T1222.002 IBM QRadar · QRadar

Detect Linux and Mac File and Directory Permissions Modification in IBM QRadar

Adversaries modify file or directory permissions on Linux and macOS systems using chmod, chown, and chattr to evade access controls and enable further malicious activity. Common patterns include chmod +x or chmod 777 on payloads dropped in world-writable directories (/tmp, /dev/shm, /var/tmp), chattr +i to make persistence mechanisms immutable and undeletable, setuid bit setting (chmod 4755/+s) for privilege escalation, and chown root to escalate file ownership. Threat actors including TeamTNT, Rocke, Kinsing, APT32, and Black Basta have all leveraged these commands to prepare and protect malicious binaries. This technique frequently precedes or accompanies persistence (T1546.004 shell config modification, T1574 hijack execution flow) and execution techniques.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1222 File and Directory Permissions Modification
Sub-technique
T1222.002 Linux and Mac File and Directory Permissions Modification
Canonical reference
https://attack.mitre.org/techniques/T1222/002/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip AS host_ip,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  CATEGORYNAME(category) AS event_category
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Universal CEF', 'Linux auditd', 'Syslog')
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND (
    LOWER("Process Name") IN ('chmod', 'chown', 'chattr', 'setfacl')
    OR "Command" ILIKE '%/bin/chmod%'
    OR "Command" ILIKE '%/usr/bin/chmod%'
    OR "Command" ILIKE '%/usr/bin/chattr%'
    OR "Command" ILIKE '%/sbin/chattr%'
  )
  AND (
    /* SUID/SGID and world-writable modes */
    "Command" ILIKE '%4755%'
    OR "Command" ILIKE '%4777%'
    OR "Command" ILIKE '%6755%'
    OR "Command" ILIKE '%6777%'
    OR "Command" ILIKE '%7777%'
    OR "Command" ILIKE '%777%'
    OR "Command" ILIKE '%a+w%'
    OR "Command" ILIKE '%o+w%'
    OR "Command" ILIKE '%0777%'
    /* chattr immutable flag operations */
    OR ("Command" ILIKE '%chattr%' AND "Command" ILIKE '%+i%')
    OR ("Command" ILIKE '%chattr%' AND "Command" ILIKE '%-i %')
    /* chown root ownership transfer */
    OR ("Command" ILIKE '%chown%' AND "Command" ILIKE '%root:%')
    OR ("Command" ILIKE '%chown%' AND "Command" ILIKE '%:root%')
    /* Sensitive system file and directory targeting */
    OR "Command" ILIKE '%/tmp/%'
    OR "Command" ILIKE '%/dev/shm/%'
    OR "Command" ILIKE '%/var/tmp/%'
    OR "Command" ILIKE '%/etc/passwd%'
    OR "Command" ILIKE '%/etc/shadow%'
    OR "Command" ILIKE '%/etc/sudoers%'
    OR "Command" ILIKE '%/.ssh/%'
    OR "Command" ILIKE '%/etc/cron%'
    OR "Command" ILIKE '%/etc/systemd/%'
  )
ORDER BY starttime DESC
high severity medium confidence

QRadar AQL query detecting T1222.002 Linux file permission modification by querying process execution events from Linux OS, auditd, and syslog log sources. Filters on chmod, chown, chattr, and setfacl invocations with dangerous permission modes or sensitive target paths. Relies on QRadar DSM normalization of Process Name and Command fields from Linux auditd EXECVE records or CEF-forwarded process events.

Data Sources

QRadar Linux OS DSMQRadar Universal CEF DSMLinux auditd forwarded via syslogIBM QRadar SIEM

Required Tables

events

False Positives & Tuning

  • Authorized sysadmin activity such as resetting web server document root ownership after manual file transfers or emergency hotfixes applied directly on the host
  • Automated infrastructure management tools (Red Hat Satellite, Landscape Ubuntu Manager) correcting file ownership and permissions during scheduled patch cycles
  • Security hardening automation (CIS-CAT Pro remediator, OpenSCAP fix scripts) bulk-modifying permissions across the file system to enforce compliance baselines
Download portable Sigma rule (.yml)

Other platforms for T1222.002

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1chmod +x on Payload in /tmp (Executable Staging)

    Expected signal: auditd EXECVE record with a0=chmod, a1=+x, a2=/tmp/df00tech_test_payload.sh. Sysmon for Linux Event ID 1 (Process Create) with Image=/usr/bin/chmod, CommandLine='chmod +x /tmp/df00tech_test_payload.sh', ParentImage=/usr/bin/bash. MDE DeviceProcessEvents with FileName=chmod, ProcessCommandLine containing '+x' and '/tmp/'.

  2. Test 2chattr +i Immutable Flag (Malware Persistence Protection)

    Expected signal: auditd EXECVE record with a0=chattr, a1=+i, a2=/tmp/df00tech_immutable_test.bin, uid=0. Sysmon for Linux Event ID 1 with Image=/usr/bin/chattr, CommandLine='chattr +i /tmp/df00tech_immutable_test.bin'. MDE DeviceProcessEvents with FileName=chattr, ProcessCommandLine containing '+i'.

  3. Test 3chmod 4755 Setuid Binary Creation (Privilege Escalation Enablement)

    Expected signal: auditd SYSCALL record with syscall=268 (fchmodat), mode=0x89ED (4755 octal). EXECVE record with a0=chmod, a1=4755, a2=/tmp/df00tech_suid_test. MDE DeviceProcessEvents with ProcessCommandLine containing '4755'. The file will appear with 's' in ls -la output: -rwsr-xr-x.

  4. Test 4chown root Ownership Transfer (Ownership Hijacking)

    Expected signal: auditd SYSCALL record with syscall=260 (fchownat), uid=0. EXECVE record with a0=chown, a1=root:root, a2=/tmp/df00tech_chown_test.bin. MDE DeviceProcessEvents with FileName=chown, ProcessCommandLine containing 'root:root' and '/tmp/'.

  5. Test 5chmod 777 World-Writable Directory (Lateral Movement Staging)

    Expected signal: auditd EXECVE record with a0=chmod, a1=777, a2=/tmp/df00tech_staging_dir. Sysmon for Linux Event ID 1 with CommandLine='chmod 777 /tmp/df00tech_staging_dir'. MDE DeviceProcessEvents with ProcessCommandLine containing '777' and '/tmp/'.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1222.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1222File and Directory Permissions Modification

Related Sub-techniques

T1222.001Windows File and Directory Permissions Modification

Related Techniques

T1222File and Directory Permissions ModificationT1222.001Windows File and Directory Permissions ModificationT1546.004Unix Shell Configuration ModificationT1574.006Dynamic Linker HijackingT1574.007Path Interception by PATH Environment VariableT1053.003CronT1059.004Unix ShellT1068Exploitation for Privilege EscalationT1564.001Hidden Files and DirectoriesT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections