T1222.002

Linux and Mac File and Directory Permissions Modification

Adversaries modify file or directory permissions on Linux and macOS systems using chmod, chown, and chattr to evade access controls and enable further malicious activity. Common patterns include chmod +x or chmod 777 on payloads dropped in world-writable directories (/tmp, /dev/shm, /var/tmp), chattr +i to make persistence mechanisms immutable and undeletable, setuid bit setting (chmod 4755/+s) for privilege escalation, and chown root to escalate file ownership. Threat actors including TeamTNT, Rocke, Kinsing, APT32, and Black Basta have all leveraged these commands to prepare and protect malicious binaries. This technique frequently precedes or accompanies persistence (T1546.004 shell config modification, T1574 hijack execution flow) and execution techniques.

Microsoft Sentinel / Defender

kusto

let SuspiciousTargetPaths = dynamic(["/tmp/", "/dev/shm/", "/var/tmp/", "/run/", "/etc/cron", "/etc/init", "/etc/systemd/", ".bashrc", ".bash_profile", ".bash_logout", ".profile", ".ssh/", "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/usr/local/bin/", "/usr/bin/"]);
let SuspiciousChmodModes = dynamic(["777", "4755", "4777", "6755", "6777", "7777", "+s", "a+x", "a+w", "o+w", "o+x"]);
let SuspiciousParents = dynamic(["python", "python3", "perl", "ruby", "php", "node", "nginx", "apache2", "httpd", "lighttpd", "curl", "wget", "sh", "bash", "dash"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where OSPlatform in~ ("Linux", "macOS")
| where FileName in~ ("chmod", "chown", "chattr", "setfacl")
| extend ChmodSuid = ProcessCommandLine has_any (["4755", "4777", "6755", "6777", "+s"])
| extend ChmodWorldWritable = ProcessCommandLine has_any (["777", "a+w", "o+w", "0777"])
| extend ChmodExecutable = ProcessCommandLine has_any (["+x", "755", "a+x", "o+x"]) and ProcessCommandLine has_any(SuspiciousTargetPaths)
| extend ChattrImmutable = FileName =~ "chattr" and ProcessCommandLine has "+i"
| extend ChattrUnlock = FileName =~ "chattr" and ProcessCommandLine has "-i"
| extend ChownToRoot = FileName =~ "chown" and ProcessCommandLine has_any (["root:", ":root", " 0 ", " 0:", ":0 ", "root "])
| extend SuspiciousTarget = ProcessCommandLine has_any (SuspiciousTargetPaths)
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend RecursiveChange = ProcessCommandLine has_any (["-R ", "--recursive"])
| where ChmodSuid or ChmodWorldWritable or ChmodExecutable or ChattrImmutable or ChattrUnlock or ChownToRoot or (SuspiciousTarget and SuspiciousParent)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         ChmodSuid, ChmodWorldWritable, ChmodExecutable,
         ChattrImmutable, ChattrUnlock, ChownToRoot,
         SuspiciousTarget, SuspiciousParent, RecursiveChange
| sort by Timestamp desc

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (Linux/macOS agent)

Required Tables

DeviceProcessEvents

False Positives

Software package managers (apt, yum, dnf, brew) applying permissions during installation or upgrade
CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) making scripts executable as part of build steps
System administrators using chmod +x on deployment scripts or configuration files
Container entrypoint scripts that set file permissions during container initialization
Backup and restore operations using chown to restore original file ownership
Developer workstations where users frequently adjust file permissions for local development

