title: Linux and Mac File and Directory Permissions Modification (T1222.002)
id: df00tech-t1222-002
status: experimental
description: "Adversaries modify file or directory permissions on Linux and macOS systems using chmod, chown, and chattr to evade access controls and enable further malicious activity. Common patterns include chmod +x or chmod 777 on payloads dropped in world-writable directories (/tmp, /dev/shm, /var/tmp), chattr +i to make persistence mechanisms immutable and undeletable, setuid bit setting (chmod 4755/+s) for privilege escalation, and chown root to escalate file ownership. Threat actors including TeamTNT, Rocke, Kinsing, APT32, and Black Basta have all leveraged these commands to prepare and protect malicious binaries. This technique frequently precedes or accompanies persistence (T1546.004 shell config modification, T1574 hijack execution flow) and execution techniques."
references:
  - https://attack.mitre.org/techniques/T1222/002/
  - https://df00tech.com/detections/T1222.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1222.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Software package managers (apt, yum, dnf, brew) applying permissions during installation or upgrade"
  - "CI/CD pipelines (Jenkins, GitLab Runner, GitHub Actions self-hosted) making scripts executable as part of build steps"
  - System administrators using chmod +x on deployment scripts or configuration files
  - Container entrypoint scripts that set file permissions during container initialization
  - Backup and restore operations using chown to restore original file ownership
  - Developer workstations where users frequently adjust file permissions for local development
level: medium