Detect Linux and Mac File and Directory Permissions Modification in CrowdStrike LogScale
Adversaries modify file or directory permissions on Linux and macOS systems with chmod, chown, and chattr to bypass discretionary access controls and enable further malicious activity (chattr is Linux-only; the macOS equivalent is chflags). Common patterns include chmod +x or chmod 777 on payloads dropped in world-writable directories (/tmp, /dev/shm, /var/tmp), chattr +i to make persistence mechanisms immutable and undeletable, setting the setuid bit (chmod 4755 or u+s) on a binary to enable privilege escalation, and chown root to hand ownership of a planted file to root. Threat actors including TeamTNT, Rocke, Kinsing, APT32, and Black Basta have all used these commands to prepare and protect malicious binaries. This technique frequently precedes or accompanies persistence (T1546.004 shell configuration modification, T1574 hijack execution flow) and execution techniques.
MITRE ATT&CK
- Tactic: Defense Evasion
- Sub-technique: T1222.002 Linux and Mac File and Directory Permissions Modification
- Canonical reference: https://attack.mitre.org/techniques/T1222/002/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| in(field=FileName, values=["chmod", "chown", "chattr", "setfacl"])
// Cheap pre-filter: keep only command lines carrying a dangerous mode, owner or path
| CommandLine = /4755|4777|6755|6777|\+s|7777|777|a\+w|o\+w|0777|\+i|-i(\s|$)|root:|:root|\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/etc\/passwd|\/etc\/shadow|\/etc\/sudoers|\.ssh\//i
// Behavioural flags: LogScale has no eval, so each flag is assigned with := inside a case block
| case { FileName = "chmod" AND CommandLine = /4755|4777|6755|6777|\+s|7777/i | ChmodSuid := 1; * | ChmodSuid := 0 }
| case { FileName = "chmod" AND CommandLine = /777|a\+w|o\+w/ | ChmodWorldWritable := 1; * | ChmodWorldWritable := 0 }
| case { FileName = "chmod" AND CommandLine = /\+x/i AND CommandLine = /\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/run\//i | ChmodExecutable := 1; * | ChmodExecutable := 0 }
| case { FileName = "chattr" AND CommandLine = /\+i/ | ChattrImmutable := 1; * | ChattrImmutable := 0 }
| case { FileName = "chattr" AND CommandLine = /-i(\s|$)/ | ChattrUnlock := 1; * | ChattrUnlock := 0 }
| case { FileName = "chown" AND CommandLine = /root:|:root/ | ChownToRoot := 1; * | ChownToRoot := 0 }
| case { CommandLine = /\/tmp\/|\/dev\/shm\/|\/var\/tmp\/|\/run\/|\/etc\/cron|\/etc\/systemd|\.bashrc|\.ssh\/|\/etc\/passwd|\/etc\/shadow|\/etc\/sudoers/i | SuspiciousPath := 1; * | SuspiciousPath := 0 }
| case { CommandLine = /(^|\s)-R\b|--recursive/ | RecursiveChange := 1; * | RecursiveChange := 0 }
// Weighted score: setuid and immutable flags weigh most; a chmod 4777 trips both ChmodSuid and ChmodWorldWritable by design
| RiskScore := ChmodSuid*4 + ChmodWorldWritable*3 + ChmodExecutable*2
    + ChattrImmutable*4 + ChattrUnlock*2 + ChownToRoot*3
    + SuspiciousPath*1 + RecursiveChange*1
| RiskScore > 0
| select([ComputerName, UserName, FileName, CommandLine,
    ParentBaseFileName, ParentProcessId,
    ChmodSuid, ChmodWorldWritable, ChmodExecutable,
    ChattrImmutable, ChattrUnlock, ChownToRoot,
    SuspiciousPath, RecursiveChange, RiskScore])
| sort([RiskScore], order=desc, limit=1000)
CrowdStrike Falcon LogScale (NG-SIEM) query detecting T1222.002 via ProcessRollup2 events. It filters for chmod, chown, chattr, and setfacl executions whose command lines match dangerous permission, ownership or path patterns, derives eight behavioural flags, and applies the same weighted risk scoring model as the SPL baseline to rank events by severity. Note that setfacl has no dedicated flag and is only scored through SuspiciousPath and RecursiveChange. Parent process name is surfaced for triage. Suitable for Falcon Insight XDR deployments with Linux sensor coverage.
Data Sources
Process creation and command-line telemetry from the Falcon Linux sensor (ProcessRollup2 events carrying FileName, CommandLine, UserName and parent process fields).
Required Tables
- ProcessRollup2 (#event_simpleName=ProcessRollup2)
False Positives & Tuning
- Falcon-managed hosts running automated OS hardening or CIS-benchmark compliance scripts that bulk-adjust file permissions during first-boot provisioning or scheduled nightly remediation runs
- Software build workflows where compilers or build systems (make, cmake, gradle, cargo) set executable permissions on compiled binaries or wrapper scripts staged in /tmp before installation to system paths
- Kubernetes init containers and sidecar lifecycle hooks that drop scripts into shared emptyDir volumes and chmod them before the main application container starts up
Testing Methodology
Validate this detection against the five test cases below, modelled on Atomic Red Team's T1222.002 atomics. Each test lists the behaviour to exercise and the telemetry you should expect to see in auditd, Sysmon for Linux and MDE; in Falcon, each should surface as a ProcessRollup2 event whose FileName and CommandLine match the query above. Executable commands and cleanup steps are available with Pro.
- Test 1: chmod +x on Payload in /tmp (Executable Staging)
Expected signal: auditd EXECVE record with a0=chmod, a1=+x, a2=/tmp/df00tech_test_payload.sh. Sysmon for Linux Event ID 1 (Process Create) with Image=/usr/bin/chmod, CommandLine='chmod +x /tmp/df00tech_test_payload.sh', ParentImage=/usr/bin/bash. MDE DeviceProcessEvents with FileName=chmod, ProcessCommandLine containing '+x' and '/tmp/'.
- Test 2: chattr +i Immutable Flag (Malware Persistence Protection)
Expected signal: auditd EXECVE record with a0=chattr, a1=+i, a2=/tmp/df00tech_immutable_test.bin, uid=0 (setting the immutable attribute requires CAP_LINUX_IMMUTABLE). Sysmon for Linux Event ID 1 with Image=/usr/bin/chattr, CommandLine='chattr +i /tmp/df00tech_immutable_test.bin'. MDE DeviceProcessEvents with FileName=chattr, ProcessCommandLine containing '+i'.
- Test 3: chmod 4755 Setuid Binary Creation (Privilege Escalation Enablement)
Expected signal: auditd SYSCALL record with syscall=268 (fchmodat on x86_64; the number is architecture-specific) and a2=9ed, the 04755 mode argument in hex; the associated PATH record shows mode=0104755 (regular file with mode 4755). EXECVE record with a0=chmod, a1=4755, a2=/tmp/df00tech_suid_test. MDE DeviceProcessEvents with ProcessCommandLine containing '4755'. The file will appear with 's' in ls -la output: -rwsr-xr-x.
- Test 4: chown root Ownership Transfer (Ownership Hijacking)
Expected signal: auditd SYSCALL record with syscall=260 (fchownat on x86_64), uid=0. EXECVE record with a0=chown, a1=root:root, a2=/tmp/df00tech_chown_test.bin. MDE DeviceProcessEvents with FileName=chown, ProcessCommandLine containing 'root:root' and '/tmp/'.
- Test 5: chmod 777 World-Writable Directory (Lateral Movement Staging)
Expected signal: auditd EXECVE record with a0=chmod, a1=777, a2=/tmp/df00tech_staging_dir. Sysmon for Linux Event ID 1 with CommandLine='chmod 777 /tmp/df00tech_staging_dir'. MDE DeviceProcessEvents with ProcessCommandLine containing '777' and '/tmp/'.
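The scoring model in the LogScale query and the five tests above can be checked outside LogScale before the query is deployed. The following Python is an added example, not part of this detection package or of CrowdStrike's tooling: it re-implements the query's pre-filter, eight flags and weights over hand-constructed ProcessRollup2-style events (the five test command lines from this page plus three controls: a chmod 4777 in /dev/shm, a chattr -i unlock under /etc/systemd, and a benign chmod 644 on a home-directory file). Field names follow Falcon's ProcessRollup2 schema; the events themselves are constructed, not real telemetry.

```python
"""Prototype of the T1222.002 LogScale risk-scoring model over sample events.

Added example (not part of the original detection package): it mirrors the
query's pre-filter, eight behavioural flags and weights so the scoring can be
checked against expected values before deployment. Field names follow Falcon
ProcessRollup2; the SAMPLE_EVENTS below are constructed, not real telemetry.
"""
import re

# Pre-filter: the query's first CommandLine regex (cheap triage before flagging).
PREFILTER = re.compile(
    r"4755|4777|6755|6777|\+s|7777|777|a\+w|o\+w|0777|\+i|-i(\s|$)|root:|:root"
    r"|/tmp/|/dev/shm/|/var/tmp/|/etc/passwd|/etc/shadow|/etc/sudoers|\.ssh/",
    re.IGNORECASE,
)
# One regex per flag, same alternations as the query.
SUID = re.compile(r"4755|4777|6755|6777|\+s|7777", re.IGNORECASE)
WORLD_WRITABLE = re.compile(r"777|a\+w|o\+w")  # 0777 is already covered by 777
EXEC_BIT = re.compile(r"\+x", re.IGNORECASE)
STAGING_DIR = re.compile(r"/tmp/|/dev/shm/|/var/tmp/|/run/", re.IGNORECASE)
IMMUTABLE = re.compile(r"\+i")
UNLOCK = re.compile(r"-i(\s|$)")
ROOT_OWNER = re.compile(r"root:|:root")
SUSPICIOUS_PATH = re.compile(
    r"/tmp/|/dev/shm/|/var/tmp/|/run/|/etc/cron|/etc/systemd|\.bashrc|\.ssh/"
    r"|/etc/passwd|/etc/shadow|/etc/sudoers",
    re.IGNORECASE,
)
RECURSIVE = re.compile(r"(^|\s)-R\b|--recursive")
TOOLS = ("chmod", "chown", "chattr", "setfacl")

# Weights copied from the query's RiskScore expression.
WEIGHTS = {
    "ChmodSuid": 4, "ChmodWorldWritable": 3, "ChmodExecutable": 2,
    "ChattrImmutable": 4, "ChattrUnlock": 2, "ChownToRoot": 3,
    "SuspiciousPath": 1, "RecursiveChange": 1,
}

# Constructed events: the page's five test command lines plus three controls.
SAMPLE_EVENTS = [
    {"FileName": "chmod", "CommandLine": "chmod +x /tmp/df00tech_test_payload.sh", "ParentBaseFileName": "bash"},
    {"FileName": "chattr", "CommandLine": "chattr +i /tmp/df00tech_immutable_test.bin", "ParentBaseFileName": "bash"},
    {"FileName": "chmod", "CommandLine": "chmod 4755 /tmp/df00tech_suid_test", "ParentBaseFileName": "bash"},
    {"FileName": "chown", "CommandLine": "chown root:root /tmp/df00tech_chown_test.bin", "ParentBaseFileName": "bash"},
    {"FileName": "chmod", "CommandLine": "chmod 777 /tmp/df00tech_staging_dir", "ParentBaseFileName": "bash"},
    {"FileName": "chmod", "CommandLine": "chmod 4777 /dev/shm/.x", "ParentBaseFileName": "sh"},  # setuid AND world-writable
    {"FileName": "chattr", "CommandLine": "chattr -i /etc/systemd/system/updater.service", "ParentBaseFileName": "sh"},  # unlock before tampering
    {"FileName": "chmod", "CommandLine": "chmod 644 /home/dev/notes.txt", "ParentBaseFileName": "bash"},  # benign, dropped by pre-filter
]


def score_event(event):
    """Return the event with its eight flags and RiskScore, or None when the
    query's FileName / pre-filter stage would already have dropped it."""
    name, cmd = event["FileName"], event["CommandLine"]
    if name not in TOOLS or not PREFILTER.search(cmd):
        return None
    hit = lambda rx: bool(rx.search(cmd))
    flags = {
        "ChmodSuid": int(name == "chmod" and hit(SUID)),
        "ChmodWorldWritable": int(name == "chmod" and hit(WORLD_WRITABLE)),
        "ChmodExecutable": int(name == "chmod" and hit(EXEC_BIT) and hit(STAGING_DIR)),
        "ChattrImmutable": int(name == "chattr" and hit(IMMUTABLE)),
        "ChattrUnlock": int(name == "chattr" and hit(UNLOCK)),
        "ChownToRoot": int(name == "chown" and hit(ROOT_OWNER)),
        "SuspiciousPath": int(hit(SUSPICIOUS_PATH)),
        "RecursiveChange": int(hit(RECURSIVE)),
    }
    flags["RiskScore"] = sum(WEIGHTS[k] * v for k, v in flags.items())
    return {**event, **flags}


def rank_events(events):
    """Equivalent of `| RiskScore > 0 | sort([RiskScore], order=desc)`."""
    scored = [s for s in map(score_event, events) if s and s["RiskScore"] > 0]
    return sorted(scored, key=lambda s: s["RiskScore"], reverse=True)


if __name__ == "__main__":
    for row in rank_events(SAMPLE_EVENTS):
        print(f"{row['RiskScore']:>2}  {row['FileName']:<6} {row['CommandLine']}")
```

Running it prints the ranked hits: the chmod 4777 event scores highest (8) because it trips both ChmodSuid and ChmodWorldWritable, which is the intended double-count; the five page tests land at 3 to 5; the chattr -i unlock scores 3 via ChattrUnlock plus the /etc/systemd path; and the chmod 644 on a home-directory file never reaches scoring because the pre-filter drops it. Re-running the same harness after any regex change confirms that the ranking of the page's test cases has not silently shifted.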
References (12)
- https://attack.mitre.org/techniques/T1222/002/
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
- https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
- https://blog.trendmicro.com/trendlabs-security-intelligence/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger/
- https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/coathanger/COATHANGER+TLP-CLEAR.pdf
- https://www.uptycs.com/blog/black-basta-ransomware-goes-after-esxi-servers
- https://research.checkpoint.com/2017/dok-malware-gains-root-privileges-on-macs-installs-new-root-certificate-and-patches-systems-proxy/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux
- https://linux.die.net/man/1/chattr
- https://www.man7.org/linux/man-pages/man2/chmod.2.html