T1222.002 Elastic Security · Elastic

Detect Linux and Mac File and Directory Permissions Modification in Elastic Security

Adversaries modify file or directory permissions on Linux and macOS systems using chmod, chown, and chattr to evade access controls and enable further malicious activity. Common patterns include chmod +x or chmod 777 on payloads dropped in world-writable directories (/tmp, /dev/shm, /var/tmp), chattr +i to make persistence mechanisms immutable and undeletable, setuid bit setting (chmod 4755/+s) for privilege escalation, and chown root to escalate file ownership. Threat actors including TeamTNT, Rocke, Kinsing, APT32, and Black Basta have all leveraged these commands to prepare and protect malicious binaries. This technique frequently precedes or accompanies persistence (T1546.004 shell config modification, T1574 hijack execution flow) and execution techniques.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1222 File and Directory Permissions Modification
Sub-technique: T1222.002 Linux and Mac File and Directory Permissions Modification
Canonical reference: https://attack.mitre.org/techniques/T1222/002/

Elastic Detection Query

Elastic Security EQL query:
process where host.os.type in ("linux", "macos")
  and event.type == "start"
  and process.name in ("chmod", "chown", "chattr", "setfacl")
  and (
    /* SUID/SGID bit setting — enables local privilege escalation */
    process.command_line like~ ("*4755*", "*4777*", "*6755*", "*6777*", "*+s*", "*7777*")
    or
    /* World-writable permission grants */
    process.command_line like~ ("*777*", "*a+w*", "*o+w*", "*0777*")
    or
    /* Executable bit set on files in world-writable staging directories */
    (
      process.command_line like~ ("*+x*", "*755*", "*a+x*", "*o+x*")
      and process.command_line like~ ("*/tmp/*", "*/dev/shm/*", "*/var/tmp/*", "*/run/*")
    )
    or
    /* chattr +i makes file immutable, protecting persistence mechanisms from deletion */
    (process.name == "chattr" and process.command_line like~ "*+i*")
    or
    /* chattr -i removes immutability to allow modification of protected files */
    (process.name == "chattr" and process.command_line like~ "*-i *")
    or
    /* chown root — escalates file ownership for privilege abuse */
    (process.name == "chown" and process.command_line like~ ("*root:*", "*:root*"))
    or
    /* Sensitive path modification spawned from scripting interpreter or web server */
    (
      process.command_line like~ (
        "*/tmp/*", "*/dev/shm/*", "*/etc/passwd*", "*/etc/shadow*",
        "*/etc/sudoers*", "*/.ssh/*", "*/etc/cron*", "*/etc/systemd/*",
        "*.bashrc*", "*.bash_profile*"
      )
      and process.parent.name in (
        "python", "python3", "perl", "ruby", "php", "node",
        "nginx", "apache2", "httpd", "lighttpd",
        "curl", "wget", "sh", "bash", "dash"
      )
    )
  )
Severity: high. Confidence: high.

Detects T1222.002 Linux and macOS file permission modification via chmod, chown, chattr, and setfacl. Covers SUID/SGID bit setting for privilege escalation, world-writable permission grants, chattr immutability flags protecting malicious persistence, root ownership transfers, and permission changes on sensitive system paths initiated from scripting interpreters or web servers. Designed for Elastic Endpoint or Auditbeat process telemetry using ECS field schema.
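To see which branch of the rule a given process event trips, and to check that benign administrative patterns do not fire, the following added example re-implements the query's logic in Python over constructed ECS-style events. It is not Elastic's code and does not run EQL; `like_ci` emulates the case-insensitive `like~` wildcard with `fnmatch`, the branch names are made up for readability, and the `excluded_parents` allowlist is a hypothetical tuning hook (for the CI runner and configuration-management sources listed under False Positives) that is not part of the rule itself.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of the ECS fields the rule reads (constructed for this example)."""
    os_type: str           # host.os.type
    event_type: str        # event.type
    name: str              # process.name
    command_line: str      # process.command_line
    parent_name: str = ""  # process.parent.name


STAGING_DIRS = ("*/tmp/*", "*/dev/shm/*", "*/var/tmp/*", "*/run/*")
SENSITIVE_PATHS = (
    "*/tmp/*", "*/dev/shm/*", "*/etc/passwd*", "*/etc/shadow*",
    "*/etc/sudoers*", "*/.ssh/*", "*/etc/cron*", "*/etc/systemd/*",
    "*.bashrc*", "*.bash_profile*",
)
RISKY_PARENTS = frozenset({
    "python", "python3", "perl", "ruby", "php", "node",
    "nginx", "apache2", "httpd", "lighttpd",
    "curl", "wget", "sh", "bash", "dash",
})


def like_ci(value, patterns):
    """Emulates EQL `like~`: case-insensitive glob match against one or more patterns."""
    if isinstance(patterns, str):
        patterns = (patterns,)
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def classify(ev, excluded_parents=frozenset()):
    """Returns the names of the rule branches the event matches; an empty list
    means the rule would not fire. `excluded_parents` is a hypothetical tuning
    allowlist (CI or config-management agents) that the real rule does not have."""
    if ev.os_type not in ("linux", "macos") or ev.event_type != "start":
        return []
    if ev.name not in ("chmod", "chown", "chattr", "setfacl"):
        return []
    if ev.parent_name in excluded_parents:
        return []
    cl = ev.command_line
    hits = []
    if like_ci(cl, ("*4755*", "*4777*", "*6755*", "*6777*", "*+s*", "*7777*")):
        hits.append("suid_sgid")
    if like_ci(cl, ("*777*", "*a+w*", "*o+w*", "*0777*")):
        hits.append("world_writable")
    if like_ci(cl, ("*+x*", "*755*", "*a+x*", "*o+x*")) and like_ci(cl, STAGING_DIRS):
        hits.append("exec_in_staging_dir")
    if ev.name == "chattr" and like_ci(cl, "*+i*"):
        hits.append("chattr_immutable")
    if ev.name == "chattr" and like_ci(cl, "*-i *"):
        hits.append("chattr_remove_immutable")
    if ev.name == "chown" and like_ci(cl, ("*root:*", "*:root*")):
        hits.append("chown_root")
    if like_ci(cl, SENSITIVE_PATHS) and ev.parent_name in RISKY_PARENTS:
        hits.append("sensitive_path_from_interpreter")
    return hits


# Constructed sample events: the page's test cases plus benign admin/CI activity.
# "Runner.Worker" is an assumed CI runner parent name used only for the tuning demo.
SAMPLES = {
    "payload_exec_tmp": ProcessEvent("linux", "start", "chmod", "chmod +x /tmp/payload.sh", "bash"),
    "immutable_cron":   ProcessEvent("linux", "start", "chattr", "chattr +i /etc/cron.d/update", "sh"),
    "suid_usr_local":   ProcessEvent("linux", "start", "chmod", "chmod 4755 /usr/local/bin/helper", "sudo"),
    "chown_root_tmp":   ProcessEvent("macos", "start", "chown", "chown root:wheel /tmp/agent", "python3"),
    "world_writable":   ProcessEvent("linux", "start", "chmod", "chmod 777 /var/tmp/stage", "bash"),
    "unlock_resolv":    ProcessEvent("linux", "start", "chattr", "chattr -i /etc/resolv.conf", "bash"),
    "postinstall_755":  ProcessEvent("linux", "start", "chmod", "chmod 755 /usr/local/bin/app", "make"),
    "ci_runner_tmp":    ProcessEvent("linux", "start", "chmod", "chmod +x /tmp/build/artifact", "Runner.Worker"),
}


def run_samples(excluded_parents=frozenset()):
    """Classifies every sample; returns {sample name: list of matched branches}."""
    return {k: classify(ev, excluded_parents) for k, ev in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:18} -> {hits or 'no alert'}")
```

Note that several of the page's own test commands match two branches at once (for example `chmod +x /tmp/...` spawned from bash matches both the staging-directory branch and the sensitive-path-from-interpreter branch), while the post-install `chmod 755 /usr/local/bin/app` matches the `*755*` pattern but not the staging-directory condition and so stays silent. That is the behaviour to preserve when adding exclusions: narrow the parent-process allowlist rather than loosening the path or mode patterns.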

Data Sources

  • Elastic Endpoint Security agent (Linux/macOS)
  • Auditbeat process module
  • Filebeat auditd module

Required Tables

  • logs-endpoint.events.process-*
  • auditbeat-*
  • .ds-logs-endpoint.events.process-*

False Positives & Tuning

  • System administrators using chmod during routine software installation or post-install fixup scripts (e.g., fixing permissions after tarball extraction to /usr/local/bin)
  • CI/CD pipeline agents (Jenkins, GitHub Actions self-hosted runners, GitLab runners) setting executable permissions on build artifacts staged in /tmp before moving to deployment directories
  • Configuration management tools (Ansible, Puppet, Chef, SaltStack) performing authorized bulk permission corrections across managed hosts as part of CIS benchmark hardening playbooks
  • Container build processes (Docker multi-stage builds, Podman) using chmod on COPY-staged files before finalizing the image layer
  • Package manager post-install scripts (pip, npm install --global, cargo install) invoking chmod on installed binaries in /usr/local/bin

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: chmod +x on Payload in /tmp (Executable Staging)

    Expected signal: auditd EXECVE record with a0=chmod, a1=+x, a2=/tmp/df00tech_test_payload.sh. Sysmon for Linux Event ID 1 (Process Create) with Image=/usr/bin/chmod, CommandLine='chmod +x /tmp/df00tech_test_payload.sh', ParentImage=/usr/bin/bash. MDE DeviceProcessEvents with FileName=chmod, ProcessCommandLine containing '+x' and '/tmp/'.

  2. Test 2: chattr +i Immutable Flag (Malware Persistence Protection)

    Expected signal: auditd EXECVE record with a0=chattr, a1=+i, a2=/tmp/df00tech_immutable_test.bin, uid=0. Sysmon for Linux Event ID 1 with Image=/usr/bin/chattr, CommandLine='chattr +i /tmp/df00tech_immutable_test.bin'. MDE DeviceProcessEvents with FileName=chattr, ProcessCommandLine containing '+i'.

  3. Test 3: chmod 4755 Setuid Binary Creation (Privilege Escalation Enablement)

    Expected signal: auditd SYSCALL record with syscall=268 (fchmodat), mode=0x89ED (4755 octal). EXECVE record with a0=chmod, a1=4755, a2=/tmp/df00tech_suid_test. MDE DeviceProcessEvents with ProcessCommandLine containing '4755'. The file will appear with 's' in ls -la output: -rwsr-xr-x.

  4. Test 4: chown root Ownership Transfer (Ownership Hijacking)

    Expected signal: auditd SYSCALL record with syscall=260 (fchownat), uid=0. EXECVE record with a0=chown, a1=root:root, a2=/tmp/df00tech_chown_test.bin. MDE DeviceProcessEvents with FileName=chown, ProcessCommandLine containing 'root:root' and '/tmp/'.

  5. Test 5: chmod 777 World-Writable Directory (Lateral Movement Staging)

    Expected signal: auditd EXECVE record with a0=chmod, a1=777, a2=/tmp/df00tech_staging_dir. Sysmon for Linux Event ID 1 with CommandLine='chmod 777 /tmp/df00tech_staging_dir'. MDE DeviceProcessEvents with ProcessCommandLine containing '777' and '/tmp/'.
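When validating the tests above against raw auditd output, the useful check is whether the SYSCALL and EXECVE halves of one event line up with the expected signal: syscall number 268 or 260 (fchmodat / fchownat on x86_64), the argv in a0..a2, and the mode value decoded back to octal so the setuid bit is visible. The following added example, which is not part of the page or of any vendor tooling, parses constructed auditd-style records laid out the way the expected-signal notes describe them (a `mode=0x89ED` field on the SYSCALL record is assumed; what a given auditd or ausearch configuration actually prints may differ), correlates them by audit serial, and reports those fields.

```python
import re
import stat

# x86_64 syscall numbers named on the page; auditd logs only the raw number
SYSCALL_NAMES = {268: "fchmodat", 260: "fchownat"}

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
EVENT_ID_RE = re.compile(r'audit\([\d.]+:(\d+)\)')


def parse_audit_record(line):
    """Splits one auditd line into a dict of key=value fields (quotes stripped)
    and adds 'event_id' from the msg=audit(timestamp:serial) header."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    m = EVENT_ID_RE.search(line)
    fields["event_id"] = m.group(1) if m else None
    return fields


def decode_mode(mode_str):
    """Decodes a mode value (hex such as 0x89ED, or octal such as 0100755) into
    the permission bits a reviewer cares about: 0x89ED -> 4755 with setuid set."""
    m = int(mode_str, 16) if mode_str.lower().startswith("0x") else int(mode_str, 8)
    perm = m & 0o7777  # drop the file-type bits (S_IFREG etc.)
    return {
        "perm": f"{perm:04o}",
        "setuid": bool(m & stat.S_ISUID),
        "setgid": bool(m & stat.S_ISGID),
        "world_writable": bool(m & stat.S_IWOTH),
    }


def correlate(lines):
    """Groups SYSCALL and EXECVE records by audit serial so both halves of one
    chmod/chown/chattr execution can be examined together."""
    events = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_audit_record(line)
        events.setdefault(rec["event_id"], {})[rec["type"]] = rec
    return events


def summarize(event):
    """Reduces one correlated event to the fields the expected-signal notes cite."""
    sc = event.get("SYSCALL", {})
    ex = event.get("EXECVE", {})
    argv = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
    out = {
        "tool": argv[0] if argv else sc.get("comm"),
        "argv": argv,
        "syscall": SYSCALL_NAMES.get(int(sc["syscall"])) if "syscall" in sc else None,
        "uid": sc.get("uid"),
        # any argument under a world-writable staging directory the rule watches
        "staging_dir": any(a.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")) for a in argv[1:]),
    }
    if "mode" in sc:
        out.update(decode_mode(sc["mode"]))
    return out


# Constructed sample records in the shape the page describes (not captured auditd output).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=268 success=yes exit=0 uid=0 comm="chmod" exe="/usr/bin/chmod" mode=0x89ED
type=EXECVE msg=audit(1700000000.101:201): argc=3 a0="chmod" a1="4755" a2="/tmp/df00tech_suid_test"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=260 success=yes exit=0 uid=0 comm="chown" exe="/usr/bin/chown"
type=EXECVE msg=audit(1700000000.102:202): argc=3 a0="chown" a1="root:root" a2="/tmp/df00tech_chown_test.bin"
type=EXECVE msg=audit(1700000000.103:203): argc=3 a0="chattr" a1="+i" a2="/tmp/df00tech_immutable_test.bin"
"""


def summarize_log(text=SAMPLE_LOG):
    """Returns {audit serial: summary dict} for every event in the log text."""
    return {eid: summarize(ev) for eid, ev in correlate(text.splitlines()).items()}


if __name__ == "__main__":
    for eid, s in summarize_log().items():
        print(eid, s)
```

Serial 201 decodes to perm `4755` with `setuid=True` and `syscall=fchmodat`, which is exactly what Test 3 expects; serial 203 has only an EXECVE half, which is the situation when the `chattr` ioctl path is not covered by a syscall audit rule and the command-line record is the only signal.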
