File Made Executable via Chmod Inside A Container

This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container.


 1[metadata]
 2creation_date = "2023/04/26"
 3integration = ["cloud_defend"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file
11permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized
12or malicious code inside the container.
13"""
14from = "now-6m"
15index = ["logs-cloud_defend*"]
16interval = "5m"
17language = "eql"
18license = "Elastic License v2"
19name = "File Made Executable via Chmod Inside A Container"
20risk_score = 47
21rule_id = "ec604672-bed9-43e1-8871-cf591c052550"
22severity = "medium"
23tags = [
24    "Data Source: Elastic Defend for Containers",
25    "Domain: Container",
26    "OS: Linux",
27    "Use Case: Threat Detection",
28    "Tactic: Execution",
29    "Tactic: Defense Evasion",
30]
31timestamp_override = "event.ingested"
32type = "eql"
33
34query = '''
35file where container.id: "*" and event.type in ("change", "creation") and
36
37/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
38(process.name : "chmod" or process.args : "chmod") and 
39process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x"
40'''
41
42
43[[rule.threat]]
44framework = "MITRE ATT&CK"
45[[rule.threat.technique]]
46id = "T1059"
47name = "Command and Scripting Interpreter"
48reference = "https://attack.mitre.org/techniques/T1059/"
49
50
51[rule.threat.tactic]
52id = "TA0002"
53name = "Execution"
54reference = "https://attack.mitre.org/tactics/TA0002/"
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1222"
59name = "File and Directory Permissions Modification"
60reference = "https://attack.mitre.org/techniques/T1222/"
61[[rule.threat.technique.subtechnique]]
62id = "T1222.002"
63name = "Linux and Mac File and Directory Permissions Modification"
64reference = "https://attack.mitre.org/techniques/T1222/002/"
65
66
67
68[rule.threat.tactic]
69id = "TA0005"
70name = "Defense Evasion"
71reference = "https://attack.mitre.org/tactics/TA0005/"