Splunk

spl

((index=linux OR index=main) sourcetype="linux:audit" type=EXECVE
  (a0="chmod" OR a0="chown" OR a0="chattr" OR a0="setfacl"
   OR (a0="/bin/chmod" OR a0="/usr/bin/chmod"
       OR a0="/bin/chown" OR a0="/usr/bin/chown"
       OR a0="/usr/bin/chattr" OR a0="/sbin/chattr")))
OR
((index=linux OR index=main) sourcetype="syslog"
  ("chmod" OR "chown" OR "chattr")
  NOT ("man chmod" OR "--help" OR "dpkg" OR "rpm"))
| eval cmd=coalesce(a0, process)
| eval args=coalesce(mvjoin(mvfilter(match('mv_rest', "a\d+"), mv_rest), " "), cmd_args, "")
| eval full_cmdline=cmd." ".args
| eval ChmodSuid=if(match(full_cmdline, "(4755|4777|6755|6777|\+s|7777)"), 1, 0)
| eval ChmodWorldWritable=if(match(full_cmdline, "(777|a\+w|o\+w|0777)"), 1, 0)
| eval ChmodExecutable=if(match(full_cmdline, "(\+x|755|a\+x|o\+x)") AND match(full_cmdline, "(/tmp/|/dev/shm/|/var/tmp/|/run/)"), 1, 0)
| eval ChattrImmutable=if(match(cmd, "chattr") AND match(full_cmdline, "\+i"), 1, 0)
| eval ChattrUnlock=if(match(cmd, "chattr") AND match(full_cmdline, "\-i"), 1, 0)
| eval ChownToRoot=if(match(cmd, "chown") AND match(full_cmdline, "(root:|:root|\s0\s|\s0:|:0\s)"), 1, 0)
| eval SuspiciousPath=if(match(full_cmdline, "(/tmp/|/dev/shm/|/var/tmp/|/run/|/etc/cron|/etc/init|/etc/systemd|.bashrc|.bash_profile|.ssh/|/etc/passwd|/etc/shadow|/etc/sudoers)"), 1, 0)
| eval RecursiveChange=if(match(full_cmdline, "(-R |--recursive)"), 1, 0)
| eval RiskScore=ChmodSuid*4 + ChmodWorldWritable*3 + ChmodExecutable*2 + ChattrImmutable*4 + ChattrUnlock*2 + ChownToRoot*3 + SuspiciousPath*1 + RecursiveChange*1
| where RiskScore > 0
| eval user=coalesce(user, uid, auid, "unknown")
| table _time, host, user, cmd, full_cmdline, ppid, ChmodSuid, ChmodWorldWritable, ChmodExecutable, ChattrImmutable, ChattrUnlock, ChownToRoot, SuspiciousPath, RecursiveChange, RiskScore
| sort - _time

medium severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Linux auditd (EXECVE records) Linux syslog

Required Sourcetypes

linux:audit syslog

False Positives

Package managers (apt, yum, dnf) applying permissions during installation or post-install scripts
CI/CD self-hosted runners executing chmod +x on build artifacts
Ansible, Chef, Puppet, or Salt applying file permissions during configuration management runs
Container initialization scripts setting permissions on mounted volumes
Database engines (MySQL, PostgreSQL) adjusting socket or data directory permissions on startup

Elastic Security (EQL)

eql

process where host.os.type in ("linux", "macos")
  and event.type == "start"
  and process.name in ("chmod", "chown", "chattr", "setfacl")
  and (
    /* SUID/SGID bit setting — enables local privilege escalation */
    process.command_line like~ ("*4755*", "*4777*", "*6755*", "*6777*", "*+s*", "*7777*")
    or
    /* World-writable permission grants */
    process.command_line like~ ("*777*", "*a+w*", "*o+w*", "*0777*")
    or
    /* Executable bit set on files in world-writable staging directories */
    (
      process.command_line like~ ("*+x*", "*755*", "*a+x*", "*o+x*")
      and process.command_line like~ ("*/tmp/*", "*/dev/shm/*", "*/var/tmp/*", "*/run/*")
    )
    or
    /* chattr +i makes file immutable, protecting persistence mechanisms from deletion */
    (process.name == "chattr" and process.command_line like~ "*+i*")
    or
    /* chattr -i removes immutability to allow modification of protected files */
    (process.name == "chattr" and process.command_line like~ "*-i *")
    or
    /* chown root — escalates file ownership for privilege abuse */
    (process.name == "chown" and process.command_line like~ ("*root:*", "*:root*"))
    or
    /* Sensitive path modification spawned from scripting interpreter or web server */
    (
      process.command_line like~ (
        "*/tmp/*", "*/dev/shm/*", "*/etc/passwd*", "*/etc/shadow*",
        "*/etc/sudoers*", "*/.ssh/*", "*/etc/cron*", "*/etc/systemd/*",
        "*.bashrc*", "*.bash_profile*"
      )
      and process.parent.name in (
        "python", "python3", "perl", "ruby", "php", "node",
        "nginx", "apache2", "httpd", "lighttpd",
        "curl", "wget", "sh", "bash", "dash"
      )
    )
  )

high severity high confidence

Data Sources

Elastic Endpoint Security agent (Linux/macOS) Auditbeat process module Filebeat auditd module

