privilege escalation or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify potential privilege escalation attempts and unauthorized access to sensitive system files.
Detection Rule
title: Chmod Suspicious Directory
id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
status: test
description: Detects chmod targeting files in abnormal directory paths.
references:
    - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-03
tags:
    - attack.defense-evasion
    - attack.t1222.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/chmod'
        CommandLine|contains:
            - '/tmp/'
            - '/.Library/'
            - '/etc/'
            - '/opt/'
    condition: selection
falsepositives:
    - Admin changing file permissions.
level: medium
imProcessCreate
| where TargetProcessName endswith "/chmod"
    and (TargetProcessCommandLine contains "/tmp/"
        or TargetProcessCommandLine contains "/.Library/"
        or TargetProcessCommandLine contains "/etc/"
        or TargetProcessCommandLine contains "/opt/")
Scenario: System Update via Package Manager
Description: A system update process uses chmod to adjust permissions on files under /etc as part of installing or updating packages. A path such as /usr/local/bin is not among the rule's indicators, so only the /etc case triggers the rule.
Filter/Exclusion: Filter on the parent process image of known package managers (apt, dpkg, yum, dnf, rpm) rather than on PIDs, which are ephemeral and cannot be maintained in a rule.
Scenario: Scheduled Job Configuration
Description: A cron job or systemd timer modifies directory permissions as part of a routine maintenance task, such as log rotation or temporary file cleanup.
Filter/Exclusion: Filter on parent process names such as cron, systemd or logrotate. Do not exclude /tmp outright, since it is one of the rule's indicators; /var/log is not in the rule's path list, so excluding it changes nothing.
Scenario: Admin Task – User Home Directory Setup
Description: An administrator uses chmod to set appropriate permissions on user home directories (e.g., /home/user) during user provisioning.
Filter/Exclusion: Standard home directories under /home/ are not in the rule's path list, so this scenario only fires when provisioning also touches a monitored path such as /etc/. Filter on the provisioning tool's parent process rather than on privileged accounts, since an attacker who has reached root would pass an account-based filter as well.
Scenario: Security Tool Configuration
Description: Installation or policy-deployment scripts for security tooling (e.g., auditd, AppArmor, SELinux utilities) may chmod their configuration or rules files under /etc/ when policies are deployed.
Filter/Exclusion: Filter on the parent process images of these tools' installers or management scripts (e.g., auditd, apparmor_parser, or the package manager that installed them). Avoid excluding /etc/ as a whole, since it is one of the rule's indicators.
Scenario: Development Environment Setup
Description: A developer uses chmod to adjust permissions on a project directory (e.g., /opt/myapp) so that team members can access shared resources. Since /opt/ is one of the rule's indicators, a blanket exclusion would blind it; scope any filter to the specific project path, the owning user, or the CI/deployment parent process.
Filter/Exclusion: Exclude paths that match known development directories (e.g., /opt, /var/www, `/
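The selection logic of the Sigma rule above, together with the parent-process tuning that the false-positive scenarios describe, as an added example that is not part of the original page, the Sigma project or Microsoft Sentinel. The event fields, the sample process-creation events and the allowlist of parent images are constructed assumptions for illustration; the indicators are copied from the rule.

```python
"""Added example (not the rule's, Sigma's or Sentinel's own code): the
'Chmod Suspicious Directory' selection applied to constructed Linux
process-creation events, plus a parent-image allowlist of the kind the
false-positive scenarios suggest. Field names and the allowlist are assumptions."""

from dataclasses import dataclass

# Indicators copied from the Sigma rule's selection block.
IMAGE_SUFFIX = "/chmod"
SUSPICIOUS_PATHS = ("/tmp/", "/.Library/", "/etc/", "/opt/")

# Assumed tuning list: parents whose chmod calls are routine on this host.
# Allowlisting the spawning image keeps the rule's path indicators intact.
ALLOWED_PARENT_IMAGES = frozenset({
    "/usr/bin/dpkg", "/usr/bin/apt-get", "/usr/bin/yum", "/usr/bin/dnf",
    "/usr/sbin/cron", "/usr/sbin/logrotate",
})


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record; fields mirror Sigma Image/CommandLine/ParentImage."""
    image: str
    command_line: str
    parent_image: str
    user: str


def matches_rule(ev: ProcessEvent) -> bool:
    """Sigma selection: Image|endswith '/chmod' AND CommandLine|contains any listed path.
    Sigma string modifiers and KQL contains/endswith are case-insensitive, so compare lowered."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    return image.endswith(IMAGE_SUFFIX) and any(p.lower() in cmd for p in SUSPICIOUS_PATHS)


def is_allowlisted(ev: ProcessEvent) -> bool:
    """Tuning step: suppress hits spawned by a known package manager or scheduler."""
    return ev.parent_image in ALLOWED_PARENT_IMAGES


def triage(events):
    """Split events into (alerts, suppressed): rule hits kept vs. hits dropped by the allowlist."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        (suppressed if is_allowlisted(ev) else alerts).append(ev)
    return alerts, suppressed


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Shell-spawned chmod making a dropped file executable under /tmp: alerts.
    ProcessEvent("/usr/bin/chmod", "chmod +x /tmp/.cache/update", "/bin/bash", "www-data"),
    # Package manager maintaining /etc during an upgrade: matches, but the parent is allowlisted.
    ProcessEvent("/usr/bin/chmod", "chmod 0640 /etc/ssh/sshd_config", "/usr/bin/dpkg", "root"),
    # Home directory provisioning: /home/ is not one of the rule's paths, so no match.
    ProcessEvent("/usr/bin/chmod", "chmod 0750 /home/alice", "/usr/bin/sudo", "root"),
    # Different binary on a monitored path: Image does not end with /chmod, no match.
    ProcessEvent("/usr/bin/chown", "chown root:root /etc/passwd", "/bin/bash", "root"),
    # Interactive chmod under /opt with odd casing: still matches, not allowlisted, alerts.
    ProcessEvent("/usr/bin/chmod", "CHMOD 700 /opt/myapp/.ssh", "/bin/sh", "deploy"),
    # Substring semantics: '/var/tmp/' contains '/tmp/', so this fires as well.
    ProcessEvent("/bin/chmod", "chmod 4755 /var/tmp/helper", "/usr/bin/python3", "backup"),
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print("ALERT   ", ev.user, ev.parent_image, "->", ev.command_line)
    for ev in suppressed:
        print("SUPPRESS", ev.user, ev.parent_image, "->", ev.command_line)
```

Two behaviours of the rule are worth noting from the run: the `contains` indicators are plain substring matches, so `/var/tmp/` and any other path containing `/tmp/` fire too, and suppression is keyed on the parent image rather than on a path, so the rule's own indicators are never removed by the tuning.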