Chmod Targeting Sensitive Directories
Detects chmod targeting files in sensitive directory paths on Linux systems. Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
Author: Christopher Peacock, SCYTHE
Created: Fri Jun 03
Updated: Wed Mar 18
Rule ID: 6419afd1-3742-47a5-a7e6-b50386cd15f8
Product: linux
Log Source
Product: Linux (raw: linux)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (7 selectors)
detection:
    selection:
        Image|endswith: '/chmod'
        CommandLine|contains:
            - '/tmp/'
            - '/.Library/'
            - '/etc/'
            - '/opt/'
    filter_main_update_shells:
        CommandLine|contains: 'chmod --reference=/etc/shells'
        ParentCommandLine|endswith: '/update-shells'
    filter_main_postinst:
        CommandLine|contains: '/etc/'
        ParentCommandLine|contains|all:
            - '/var/lib/dpkg/info/'
            - '.postinst configure'
    filter_main_apt_key:
        CommandLine|startswith: 'chmod 700 /tmp/apt-key-gpghome.'
    filter_main_mkinitramfs:
        CommandLine|startswith: 'chmod 755 /var/tmp/mkinitramfs'
    filter_main_landscape:
        CommandLine: 'chmod 0775 /etc/landscape/'
    filter_main_ubuntu_apparmor:
        CommandLine: 'chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu'
    condition: selection and not 1 of filter_main_*

False Positives
Some false positives are to be expected. Apply additional filters as needed before pushing to production.
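To make the selection-and-filter logic above concrete, here is an added example that is not part of the rule page or SigmaHQ's code: a small Python evaluator that transcribes the rule's detection section and runs it over constructed process-creation events. It implements only the subset of Sigma matching the rule needs (AND across a selector's fields, OR across a value list, `|all` to AND the list, and case-insensitive `endswith`/`startswith`/`contains`/equality). The field names come from the rule; the sample events, their command lines and the parent processes are constructed for illustration.

```python
"""Added example: minimal evaluator for the chmod-sensitive-directories Sigma
rule, run over constructed process-creation events. Illustration code for this
page, not SigmaHQ's rule or any backend's output. Implements only the Sigma
matching the rule uses: fields of one selector are ANDed, a value list is ORed
unless `|all` is set, and string matching is case-insensitive (Sigma default).
"""
from typing import Dict, List, Union

Event = Dict[str, str]
Spec = Dict[str, Union[str, List[str]]]

# Transcription of the rule's `detection` section as "field|modifiers": value.
SELECTION: Spec = {
    "Image|endswith": "/chmod",
    "CommandLine|contains": ["/tmp/", "/.Library/", "/etc/", "/opt/"],
}
FILTERS: Dict[str, Spec] = {
    "filter_main_update_shells": {
        "CommandLine|contains": "chmod --reference=/etc/shells",
        "ParentCommandLine|endswith": "/update-shells",
    },
    "filter_main_postinst": {
        "CommandLine|contains": "/etc/",
        "ParentCommandLine|contains|all": ["/var/lib/dpkg/info/", ".postinst configure"],
    },
    "filter_main_apt_key": {"CommandLine|startswith": "chmod 700 /tmp/apt-key-gpghome."},
    "filter_main_mkinitramfs": {"CommandLine|startswith": "chmod 755 /var/tmp/mkinitramfs"},
    "filter_main_landscape": {"CommandLine": "chmod 0775 /etc/landscape/"},
    "filter_main_ubuntu_apparmor": {
        "CommandLine": "chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu"
    },
}


def _field_matches(spec_key: str, wanted, event: Event) -> bool:
    """Evaluate one `field|modifiers` entry against an event (missing field = '')."""
    field, *mods = spec_key.split("|")
    actual = (event.get(field) or "").lower()
    values = [v.lower() for v in (wanted if isinstance(wanted, list) else [wanted])]
    ops = [m for m in mods if m != "all"]
    op = ops[0] if ops else "equals"

    def hit(v: str) -> bool:
        if op == "endswith":
            return actual.endswith(v)
        if op == "startswith":
            return actual.startswith(v)
        if op == "contains":
            return v in actual
        return actual == v

    combine = all if "all" in mods else any  # `|all` ANDs the list, default ORs it
    return combine(hit(v) for v in values)


def _selector_matches(spec: Spec, event: Event) -> bool:
    return all(_field_matches(k, v, event) for k, v in spec.items())


def rule_matches(event: Event) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if not _selector_matches(SELECTION, event):
        return False
    return not any(_selector_matches(f, event) for f in FILTERS.values())


def alerting_command_lines(events: List[Event]) -> List[str]:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # Hidden file under /tmp made executable from a shell: alerts.
    {"Image": "/usr/bin/chmod", "CommandLine": "chmod +x /tmp/.cache/update",
     "ParentCommandLine": "bash"},
    # Package maintainer script fixing a config file: suppressed by filter_main_postinst.
    {"Image": "/usr/bin/chmod", "CommandLine": "chmod 644 /etc/foo/foo.conf",
     "ParentCommandLine": "/bin/sh /var/lib/dpkg/info/foo.postinst configure 1.2-1"},
    # Same command line, but the parent is an interactive shell: alerts (expected FP
    # for an admin doing this by hand, which is what the False Positives note means).
    {"Image": "/usr/bin/chmod", "CommandLine": "chmod 644 /etc/foo/foo.conf",
     "ParentCommandLine": "bash"},
    # apt-key temporary GPG home: suppressed by filter_main_apt_key (prefix match).
    {"Image": "/bin/chmod", "CommandLine": "chmod 700 /tmp/apt-key-gpghome.Ab12Cd"},
    # Not one of the listed directories: no selection match.
    {"Image": "/bin/chmod", "CommandLine": "chmod 755 /home/alice/bin/tool"},
    # Not chmod at all: no selection match.
    {"Image": "/bin/chown", "CommandLine": "chown root:root /etc/passwd"},
]

if __name__ == "__main__":
    for line in alerting_command_lines(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Running it prints two alerts: the `/tmp/` chmod and the manual `/etc/` chmod. The third sample shows why the page expects false positives: the `filter_main_postinst` exception keys on the parent command line, so the same `chmod 644 /etc/...` run by an administrator from a shell still fires, and any site-specific suppression (a configuration-management parent, for instance) would be added as another `filter_main_*` selector rather than by loosening the selection.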
MITRE ATT&CK
Tactic: Defense Evasion (attack.defense-evasion)
Technique: T1222.002, Linux and Mac File and Directory Permissions Modification (attack.t1222.002)
Rule Metadata
Rule ID: 6419afd1-3742-47a5-a7e6-b50386cd15f8
Status: test
Level: medium
Type: Detection
Created: Fri Jun 03
Modified: Wed Mar 18
Author: Christopher Peacock, SCYTHE
Path: rules/linux/process_creation/proc_creation_lnx_chmod_targeting_sensitive_directories.yml
Raw Tags: attack.defense-evasion, attack.t1222.002