Required Tables

logs-endpoint.events.process-* auditbeat-* .ds-logs-endpoint.events.process-*

False Positives

System administrators using chmod during routine software installation or post-install fixup scripts (e.g., fixing permissions after tarball extraction to /usr/local/bin)
CI/CD pipeline agents (Jenkins, GitHub Actions self-hosted runners, GitLab runners) setting executable permissions on build artifacts staged in /tmp before moving to deployment directories
Configuration management tools (Ansible, Puppet, Chef, SaltStack) performing authorized bulk permission corrections across managed hosts as part of CIS benchmark hardening playbooks
Container build processes (Docker multi-stage builds, Podman) using chmod on COPY-staged files before finalizing the image layer
Package manager post-install scripts (pip, npm install --global, cargo install) invoking chmod on installed binaries in /usr/local/bin

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  CATEGORYNAME(category) AS event_category
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Universal CEF', 'Linux auditd', 'Syslog')
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("Process Name") IN ('chmod', 'chown', 'chattr', 'setfacl')
    OR "Command" ILIKE '%/bin/chmod%'
    OR "Command" ILIKE '%/usr/bin/chmod%'
    OR "Command" ILIKE '%/usr/bin/chattr%'
    OR "Command" ILIKE '%/sbin/chattr%'
  )
  AND (
    /* SUID/SGID and world-writable modes */
    "Command" ILIKE '%4755%'
    OR "Command" ILIKE '%4777%'
    OR "Command" ILIKE '%6755%'
    OR "Command" ILIKE '%6777%'
    OR "Command" ILIKE '%7777%'
    OR "Command" ILIKE '%777%'
    OR "Command" ILIKE '%a+w%'
    OR "Command" ILIKE '%o+w%'
    OR "Command" ILIKE '%0777%'
    /* chattr immutable flag operations */
    OR ("Command" ILIKE '%chattr%' AND "Command" ILIKE '%+i%')
    OR ("Command" ILIKE '%chattr%' AND "Command" ILIKE '%-i %')
    /* chown root ownership transfer */
    OR ("Command" ILIKE '%chown%' AND "Command" ILIKE '%root:%')
    OR ("Command" ILIKE '%chown%' AND "Command" ILIKE '%:root%')
    /* Sensitive system file and directory targeting */
    OR "Command" ILIKE '%/tmp/%'
    OR "Command" ILIKE '%/dev/shm/%'
    OR "Command" ILIKE '%/var/tmp/%'
    OR "Command" ILIKE '%/etc/passwd%'
    OR "Command" ILIKE '%/etc/shadow%'
    OR "Command" ILIKE '%/etc/sudoers%'
    OR "Command" ILIKE '%/.ssh/%'
    OR "Command" ILIKE '%/etc/cron%'
    OR "Command" ILIKE '%/etc/systemd/%'
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

QRadar Linux OS DSM QRadar Universal CEF DSM Linux auditd forwarded via syslog IBM QRadar SIEM

Required Tables

events

False Positives

Authorized sysadmin activity such as resetting web server document root ownership after manual file transfers or emergency hotfixes applied directly on the host
Automated infrastructure management tools (Red Hat Satellite, Landscape Ubuntu Manager) correcting file ownership and permissions during scheduled patch cycles
Security hardening automation (CIS-CAT Pro remediator, OpenSCAP fix scripts) bulk-modifying permissions across the file system to enforce compliance baselines

