T1222.002 Sumo Logic CSE · Sumo

Detect Linux and Mac File and Directory Permissions Modification in Sumo Logic CSE

Adversaries modify file or directory permissions on Linux and macOS systems using chmod, chown, and chattr to evade access controls and enable further malicious activity. Common patterns include chmod +x or chmod 777 on payloads dropped in world-writable directories (/tmp, /dev/shm, /var/tmp), chattr +i to make persistence mechanisms immutable and undeletable, setuid bit setting (chmod 4755/+s) for privilege escalation, and chown root to escalate file ownership. Threat actors including TeamTNT, Rocke, Kinsing, APT32, and Black Basta have all leveraged these commands to prepare and protect malicious binaries. This technique frequently precedes or accompanies persistence (T1546.004 shell config modification, T1574 hijack execution flow) and execution techniques.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1222 File and Directory Permissions Modification
Sub-technique
T1222.002 Linux and Mac File and Directory Permissions Modification
Canonical reference
https://attack.mitre.org/techniques/T1222/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=linux* OR _sourceCategory=*audit* OR _sourceCategory=*syslog*)
| where _raw matches /chmod|chown|chattr|setfacl/
// auditd EXECVE records quote argument values (a0="chmod"); tolerate the optional quote so the
// process_cmd allow-list below still matches
| parse regex "(?:a0|cmd|process)=\"?(?<process_cmd>[^\s=\"',;]+)" nodrop
| parse regex "a[1-3]=(?<args>[^\n]+)" nodrop
| where process_cmd in ("chmod", "chown", "chattr", "setfacl",
    "/bin/chmod", "/usr/bin/chmod",
    "/bin/chown", "/usr/bin/chown",
    "/usr/bin/chattr", "/sbin/chattr")
| if (isNull(args), process_cmd, concat(process_cmd, " ", args)) as full_cmdline
| if (full_cmdline matches "*4755*" OR full_cmdline matches "*4777*"
      OR full_cmdline matches "*6755*" OR full_cmdline matches "*6777*"
      OR full_cmdline matches "*+s*" OR full_cmdline matches "*7777*", 1, 0) as ChmodSuid
| if (full_cmdline matches "*777*" OR full_cmdline matches "*a+w*"
      OR full_cmdline matches "*o+w*" OR full_cmdline matches "*0777*", 1, 0) as ChmodWorldWritable
| if ((full_cmdline matches "*+x*" OR full_cmdline matches "*a+x*" OR full_cmdline matches "*o+x*")
      AND (full_cmdline matches "*/tmp/*" OR full_cmdline matches "*/dev/shm/*"
            OR full_cmdline matches "*/var/tmp/*"), 1, 0) as ChmodExecutable
| if (process_cmd matches "*chattr*" AND full_cmdline matches "* +i*", 1, 0) as ChattrImmutable
| if (process_cmd matches "*chattr*" AND full_cmdline matches "* -i *", 1, 0) as ChattrUnlock
| if (process_cmd matches "*chown*" AND
      (full_cmdline matches "*root:*" OR full_cmdline matches "*:root*"), 1, 0) as ChownToRoot
| if (full_cmdline matches "*/tmp/*" OR full_cmdline matches "*/dev/shm/*"
      OR full_cmdline matches "*/etc/cron*" OR full_cmdline matches "*/etc/systemd*"
      OR full_cmdline matches "*/.ssh/*" OR full_cmdline matches "*/etc/passwd*"
      OR full_cmdline matches "*/etc/shadow*" OR full_cmdline matches "*/etc/sudoers*", 1, 0) as SuspiciousPath
| if (full_cmdline matches "* -R *" OR full_cmdline matches "*--recursive*", 1, 0) as RecursiveChange
| ChmodSuid*4 + ChmodWorldWritable*3 + ChmodExecutable*2
    + ChattrImmutable*4 + ChattrUnlock*2 + ChownToRoot*3
    + SuspiciousPath*1 + RecursiveChange*1 as RiskScore
| where RiskScore > 0
| fields _messageTime, _sourceHost, user, process_cmd, full_cmdline,
    ChmodSuid, ChmodWorldWritable, ChmodExecutable,
    ChattrImmutable, ChattrUnlock, ChownToRoot,
    SuspiciousPath, RecursiveChange, RiskScore
| sort by RiskScore desc
Severity: high · Confidence: high

Sumo Logic query detecting T1222.002 Linux permission modification using a weighted risk-scoring model that mirrors the SPL baseline. Parses auditd EXECVE records and syslog process events from Linux source categories to reconstruct full command lines, then scores each event across eight behavioral indicators (SUID, world-writable, executable-in-staging, chattr immutable, chattr unlock, chown root, sensitive path, recursive flag). Events with any nonzero risk score are surfaced, sorted by descending risk.

Data Sources

  • Sumo Logic Installed Collector (Linux hosts)
  • Sumo Logic auditd log source
  • Linux syslog forwarded to Sumo Logic Cloud SIEM

Required Tables

  • _sourceCategory=linux*
  • _sourceCategory=*audit*
  • _sourceCategory=*syslog*

False Positives & Tuning

  • Infrastructure-as-code provisioning tools (Terraform provisioners, Ansible tasks) executing permission changes as part of host bootstrap playbooks during first-boot or re-provisioning
  • Package post-install hooks (pip, npm, cargo, gem, go install) invoking chmod on newly placed binaries in /usr/local/bin or project-local directories
  • Container startup scripts (entrypoint.sh, init.sh) that stage files in /tmp and set executable permissions before moving them to their final runtime path inside the container

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: chmod +x on Payload in /tmp (Executable Staging)

    Expected signal: auditd EXECVE record with a0=chmod, a1=+x, a2=/tmp/df00tech_test_payload.sh. Sysmon for Linux Event ID 1 (Process Create) with Image=/usr/bin/chmod, CommandLine='chmod +x /tmp/df00tech_test_payload.sh', ParentImage=/usr/bin/bash. MDE DeviceProcessEvents with FileName=chmod, ProcessCommandLine containing '+x' and '/tmp/'.

  2. Test 2: chattr +i Immutable Flag (Malware Persistence Protection)

    Expected signal: auditd EXECVE record with a0=chattr, a1=+i, a2=/tmp/df00tech_immutable_test.bin, uid=0. Sysmon for Linux Event ID 1 with Image=/usr/bin/chattr, CommandLine='chattr +i /tmp/df00tech_immutable_test.bin'. MDE DeviceProcessEvents with FileName=chattr, ProcessCommandLine containing '+i'.

  3. Test 3: chmod 4755 Setuid Binary Creation (Privilege Escalation Enablement)

    Expected signal: auditd SYSCALL record with syscall=268 (fchmodat), mode=0x89ED (4755 octal). EXECVE record with a0=chmod, a1=4755, a2=/tmp/df00tech_suid_test. MDE DeviceProcessEvents with ProcessCommandLine containing '4755'. The file will appear with 's' in ls -la output: -rwsr-xr-x.

  4. Test 4: chown root Ownership Transfer (Ownership Hijacking)

    Expected signal: auditd SYSCALL record with syscall=260 (fchownat), uid=0. EXECVE record with a0=chown, a1=root:root, a2=/tmp/df00tech_chown_test.bin. MDE DeviceProcessEvents with FileName=chown, ProcessCommandLine containing 'root:root' and '/tmp/'.

  5. Test 5: chmod 777 World-Writable Directory (Lateral Movement Staging)

    Expected signal: auditd EXECVE record with a0=chmod, a1=777, a2=/tmp/df00tech_staging_dir. Sysmon for Linux Event ID 1 with CommandLine='chmod 777 /tmp/df00tech_staging_dir'. MDE DeviceProcessEvents with ProcessCommandLine containing '777' and '/tmp/'.
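To check the scoring model described under the query against the five test cases above before the rule is deployed, the following added Python re-implements the eight indicators and their weights over constructed auditd EXECVE lines (this is example code written for this page, not the Sumo Logic rule or any vendor tooling; the sample records and the benign sixth event are constructed, and the parser only handles the quoted aN= form of EXECVE records).

```python
import re

# Constructed auditd EXECVE records modelled on the five tests above plus one benign
# package-install style chmod (not captured telemetry).
SAMPLE_EVENTS = [
    'type=EXECVE msg=audit(1700000000.001:101): argc=3 a0="chmod" a1="+x" a2="/tmp/df00tech_test_payload.sh"',
    'type=EXECVE msg=audit(1700000000.002:102): argc=3 a0="chattr" a1="+i" a2="/tmp/df00tech_immutable_test.bin"',
    'type=EXECVE msg=audit(1700000000.003:103): argc=3 a0="chmod" a1="4755" a2="/tmp/df00tech_suid_test"',
    'type=EXECVE msg=audit(1700000000.004:104): argc=3 a0="chown" a1="root:root" a2="/tmp/df00tech_chown_test.bin"',
    'type=EXECVE msg=audit(1700000000.005:105): argc=3 a0="chmod" a1="777" a2="/tmp/df00tech_staging_dir"',
    'type=EXECVE msg=audit(1700000000.006:106): argc=3 a0="/bin/chmod" a1="+x" a2="/usr/local/bin/tool"',
]
WATCHED = {"chmod", "chown", "chattr", "setfacl"}
STAGING = ("/tmp/", "/dev/shm/", "/var/tmp/")
SENSITIVE = ("/tmp/", "/dev/shm/", "/etc/cron", "/etc/systemd", "/.ssh/", "/etc/passwd", "/etc/shadow", "/etc/sudoers")
WEIGHTS = {"ChmodSuid": 4, "ChmodWorldWritable": 3, "ChmodExecutable": 2, "ChattrImmutable": 4,
           "ChattrUnlock": 2, "ChownToRoot": 3, "SuspiciousPath": 1, "RecursiveChange": 1}

def parse_execve(line):
    """Extract the quoted aN= arguments; None unless a0 is one of the watched binaries."""
    argv = re.findall(r'\ba\d+="([^"]*)"', line)
    if not argv or argv[0].rsplit("/", 1)[-1] not in WATCHED:
        return None
    return argv[0].rsplit("/", 1)[-1], argv[1:]   # strip /usr/bin prefix like the query's path list

def indicators(cmd, args):
    """Evaluate the query's eight behavioural indicators on one command line."""
    recursive = [a for a in args if a in ("-R", "--recursive")]
    positional = [a for a in args if a not in recursive]
    mode, paths = (positional[0] if positional else ""), positional[1:]
    return {
        "ChmodSuid": mode in {"4755", "4777", "6755", "6777", "7777"} or "+s" in mode,
        "ChmodWorldWritable": mode.endswith("777") or mode in {"a+w", "o+w"},
        "ChmodExecutable": "+x" in mode and any(p.startswith(STAGING) for p in paths),
        "ChattrImmutable": cmd == "chattr" and mode == "+i",
        "ChattrUnlock": cmd == "chattr" and mode == "-i",
        "ChownToRoot": cmd == "chown" and bool(re.search(r"root:|:root", mode)),
        "SuspiciousPath": any(s in p for p in paths for s in SENSITIVE),
        "RecursiveChange": bool(recursive),
    }

def triage(lines):
    """Score events like the query; return (RiskScore, cmdline, hit indicators) for score > 0, highest first."""
    out = []
    for line in lines:
        parsed = parse_execve(line)
        if parsed is None:
            continue
        cmd, args = parsed
        hits = [k for k, v in indicators(cmd, args).items() if v]
        score = sum(WEIGHTS[k] for k in hits)
        if score > 0:                       # mirrors `where RiskScore > 0`
            out.append((score, " ".join([cmd] + args), hits))
    return sorted(out, key=lambda r: r[0], reverse=True)
```

The benign chmod +x in /usr/local/bin scores 0 and is dropped, which is the behaviour the tuning notes rely on; chattr +i and chmod 4755 in /tmp land at the top of the list.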

Unlock Pro Content

Get the full detection package for T1222.002 including response playbook, investigation guide, and atomic red team tests.
