Detect Linux and Mac File and Directory Permissions Modification in Microsoft Sentinel
Adversaries modify file or directory permissions on Linux and macOS systems using chmod, chown, and chattr to evade access controls and enable further malicious activity. Common patterns include chmod +x or chmod 777 on payloads dropped in world-writable directories (/tmp, /dev/shm, /var/tmp), chattr +i to make persistence mechanisms immutable and undeletable, setuid bit setting (chmod 4755/+s) for privilege escalation, and chown root to escalate file ownership. Threat actors including TeamTNT, Rocke, Kinsing, APT32, and Black Basta have all leveraged these commands to prepare and protect malicious binaries. This technique frequently precedes or accompanies persistence (T1546.004 shell config modification, T1574 hijack execution flow) and execution techniques.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Sub-technique
- T1222.002 Linux and Mac File and Directory Permissions Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1222/002/
KQL Detection Query
let SuspiciousTargetPaths = dynamic(["/tmp/", "/dev/shm/", "/var/tmp/", "/run/", "/etc/cron", "/etc/init", "/etc/systemd/", ".bashrc", ".bash_profile", ".bash_logout", ".profile", ".ssh/", "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/usr/local/bin/", "/usr/bin/"]);
let SuspiciousChmodModes = dynamic(["777", "4755", "4777", "6755", "6777", "7777", "+s", "a+x", "a+w", "o+w", "o+x"]);
let SuspiciousParents = dynamic(["python", "python3", "perl", "ruby", "php", "node", "nginx", "apache2", "httpd", "lighttpd", "curl", "wget", "sh", "bash", "dash"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where OSPlatform in~ ("Linux", "macOS")
| where FileName in~ ("chmod", "chown", "chattr", "setfacl")
| extend ChmodSuid = ProcessCommandLine has_any (["4755", "4777", "6755", "6777", "+s"])
| extend ChmodWorldWritable = ProcessCommandLine has_any (["777", "a+w", "o+w", "0777"])
| extend ChmodExecutable = ProcessCommandLine has_any (["+x", "755", "a+x", "o+x"]) and ProcessCommandLine has_any(SuspiciousTargetPaths)
| extend ChattrImmutable = FileName =~ "chattr" and ProcessCommandLine has "+i"
| extend ChattrUnlock = FileName =~ "chattr" and ProcessCommandLine has "-i"
| extend ChownToRoot = FileName =~ "chown" and ProcessCommandLine has_any (["root:", ":root", " 0 ", " 0:", ":0 ", "root "])
| extend SuspiciousTarget = ProcessCommandLine has_any (SuspiciousTargetPaths)
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend RecursiveChange = ProcessCommandLine has_any (["-R ", "--recursive"])
| where ChmodSuid or ChmodWorldWritable or ChmodExecutable or ChattrImmutable or ChattrUnlock or ChownToRoot or (SuspiciousTarget and SuspiciousParent)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine,
ChmodSuid, ChmodWorldWritable, ChmodExecutable,
ChattrImmutable, ChattrUnlock, ChownToRoot,
SuspiciousTarget, SuspiciousParent, RecursiveChange
| sort by Timestamp descDetects suspicious file and directory permission modifications on Linux and macOS endpoints via Microsoft Defender for Endpoint (MDE) DeviceProcessEvents. Identifies high-risk chmod patterns (setuid bit, world-writable, world-executable on suspicious paths), chattr +i immutability flags used by cryptominers and malware to protect persistence, chown root ownership changes, and permission modifications initiated by scripting interpreters or web servers — a common indicator of post-exploitation or webshell activity.
Data Sources
Required Tables
False Positives & Tuning
- Software package managers (apt, yum, dnf, brew) applying permissions during installation or upgrade
- CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) making scripts executable as part of build steps
- System administrators using chmod +x on deployment scripts or configuration files
- Container entrypoint scripts that set file permissions during container initialization
- Backup and restore operations using chown to restore original file ownership
- Developer workstations where users frequently adjust file permissions for local development
Other platforms for T1222.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1chmod +x on Payload in /tmp (Executable Staging)
Expected signal: auditd EXECVE record with a0=chmod, a1=+x, a2=/tmp/df00tech_test_payload.sh. Sysmon for Linux Event ID 1 (Process Create) with Image=/usr/bin/chmod, CommandLine='chmod +x /tmp/df00tech_test_payload.sh', ParentImage=/usr/bin/bash. MDE DeviceProcessEvents with FileName=chmod, ProcessCommandLine containing '+x' and '/tmp/'.
- Test 2chattr +i Immutable Flag (Malware Persistence Protection)
Expected signal: auditd EXECVE record with a0=chattr, a1=+i, a2=/tmp/df00tech_immutable_test.bin, uid=0. Sysmon for Linux Event ID 1 with Image=/usr/bin/chattr, CommandLine='chattr +i /tmp/df00tech_immutable_test.bin'. MDE DeviceProcessEvents with FileName=chattr, ProcessCommandLine containing '+i'.
- Test 3chmod 4755 Setuid Binary Creation (Privilege Escalation Enablement)
Expected signal: auditd SYSCALL record with syscall=268 (fchmodat), mode=0x89ED (4755 octal). EXECVE record with a0=chmod, a1=4755, a2=/tmp/df00tech_suid_test. MDE DeviceProcessEvents with ProcessCommandLine containing '4755'. The file will appear with 's' in ls -la output: -rwsr-xr-x.
- Test 4chown root Ownership Transfer (Ownership Hijacking)
Expected signal: auditd SYSCALL record with syscall=260 (fchownat), uid=0. EXECVE record with a0=chown, a1=root:root, a2=/tmp/df00tech_chown_test.bin. MDE DeviceProcessEvents with FileName=chown, ProcessCommandLine containing 'root:root' and '/tmp/'.
- Test 5chmod 777 World-Writable Directory (Lateral Movement Staging)
Expected signal: auditd EXECVE record with a0=chmod, a1=777, a2=/tmp/df00tech_staging_dir. Sysmon for Linux Event ID 1 with CommandLine='chmod 777 /tmp/df00tech_staging_dir'. MDE DeviceProcessEvents with ProcessCommandLine containing '777' and '/tmp/'.
References (12)
- https://attack.mitre.org/techniques/T1222/002/
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
- https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
- https://blog.trendmicro.com/trendlabs-security-intelligence/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger/
- https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/coathanger/COATHANGER+TLP-CLEAR.pdf
- https://www.uptycs.com/blog/black-basta-ransomware-goes-after-esxi-servers
- https://research.checkpoint.com/2017/dok-malware-gains-root-privileges-on-macs-installs-new-root-certificate-and-patches-systems-proxy/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux
- https://linux.die.net/man/1/chattr
- https://www.man7.org/linux/man-pages/man2/chmod.2.html
Unlock Pro Content
Get the full detection package for T1222.002 including response playbook, investigation guide, and atomic red team tests.