Sumo Logic CSE

sql

(_sourceCategory=linux* OR _sourceCategory=*audit* OR _sourceCategory=*syslog*)
| where _raw matches /chmod|chown|chattr|setfacl/
| parse regex "(?:a0|cmd|process)=(?<process_cmd>[^\s=,;]+)" nodrop
| parse regex "a[1-3]=(?<args>[^\n]+)" nodrop
| where process_cmd in ("chmod", "chown", "chattr", "setfacl",
    "/bin/chmod", "/usr/bin/chmod",
    "/bin/chown", "/usr/bin/chown",
    "/usr/bin/chattr", "/sbin/chattr")
| if (isNull(args), process_cmd, concat(process_cmd, " ", args)) as full_cmdline
| if (full_cmdline matches "*4755*" OR full_cmdline matches "*4777*"
      OR full_cmdline matches "*6755*" OR full_cmdline matches "*6777*"
      OR full_cmdline matches "*+s*" OR full_cmdline matches "*7777*", 1, 0) as ChmodSuid
| if (full_cmdline matches "*777*" OR full_cmdline matches "*a+w*"
      OR full_cmdline matches "*o+w*" OR full_cmdline matches "*0777*", 1, 0) as ChmodWorldWritable
| if ((full_cmdline matches "*+x*" OR full_cmdline matches "*a+x*" OR full_cmdline matches "*o+x*")
      AND (full_cmdline matches "*/tmp/*" OR full_cmdline matches "*/dev/shm/*"
            OR full_cmdline matches "*/var/tmp/*"), 1, 0) as ChmodExecutable
| if (process_cmd matches "*chattr*" AND full_cmdline matches "* +i*", 1, 0) as ChattrImmutable
| if (process_cmd matches "*chattr*" AND full_cmdline matches "* -i *", 1, 0) as ChattrUnlock
| if (process_cmd matches "*chown*" AND
      (full_cmdline matches "*root:*" OR full_cmdline matches "*:root*"), 1, 0) as ChownToRoot
| if (full_cmdline matches "*/tmp/*" OR full_cmdline matches "*/dev/shm/*"
      OR full_cmdline matches "*/etc/cron*" OR full_cmdline matches "*/etc/systemd*"
      OR full_cmdline matches "*/.ssh/*" OR full_cmdline matches "*/etc/passwd*"
      OR full_cmdline matches "*/etc/shadow*" OR full_cmdline matches "*/etc/sudoers*", 1, 0) as SuspiciousPath
| if (full_cmdline matches "* -R *" OR full_cmdline matches "*--recursive*", 1, 0) as RecursiveChange
| ChmodSuid*4 + ChmodWorldWritable*3 + ChmodExecutable*2
    + ChattrImmutable*4 + ChattrUnlock*2 + ChownToRoot*3
    + SuspiciousPath*1 + RecursiveChange*1 as RiskScore
| where RiskScore > 0
| fields _messageTime, _sourceHost, user, process_cmd, full_cmdline,
    ChmodSuid, ChmodWorldWritable, ChmodExecutable,
    ChattrImmutable, ChattrUnlock, ChownToRoot,
    SuspiciousPath, RecursiveChange, RiskScore
| sort by RiskScore desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector (Linux hosts) Sumo Logic auditd log source Linux syslog forwarded to Sumo Logic Cloud SIEM

Required Tables

_sourceCategory=linux* _sourceCategory=*audit* _sourceCategory=*syslog*

False Positives

Infrastructure-as-code provisioning tools (Terraform provisioners, Ansible tasks) executing permission changes as part of host bootstrap playbooks during first-boot or re-provisioning
Package post-install hooks (pip, npm, cargo, gem, go install) invoking chmod on newly placed binaries in /usr/local/bin or project-local directories
Container startup scripts (entrypoint.sh, init.sh) that stage files in /tmp and set executable permissions before moving them to their final runtime path inside the container

Google Chronicle / SecOps

yaral

rule t1222_002_linux_file_permission_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1222.002 Linux/macOS file and directory permission modification via chmod, chown, chattr, or setfacl using dangerous modes or targeting sensitive system paths."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1222.002"
    severity = "HIGH"
    priority = "HIGH"
    created = "2025-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex(
      $e.target.process.file.full_path,
      `/(bin|usr/bin|usr/local/bin|sbin)/(chmod|chown|chattr|setfacl)$`
    )
    (
      // SUID/SGID bit setting — local privilege escalation vector
      re.regex($e.target.process.command_line, `(4755|4777|6755|6777|\+s|7777)`) or
      // World-writable permission grants
      re.regex($e.target.process.command_line, `(777|a\+w|o\+w|0777)`) or
      // Executable bit on files in world-writable staging directories
      (
        re.regex($e.target.process.command_line, `(\+x|a\+x|o\+x)`) and
        re.regex($e.target.process.command_line, `(/tmp/|/dev/shm/|/var/tmp/|/run/)`)
      ) or
      // chattr +i immutability flag — protects malicious persistence from deletion
      (
        re.regex($e.target.process.file.full_path, `chattr`) and
        re.regex($e.target.process.command_line, `\+i`)
      ) or
      // chattr -i removes immutability to permit modification of protected files
      (
        re.regex($e.target.process.file.full_path, `chattr`) and
        re.regex($e.target.process.command_line, `\-i( |$)`)
      ) or
      // chown root — escalates file ownership for privilege abuse
      (
        re.regex($e.target.process.file.full_path, `chown`) and
        re.regex($e.target.process.command_line, `(root:|:root)`)
      ) or
      // Sensitive credential and configuration file modification
      re.regex(
        $e.target.process.command_line,
        `(/etc/passwd|/etc/shadow|/etc/sudoers|\.ssh/|/etc/cron|/etc/systemd)`
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH events) Linux endpoint telemetry ingested into Chronicle via forwarder Chronicle Ingestion API with Auditd or EDR process data

