Detect Linux and Mac File and Directory Permissions Modification in Splunk
Adversaries modify file and directory permissions on Linux and macOS hosts with chmod, chown and chattr to get around access controls and to prepare, protect or hide later stages of an intrusion. Common patterns include chmod +x or chmod 777 on payloads dropped in world-writable directories (/tmp, /dev/shm, /var/tmp), chattr +i to make persistence artefacts immutable so they cannot be edited or deleted, setting the setuid bit (chmod 4755 or u+s) on a binary as a privilege-escalation foothold, and chown root:root so that a staged binary is root-owned, which is what makes a setuid bit on it dangerous. Threat actors including TeamTNT, Rocke, Kinsing, APT32 and Black Basta have used these commands to stage and protect malicious binaries. The technique frequently precedes or accompanies persistence (T1546.004, Unix shell configuration modification; T1574, hijack execution flow) and execution techniques.
MITRE ATT&CK
- Tactic: Defense Evasion
- Sub-technique: T1222.002 Linux and Mac File and Directory Permissions Modification
- Canonical reference: https://attack.mitre.org/techniques/T1222/002/
SPL Detection Query
((index=linux OR index=main) sourcetype="linux:audit" type=EXECVE
    a0 IN ("chmod", "chown", "chattr", "setfacl",
           "/bin/chmod", "/usr/bin/chmod", "/bin/chown", "/usr/bin/chown",
           "/usr/bin/chattr", "/sbin/chattr", "/bin/setfacl", "/usr/bin/setfacl"))
OR
((index=linux OR index=main) sourcetype="syslog"
    ("chmod" OR "chown" OR "chattr" OR "setfacl")
    NOT ("man chmod" OR "--help" OR "dpkg" OR "rpm"))
| eval cmd=coalesce(a0, process)
| eval args=""
| foreach a1 a2 a3 a4 a5 a6 a7 a8 a9 [eval args=if(isnull('<<FIELD>>'), args, args." ".'<<FIELD>>')]
| eval args=coalesce(nullif(trim(args), ""), cmd_args, "")
| eval full_cmdline=cmd." ".args
| eval ChmodSuid=if(match(cmd, "chmod") AND match(full_cmdline, "(^|\s)0?[4-7][0-7]{3}(\s|$)|\+s"), 1, 0)
| eval ChmodWorldWritable=if(match(cmd, "chmod") AND match(full_cmdline, "(^|\s)[0-7]{2,3}[2367](\s|$)|[ao]\+[rx]*w"), 1, 0)
| eval ChmodExecutable=if(match(cmd, "chmod") AND match(full_cmdline, "\+x|(^|\s)[0-7]{2,3}[1357](\s|$)") AND match(full_cmdline, "(/tmp/|/dev/shm/|/var/tmp/|/run/)"), 1, 0)
| eval ChattrImmutable=if(match(cmd, "chattr") AND match(full_cmdline, "(^|\s)\+[a-zA-Z]*i"), 1, 0)
| eval ChattrUnlock=if(match(cmd, "chattr") AND match(full_cmdline, "(^|\s)-[a-zA-Z]*i"), 1, 0)
| eval ChownToRoot=if(match(cmd, "chown") AND match(full_cmdline, "(^|\s)(root|0)(\s|:|$)|:(root|0)(\s|$)"), 1, 0)
| eval SuspiciousPath=if(match(full_cmdline, "(/tmp/|/dev/shm/|/var/tmp/|/run/|/etc/cron|/etc/init|/etc/systemd|\.bashrc|\.bash_profile|\.zshrc|\.ssh/|/etc/passwd|/etc/shadow|/etc/sudoers)"), 1, 0)
| eval RecursiveChange=if(match(full_cmdline, "(^|\s)-[a-zA-Z]*R|--recursive"), 1, 0)
| eval RiskScore=ChmodSuid*4 + ChmodWorldWritable*3 + ChmodExecutable*2 + ChattrImmutable*4 + ChattrUnlock*2 + ChownToRoot*3 + SuspiciousPath*1 + RecursiveChange*1
| where RiskScore > 0
| eval user=coalesce(user, uid, auid, "unknown")
| table _time, host, user, cmd, full_cmdline, ppid, ChmodSuid, ChmodWorldWritable, ChmodExecutable, ChattrImmutable, ChattrUnlock, ChownToRoot, SuspiciousPath, RecursiveChange, RiskScore
| sort - _time
Detects suspicious permission and ownership changes on Linux hosts from auditd EXECVE records, with a syslog fallback for hosts that only forward process logging. It evaluates chmod, chown, chattr and setfacl invocations, whether called by bare name or absolute path, against several risk dimensions: the setuid bit (highest weight, since a setuid-root binary is a direct privilege-escalation path), world-writable modes, executable modes applied inside staging directories, chattr +i immutability (a cryptominer and rootkit persistence trick, with chattr -i as the matching unlock), chown to root, changes to high-risk paths, and recursive changes. The weighted RiskScore lets analysts triage the highest-confidence hits first; the mode patterns anchor on whitespace so that "755" does not also count as "4755" and vice versa.
Three caveats are worth checking before deploying this. First, EXECVE records carry only argv; uid, auid and ppid are on the SYSCALL record that shares the same audit serial, so the user and ppid columns are populated only if your add-on merges the records of one audit event (otherwise join on the serial). Second, auditd writes any argument containing whitespace or non-printable characters as unquoted hex rather than as a quoted string, so such arguments will not match these patterns unless they are decoded at ingest or in the search. Third, the syslog branch depends on extractions named process and cmd_args, and macOS hosts produce no auditd EXECVE records at all: the Mac half of T1222.002 needs a process-execution source such as MDE DeviceProcessEvents, which the tests below list.
Data Sources
- Linux auditd process execution records (type=EXECVE for argv; the SYSCALL record with the same serial for uid, auid and ppid)
- syslog lines that record chmod, chown, chattr or setfacl invocations (fallback branch)
Required Sourcetypes
- linux:audit
- syslog
False Positives & Tuning
- Package managers (apt, yum, dnf) applying permissions during installation or post-install scripts
- CI/CD self-hosted runners executing chmod +x on build artifacts
- Ansible, Chef, Puppet, or Salt applying file permissions during configuration management runs
- Container initialization scripts setting permissions on mounted volumes
- Database engines (MySQL, PostgreSQL) adjusting socket or data directory permissions on startup
Testing Methodology
Validate this detection with the five test cases below, modelled on the Atomic Red Team atomics for T1222.002. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: chmod +x on Payload in /tmp (Executable Staging)
Expected signal: auditd EXECVE record with a0=chmod, a1=+x, a2=/tmp/df00tech_test_payload.sh (the SYSCALL record with the same serial carries the invoking uid, auid and ppid). Sysmon for Linux Event ID 1 (Process Create) with Image=/usr/bin/chmod, CommandLine='chmod +x /tmp/df00tech_test_payload.sh', ParentImage=/usr/bin/bash. MDE DeviceProcessEvents with FileName=chmod and ProcessCommandLine containing '+x' and '/tmp/'.
- Test 2: chattr +i Immutable Flag (Malware Persistence Protection)
Expected signal: auditd EXECVE record with a0=chattr, a1=+i, a2=/tmp/df00tech_immutable_test.bin, with uid=0 on the paired SYSCALL record (setting the immutable attribute requires CAP_LINUX_IMMUTABLE). Sysmon for Linux Event ID 1 with Image=/usr/bin/chattr, CommandLine='chattr +i /tmp/df00tech_immutable_test.bin'. MDE DeviceProcessEvents with FileName=chattr and ProcessCommandLine containing '+i'.
- Test 3: chmod 4755 Setuid Binary Creation (Privilege Escalation Enablement)
Expected signal: auditd EXECVE record with a0=chmod, a1=4755, a2=/tmp/df00tech_suid_test, followed by a separate SYSCALL record with syscall=268 (fchmodat on x86_64) whose mode argument a2=9ed is the hex form of octal 04755. MDE DeviceProcessEvents with ProcessCommandLine containing '4755'. ls -la shows the setuid bit as 's' in the owner execute position: -rwsr-xr-x.
- Test 4: chown root Ownership Transfer (Ownership Hijacking)
Expected signal: auditd EXECVE record with a0=chown, a1=root:root, a2=/tmp/df00tech_chown_test.bin, followed by a SYSCALL record with syscall=260 (fchownat on x86_64) and a2=0 a3=0 (the new owner and group), run with uid=0 since giving a file to another owner requires CAP_CHOWN. MDE DeviceProcessEvents with FileName=chown and ProcessCommandLine containing 'root:root' and '/tmp/'.
- Test 5: chmod 777 World-Writable Directory (Lateral Movement Staging)
Expected signal: auditd EXECVE record with a0=chmod, a1=777, a2=/tmp/df00tech_staging_dir. Sysmon for Linux Event ID 1 with CommandLine='chmod 777 /tmp/df00tech_staging_dir'. MDE DeviceProcessEvents with ProcessCommandLine containing '777' and '/tmp/'.
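To check the scoring outside Splunk, the following is an added Python example (not code from the original page or from the detection package) that mirrors the SPL query's flag logic and the expected-signal notes in the tests above. The audit lines it runs over are constructed for illustration, including the hex-encoded argument in serial 103 and the fchmodat record in serial 104; the serial numbers, pids and paths are invented. It joins each EXECVE record to the SYSCALL record with the same audit serial for uid, auid and ppid, scores the rebuilt command line with the same weights as the SPL, and decodes the requested mode from chmod-family SYSCALL arguments using x86_64 syscall numbers.

```python
"""Mirror of the SPL RiskScore logic, run over constructed auditd records."""
import re

# Constructed sample (not captured telemetry). Each execution is a SYSCALL
# record (syscall=59, execve) plus an EXECVE record sharing the serial in
# msg=audit(ts:serial); the chmod process's later fchmodat call (syscall=268)
# is its own event. Serial 103's path has a space, so auditd hex-encodes it.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=4243 auid=1000 uid=1000 gid=1000 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=EXECVE msg=audit(1700000000.100:101): argc=3 a0="chmod" a1="+x" a2="/tmp/df00tech_test_payload.sh"
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=4250 auid=0 uid=0 gid=0 comm="chattr" exe="/usr/bin/chattr" key="perm_mod"
type=EXECVE msg=audit(1700000000.200:102): argc=3 a0="chattr" a1="+i" a2="/etc/cron.d/df00tech"
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=4260 auid=1000 uid=0 gid=0 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=EXECVE msg=audit(1700000000.300:103): argc=3 a0="/bin/chmod" a1="4755" a2=2F746D702F64663030746563682073756964
type=SYSCALL msg=audit(1700000000.301:104): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55d3 a2=9ed a3=0 ppid=4242 pid=4260 auid=1000 uid=0 gid=0 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=SYSCALL msg=audit(1700000000.400:105): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=4270 auid=1000 uid=1000 gid=1000 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=EXECVE msg=audit(1700000000.400:105): argc=3 a0="chmod" a1="644" a2="/home/dev/notes.txt"
type=SYSCALL msg=audit(1700000000.500:106): arch=c000003e syscall=59 success=yes exit=0 ppid=4242 pid=4280 auid=1000 uid=0 gid=0 comm="chown" exe="/usr/bin/chown" key="perm_mod"
type=EXECVE msg=audit(1700000000.500:106): argc=3 a0="chown" a1="root:root" a2="/tmp/df00tech_chown_test.bin"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
PERM_TOOLS = ("chmod", "chown", "chattr", "setfacl")
STAGING_RE = r"(/tmp/|/dev/shm/|/var/tmp/|/run/)"
SUSPICIOUS_RE = (r"(/tmp/|/dev/shm/|/var/tmp/|/run/|/etc/cron|/etc/init|/etc/systemd"
                 r"|\.bashrc|\.bash_profile|\.zshrc|\.ssh/|/etc/passwd|/etc/shadow|/etc/sudoers)")
WEIGHTS = {"ChmodSuid": 4, "ChmodWorldWritable": 3, "ChmodExecutable": 2, "ChattrImmutable": 4,
           "ChattrUnlock": 2, "ChownToRoot": 3, "SuspiciousPath": 1, "RecursiveChange": 1}
# x86_64 syscall numbers for chmod(2), fchmod(2), fchmodat(2) -> argument holding the mode
MODE_ARG_X86_64 = {90: "a1", 91: "a1", 268: "a2"}


def decode_arg(value):
    """auditd quotes printable arguments; anything with whitespace or control chars is hex."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_audit(text):
    """Group records by audit serial: {serial: {"SYSCALL": {...}, "EXECVE": {...}}}."""
    events = {}
    for line in filter(None, text.splitlines()):
        fields = dict(FIELD_RE.findall(line))
        events.setdefault(SERIAL_RE.search(line).group(1), {})[fields.pop("type")] = fields
    return events


def basename(cmdline):
    """'/bin/chmod 4755 x' -> 'chmod', so bare names and absolute paths score alike."""
    return cmdline.split(" ", 1)[0].rsplit("/", 1)[-1]


def command_line(execve):
    """Rebuild argv from a0..a{argc-1}, decoding hex-encoded arguments."""
    return " ".join(decode_arg(execve[f"a{i}"]) for i in range(int(execve["argc"])))


def score(cmdline):
    """Same flags and weights as the SPL eval chain; returns (flags, RiskScore)."""
    cmd = basename(cmdline)

    def hit(pattern):
        return bool(re.search(pattern, cmdline))

    flags = {
        "ChmodSuid": cmd == "chmod" and hit(r"(^|\s)0?[4-7][0-7]{3}(\s|$)|\+s"),
        "ChmodWorldWritable": cmd == "chmod" and hit(r"(^|\s)[0-7]{2,3}[2367](\s|$)|[ao]\+[rx]*w"),
        "ChmodExecutable": cmd == "chmod" and hit(r"\+x|(^|\s)[0-7]{2,3}[1357](\s|$)") and hit(STAGING_RE),
        "ChattrImmutable": cmd == "chattr" and hit(r"(^|\s)\+[a-zA-Z]*i"),
        "ChattrUnlock": cmd == "chattr" and hit(r"(^|\s)-[a-zA-Z]*i"),
        "ChownToRoot": cmd == "chown" and hit(r"(^|\s)(root|0)(\s|:|$)|:(root|0)(\s|$)"),
        "SuspiciousPath": hit(SUSPICIOUS_RE),
        "RecursiveChange": hit(r"(^|\s)-[a-zA-Z]*R|--recursive"),
    }
    return flags, sum(WEIGHTS[name] for name, on in flags.items() if on)


def detect(text):
    """Executions of the permission tools with RiskScore > 0, user fields joined from SYSCALL."""
    hits = []
    for serial, ev in sorted(parse_audit(text).items(), key=lambda kv: int(kv[0])):
        if "EXECVE" not in ev:
            continue
        cmdline = command_line(ev["EXECVE"])
        flags, risk = score(cmdline)
        if basename(cmdline) in PERM_TOOLS and risk > 0:
            sc = ev.get("SYSCALL", {})  # EXECVE itself carries no uid/auid/ppid
            hits.append({"serial": serial, "user": sc.get("uid", "unknown"), "auid": sc.get("auid"),
                         "ppid": sc.get("ppid"), "cmd": basename(cmdline), "full_cmdline": cmdline,
                         "RiskScore": risk, **flags})
    return hits


def setuid_syscalls(text):
    """Chmod-family syscalls whose requested mode has the setuid bit: (serial, pid, octal mode)."""
    found = []
    for serial, ev in sorted(parse_audit(text).items(), key=lambda kv: int(kv[0])):
        sc = ev.get("SYSCALL")
        if sc and sc.get("arch") == "c000003e" and int(sc["syscall"]) in MODE_ARG_X86_64:
            mode = int(sc[MODE_ARG_X86_64[int(sc["syscall"])]], 16)  # raw argument, no S_IFMT bits
            if mode & 0o4000:
                found.append((serial, sc["pid"], f"{mode & 0o7777:04o}"))
    return found
```

Running detect(SAMPLE_AUDIT) returns serials 101, 102, 103 and 106 with RiskScores 3, 5, 7 and 4; the chmod 644 in serial 105 scores 0 and drops out, and setuid_syscalls(SAMPLE_AUDIT) surfaces serial 104 as a 4755 request by pid 4260. The point of the join is visible in serial 103: the EXECVE record alone would report the command line but no user, while the paired SYSCALL record shows it ran as uid 0 from auid 1000.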
References
- https://attack.mitre.org/techniques/T1222/002/
- https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
- https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
- https://blog.trendmicro.com/trendlabs-security-intelligence/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger/
- https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/coathanger/COATHANGER+TLP-CLEAR.pdf
- https://www.uptycs.com/blog/black-basta-ransomware-goes-after-esxi-servers
- https://research.checkpoint.com/2017/dok-malware-gains-root-privileges-on-macs-installs-new-root-certificate-and-patches-systems-proxy/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/linux
- https://linux.die.net/man/1/chattr
- https://www.man7.org/linux/man-pages/man2/chmod.2.html