Detectionmediumtest

Chmod Suspicious Directory

Detects chmod targeting files in abnormal directory paths.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Christopher Peacock, SCYTHECreated Fri Jun 036419afd1-3742-47a5-a7e6-b50386cd15f8linux

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '/chmod'
        CommandLine|contains:
            - '/tmp/'
            - '/.Library/'
            - '/etc/'
            - '/opt/'
    condition: selection

False Positives

Admin changing file permissions.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Other

attack.t1222.002

Rule Metadata

Rule ID

6419afd1-3742-47a5-a7e6-b50386cd15f8

Status

test

Level

medium

Type

Detection

Created

Fri Jun 03

Author

Christopher Peacock, SCYTHE

Path

rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml

Raw Tags

attack.defense-evasionattack.t1222.002

View on GitHub