Required Tables

UDM event_type PROCESS_LAUNCH

False Positives

Authorized administrative scripts run by privileged users that legitimately set ownership on application binaries in /usr/local/bin after manual compilation and installation from source
Automated patch management systems (Red Hat Satellite, SUSE Manager, Canonical Landscape) that correct file permissions after package upgrades or security patch application
Deployment pipelines that upload scripts to ephemeral staging areas and run chmod before moving artifacts to production application directories as part of a blue/green deploy

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName in values=["chmod", "chown", "chattr", "setfacl"]
| CommandLine = /4755|4777|6755|6777|\+s|7777|777|a\+w|o\+w|0777|\+i|-i |root:|:root|\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/etc\/passwd|\/etc\/shadow|\/etc\/sudoers|\.ssh\//i
| eval ChmodSuid := if(CommandLine = /4755|4777|6755|6777|\+s|7777/i, 1, 0)
| eval ChmodWorldWritable := if(CommandLine = /777|a\+w|o\+w|0777/, 1, 0)
| eval ChmodExecutable := if(
    CommandLine = /(\+x|a\+x|o\+x)/i
    and CommandLine = /\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/run\//i,
    1, 0)
| eval ChattrImmutable := if(FileName = "chattr" and CommandLine = /\+i/, 1, 0)
| eval ChattrUnlock := if(FileName = "chattr" and CommandLine = /-i( |$)/, 1, 0)
| eval ChownToRoot := if(FileName = "chown" and CommandLine = /root:|:root/, 1, 0)
| eval SuspiciousPath := if(
    CommandLine = /\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/run\/|\/etc\/cron|\/etc\/systemd|\.bashrc|\.ssh\/|\/etc\/passwd|\/etc\/shadow|\/etc\/sudoers/i,
    1, 0)
| eval RecursiveChange := if(CommandLine = /-R |--recursive/, 1, 0)
| eval RiskScore := ChmodSuid*4 + ChmodWorldWritable*3 + ChmodExecutable*2
    + ChattrImmutable*4 + ChattrUnlock*2 + ChownToRoot*3
    + SuspiciousPath*1 + RecursiveChange*1
| RiskScore > 0
| select([ComputerName, UserName, FileName, CommandLine,
    ParentBaseFileName, ParentProcessId,
    ChmodSuid, ChmodWorldWritable, ChmodExecutable,
    ChattrImmutable, ChattrUnlock, ChownToRoot,
    SuspiciousPath, RecursiveChange, RiskScore])
| sort([RiskScore], order=desc, limit=1000)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (Linux sensor) Falcon Insight XDR ProcessRollup2 telemetry CrowdStrike LogScale / Falcon NG-SIEM

Required Tables

#event_simpleName=ProcessRollup2

False Positives

Falcon-managed hosts running automated OS hardening or CIS-benchmark compliance scripts that bulk-adjust file permissions during first-boot provisioning or scheduled nightly remediation runs
Software build workflows where compilers or build systems (make, cmake, gradle, cargo) set executable permissions on compiled binaries or wrapper scripts staged in /tmp before installation to system paths
Kubernetes init containers and sidecar lifecycle hooks that drop scripts into shared emptyDir volumes and chmod them before the main application container starts up

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1222.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Linux and Mac File and Directory Permissions Modification

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections