Detectionlowtest

File or Folder Permissions Change

Detects file and folder permission changes.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Jakob Weinzettl, oscd.communityCreated Mon Sep 23Updated Sat Nov 2774c01ace-0152-4094-8ae2-6fd776dd43e5linux

Log Source

Linuxauditd

ProductLinux← raw: linux

Serviceauditd← raw: auditd

Detection Logic

detection:
    selection:
        type: 'EXECVE'
        a0|contains:
            - 'chmod'
            - 'chown'
    condition: selection

False Positives

User interacting with files permissions (normal/daily behaviour).

References

MITRE ATT&CK

Tactics

Other

attack.t1222.002

Rule Metadata

Rule ID

74c01ace-0152-4094-8ae2-6fd776dd43e5

Status

test

Level

low

Type

Detection

Created

Mon Sep 23

Modified

Sat Nov 27

Author

Path

rules/linux/auditd/execve/lnx_auditd_file_or_folder_permissions.yml

Raw Tags

attack.defense-evasionattack.t1222.002