T1222.002 Google Chronicle · YARA-L

Detect Linux and Mac File and Directory Permissions Modification in Google Chronicle

Adversaries modify file or directory permissions on Linux and macOS systems using chmod, chown, and chattr to evade access controls and enable further malicious activity. Common patterns include chmod +x or chmod 777 on payloads dropped in world-writable directories (/tmp, /dev/shm, /var/tmp), chattr +i to make persistence mechanisms immutable and undeletable, setuid bit setting (chmod 4755/+s) for privilege escalation, and chown root to escalate file ownership. Threat actors including TeamTNT, Rocke, Kinsing, APT32, and Black Basta have all leveraged these commands to prepare and protect malicious binaries. This technique frequently precedes or accompanies persistence (T1546.004 shell config modification, T1574 hijack execution flow) and execution techniques.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1222 File and Directory Permissions Modification
Sub-technique: T1222.002 Linux and Mac File and Directory Permissions Modification
Canonical reference: https://attack.mitre.org/techniques/T1222/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1222_002_linux_file_permission_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1222.002 Linux/macOS file and directory permission modification via chmod, chown, chattr, or setfacl using dangerous modes or targeting sensitive system paths."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1222.002"
    severity = "HIGH"
    priority = "HIGH"
    created = "2025-01-01"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex(
      $e.target.process.file.full_path,
      `/(bin|usr/bin|usr/local/bin|sbin)/(chmod|chown|chattr|setfacl)$`
    )
    (
      // SUID/SGID bit setting — local privilege escalation vector
      re.regex($e.target.process.command_line, `(4755|4777|6755|6777|\+s|7777)`) or
      // World-writable permission grants
      re.regex($e.target.process.command_line, `(777|a\+w|o\+w|0777)`) or
      // Executable bit on files in world-writable staging directories
      (
        re.regex($e.target.process.command_line, `(\+x|a\+x|o\+x)`) and
        re.regex($e.target.process.command_line, `(/tmp/|/dev/shm/|/var/tmp/|/run/)`)
      ) or
      // chattr +i immutability flag — protects malicious persistence from deletion
      (
        re.regex($e.target.process.file.full_path, `chattr`) and
        re.regex($e.target.process.command_line, `\+i`)
      ) or
      // chattr -i removes immutability to permit modification of protected files
      (
        re.regex($e.target.process.file.full_path, `chattr`) and
        re.regex($e.target.process.command_line, `\-i( |$)`)
      ) or
      // chown root — escalates file ownership for privilege abuse
      (
        re.regex($e.target.process.file.full_path, `chown`) and
        re.regex($e.target.process.command_line, `(root:|:root)`)
      ) or
      // Sensitive credential and configuration file modification
      re.regex(
        $e.target.process.command_line,
        `(/etc/passwd|/etc/shadow|/etc/sudoers|\.ssh/|/etc/cron|/etc/systemd)`
      )
    )

  condition:
    $e
}
Severity: HIGH. Confidence: HIGH.

Chronicle YARA-L 2.0 detection rule for T1222.002 identifying Linux and macOS file permission modification. Matches PROCESS_LAUNCH UDM events where chmod, chown, chattr, or setfacl is invoked with SUID/SGID modes, world-writable flags, chattr immutability operations, root ownership transfers, or modifications targeting sensitive credential and configuration files. Uses regex matching on target process full path and command-line UDM fields.
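To see which branch of the rule each command line trips, and where the regexes are broader than their comments suggest, the following is an added example (not the rule engine and not Argus code) that ports the matching logic above to Python and runs it over constructed UDM-shaped events. Field names are shortened stand-ins for target.process.file.full_path, target.process.command_line and the parent process path; the tuning allowlist and its package-manager paths are hypothetical placeholders, not part of the published rule.

```python
import re

# Added example: Python port of the YARA-L branches so they can be exercised offline.
# Keys used here are stand-ins for the UDM paths the rule reads (assumption, not UDM itself):
#   full_path    -> target.process.file.full_path
#   command_line -> target.process.command_line
#   parent_path  -> principal.process.file.full_path (used only by the hypothetical tuning)

BINARY_RE = re.compile(r"/(bin|usr/bin|usr/local/bin|sbin)/(chmod|chown|chattr|setfacl)$")


def _rx(pattern, text):
    return re.search(pattern, text) is not None


# One entry per branch of the rule's OR block, patterns copied verbatim from the rule.
BRANCHES = [
    ("suid_sgid", lambda p, c: _rx(r"(4755|4777|6755|6777|\+s|7777)", c)),
    ("world_writable", lambda p, c: _rx(r"(777|a\+w|o\+w|0777)", c)),
    ("exec_in_staging", lambda p, c: _rx(r"(\+x|a\+x|o\+x)", c)
                                       and _rx(r"(/tmp/|/dev/shm/|/var/tmp/|/run/)", c)),
    ("chattr_immutable", lambda p, c: _rx(r"chattr", p) and _rx(r"\+i", c)),
    ("chattr_mutable", lambda p, c: _rx(r"chattr", p) and _rx(r"\-i( |$)", c)),
    ("chown_root", lambda p, c: _rx(r"chown", p) and _rx(r"(root:|:root)", c)),
    ("sensitive_path", lambda p, c: _rx(
        r"(/etc/passwd|/etc/shadow|/etc/sudoers|\.ssh/|/etc/cron|/etc/systemd)", c)),
]


def matching_branches(event):
    """Return the names of the rule branches an event satisfies ([] means no detection)."""
    if event.get("event_type") != "PROCESS_LAUNCH":
        return []
    path, cmd = event["full_path"], event["command_line"]
    if not BINARY_RE.search(path):
        return []
    return [name for name, check in BRANCHES if check(path, cmd)]


# Hypothetical tuning layer (assumption, not part of the published rule): drop an alert only
# when the sensitive-path branch is the sole match and the parent is a package manager
# correcting permissions after a patch. Placeholder paths; validate against real telemetry.
TRUSTED_PATCH_PARENTS = {"/usr/bin/rpm", "/usr/bin/dpkg"}


def tuned_branches(event):
    branches = matching_branches(event)
    if branches == ["sensitive_path"] and event.get("parent_path") in TRUSTED_PATCH_PARENTS:
        return []
    return branches


def make_event(full_path, command_line, parent_path="/usr/bin/bash"):
    # Constructed event; only the fields the rule and the tuning read are populated.
    return {"event_type": "PROCESS_LAUNCH", "full_path": full_path,
            "command_line": command_line, "parent_path": parent_path}


# Constructed sample set: the five Testing Methodology cases, a macOS-style /bin/chmod call,
# two benign actions from the tuning list, and one regex edge case.
SAMPLE_EVENTS = {
    "test1_exec_staging": make_event("/usr/bin/chmod", "chmod +x /tmp/df00tech_test_payload.sh"),
    "test2_immutable": make_event("/usr/bin/chattr", "chattr +i /tmp/df00tech_immutable_test.bin"),
    "test3_suid": make_event("/usr/bin/chmod", "chmod 4755 /tmp/df00tech_suid_test"),
    "test4_chown_root": make_event("/usr/bin/chown", "chown root:root /tmp/df00tech_chown_test.bin"),
    "test5_world_writable": make_event("/usr/bin/chmod", "chmod 777 /tmp/df00tech_staging_dir"),
    "macos_setuid": make_event("/bin/chmod", "chmod u+s /usr/local/bin/tool"),
    "benign_install": make_event("/usr/bin/chmod", "chmod 755 /usr/local/bin/myapp"),
    "patch_cron_perms": make_event("/usr/bin/chmod", "chmod 0644 /etc/cron.d/sysstat",
                                   parent_path="/usr/bin/rpm"),
    "digits_in_path": make_event("/usr/bin/chmod", "chmod 755 /opt/build/7778f2a1/app"),
    "not_in_scope": make_event("/usr/bin/ls", "ls -la /tmp"),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(f"{name:22} raw={matching_branches(ev)} tuned={tuned_branches(ev)}")
```

Because the patterns are copied verbatim, the port also reproduces their substring behaviour: the "digits_in_path" case is a plain chmod 755 that fires the world-writable branch only because the build path contains 777. When triaging or tightening the rule, that is the kind of hit to expect; anchoring the numeric modes to a whole argument (for example surrounding whitespace) would narrow it without losing the five test cases. The tuning function deliberately never suppresses the SUID, chattr or chown-root branches, which have no routine patch-management explanation.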

Data Sources

  • Google Chronicle UDM (PROCESS_LAUNCH events)
  • Linux endpoint telemetry ingested into Chronicle via forwarder
  • Chronicle Ingestion API with Auditd or EDR process data

Required Tables

UDM event_type PROCESS_LAUNCH

False Positives & Tuning

  • Authorized administrative scripts run by privileged users that legitimately set ownership on application binaries in /usr/local/bin after manual compilation and installation from source
  • Automated patch management systems (Red Hat Satellite, SUSE Manager, Canonical Landscape) that correct file permissions after package upgrades or security patch application
  • Deployment pipelines that upload scripts to ephemeral staging areas and run chmod before moving artifacts to production application directories as part of a blue/green deploy

Testing Methodology

Validate this detection against the five Atomic Red Team test cases below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: chmod +x on Payload in /tmp (Executable Staging)

    Expected signal: auditd EXECVE record with a0=chmod, a1=+x, a2=/tmp/df00tech_test_payload.sh. Sysmon for Linux Event ID 1 (Process Create) with Image=/usr/bin/chmod, CommandLine='chmod +x /tmp/df00tech_test_payload.sh', ParentImage=/usr/bin/bash. MDE DeviceProcessEvents with FileName=chmod, ProcessCommandLine containing '+x' and '/tmp/'.

  2. Test 2: chattr +i Immutable Flag (Malware Persistence Protection)

    Expected signal: auditd EXECVE record with a0=chattr, a1=+i, a2=/tmp/df00tech_immutable_test.bin, uid=0. Sysmon for Linux Event ID 1 with Image=/usr/bin/chattr, CommandLine='chattr +i /tmp/df00tech_immutable_test.bin'. MDE DeviceProcessEvents with FileName=chattr, ProcessCommandLine containing '+i'.

  3. Test 3: chmod 4755 Setuid Binary Creation (Privilege Escalation Enablement)

    Expected signal: auditd SYSCALL record with syscall=268 (fchmodat), mode=0x89ED (4755 octal). EXECVE record with a0=chmod, a1=4755, a2=/tmp/df00tech_suid_test. MDE DeviceProcessEvents with ProcessCommandLine containing '4755'. The file will appear with 's' in ls -la output: -rwsr-xr-x.

  4. Test 4: chown root Ownership Transfer (Ownership Hijacking)

    Expected signal: auditd SYSCALL record with syscall=260 (fchownat), uid=0. EXECVE record with a0=chown, a1=root:root, a2=/tmp/df00tech_chown_test.bin. MDE DeviceProcessEvents with FileName=chown, ProcessCommandLine containing 'root:root' and '/tmp/'.

  5. Test 5: chmod 777 World-Writable Directory (Lateral Movement Staging)

    Expected signal: auditd EXECVE record with a0=chmod, a1=777, a2=/tmp/df00tech_staging_dir. Sysmon for Linux Event ID 1 with CommandLine='chmod 777 /tmp/df00tech_staging_dir'. MDE DeviceProcessEvents with ProcessCommandLine containing '777' and '/tmp/'.
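The expected signals above are quoted as auditd EXECVE and SYSCALL records, which a forwarder has to reassemble into one process event before the rule can read a command line. The following is an added example (not Argus code and not the Chronicle forwarder) of that reassembly: it parses constructed records shaped like the ones cited in the tests, decodes the hex-encoded arguments auditd emits for values containing spaces, maps the x86_64 syscall numbers the tests cite (268 fchmodat, 260 fchownat), and normalises the fchmodat mode argument to the octal string an analyst compares against the chmod argument. The sample records, serial numbers and the second command line with a space in its path are constructed.

```python
import re

# Constructed auditd records (not captured from a real host), shaped like the expected
# signals in the tests: one SYSCALL/EXECVE pair per invocation, sharing an audit serial.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1735689600.101:4242): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=5581a2c0 a2=9ed a3=0 items=1 ppid=1201 pid=1337 auid=1000 uid=0 gid=0 euid=0 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=EXECVE msg=audit(1735689600.101:4242): argc=3 a0="chmod" a1="4755" a2="/tmp/df00tech_suid_test"
type=SYSCALL msg=audit(1735689600.202:4243): arch=c000003e syscall=260 success=yes exit=0 a0=ffffff9c a1=5581a2d0 a2=0 a3=0 items=1 ppid=1201 pid=1338 auid=1000 uid=0 gid=0 euid=0 comm="chown" exe="/usr/bin/chown" key="perm_mod"
type=EXECVE msg=audit(1735689600.202:4243): argc=3 a0="chown" a1="root:root" a2="/tmp/df00tech_chown_test.bin"
type=EXECVE msg=audit(1735689600.303:4244): argc=3 a0="chmod" a1="+x" a2=2F746D702F6D79207061796C6F61642E7368
"""

# Syscall numbers as cited in the tests above; they are specific to x86_64.
SYSCALL_NAMES_X86_64 = {268: "fchmodat", 260: "fchownat"}

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
RECORD_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)")


def decode_arg(raw):
    """auditd quotes printable EXECVE arguments and hex-encodes ones containing spaces,
    quotes or control bytes; decode the bare all-hex form back to text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if re.fullmatch(r"[0-9A-Fa-f]+", raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def decode_mode(raw_hex):
    """Turn a hex mode (with or without a 0x prefix, with or without file-type bits)
    into the octal permission string that matches chmod's argument."""
    return format(int(raw_hex, 16) & 0o7777, "o")


def parse_record(line):
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    rec = {"type": rtype, "timestamp": float(ts), "serial": int(serial)}
    if rtype == "EXECVE":
        args = [decode_arg(fields[f"a{i}"]) for i in range(int(fields["argc"]))]
        rec["args"] = args
        rec["command_line"] = " ".join(args)
    elif rtype == "SYSCALL":
        num = int(fields["syscall"])
        rec["syscall"] = num
        rec["syscall_name"] = SYSCALL_NAMES_X86_64.get(num, "unknown")
        rec["uid"] = int(fields["uid"])
        rec["exe"] = decode_arg(fields["exe"])
        if rec["syscall_name"] == "fchmodat":
            rec["mode"] = decode_mode(fields["a2"])  # mode is the third argument
    return rec


def correlate(log_text):
    """Merge records that share an audit serial so argv (EXECVE) and the syscall details
    (SYSCALL) of one invocation land in a single event, as a forwarder would present them."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"], {})
        ev.update({k: v for k, v in rec.items() if k != "type"})
    return [events[s] for s in sorted(events)]


if __name__ == "__main__":
    for ev in correlate(SAMPLE_AUDIT_LOG):
        print(ev.get("serial"), ev.get("syscall_name"), ev.get("mode"), ev.get("command_line"))
```

The mode normalisation is why Test 3's quoted 0x89ED and a bare 9ed both read as 4755: masking with 0o7777 drops the regular-file type bit that some records carry while keeping the setuid bit, so the value lines up with the 's' in the ls -la output the test describes. An EXECVE record with no matching SYSCALL still yields a command line, which is enough for the rule's regexes, but the uid and syscall fields will be absent, so a parser should not assume both halves are always present.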
