File Made Executable via Chmod Inside A Container

This rule alerts when chmod or chown is executed inside a container (the process's entry leader is of type "container") with one of a fixed set of arguments: the octal modes 4755, 755, 777, 000 and 444, or the symbolic modes +x and -x. Making a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container. Note that the query is broader than the rule name: 000, 444 and -x strip execute permission rather than grant it, and for chown a numeric argument such as 755 is an owner ID, not a mode. Read the actual arguments during triage rather than assuming a file was made executable.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2025/03/12"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/03/12"

[rule]
author = ["Elastic"]
description = """
This rule detects when chmod or chown are used to add the execute permission to a file inside a container. Modifying file
permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized
or malicious code inside the container.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "File Made Executable via Chmod Inside A Container"
risk_score = 21
rule_id = "30d94e59-e5c7-4828-bc4f-f5809ad1ffe1"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.

For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
    "Domain: Container",
    "OS: Linux",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.entry_leader.entry_meta.type == "container" and process.name in ("chmod", "chown") and
process.args in ("4755", "755", "000", "777", "444", "-x", "+x")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating File Made Executable via Chmod Inside A Container

Containers provide isolated environments for running applications, often on Linux systems. The `chmod` command is used to change file permissions, including making files executable. Adversaries may exploit this by altering permissions to execute unauthorized scripts or binaries, potentially leading to malicious activity. The detection rule identifies such actions by monitoring for `chmod` usage that grants execute permissions, focusing on specific permission patterns, and excluding benign cases. This helps in identifying potential threats where attackers attempt to execute unauthorized code within containers.

### Possible investigation steps

- Examine the process arguments to determine the exact permissions that were set and identify the file that was made executable.
- Investigate the origin of the `chmod` command by reviewing the process tree to understand which parent process initiated it and whether it aligns with expected behavior.
- Check the user account or service account that executed the `chmod` command to assess if it has legitimate access and reason to modify file permissions.
- Analyze the file that was made executable to determine its contents and origin, checking for any signs of unauthorized or malicious code.
- Correlate this event with other logs or alerts from the same container to identify any patterns or additional suspicious activities that might indicate a broader attack.

### False positive analysis

- Routine maintenance scripts or automated processes may use chmod to set execute permissions on files within containers. To handle these, identify and whitelist specific scripts or processes that are known to be safe and necessary for operations.
- Development environments often involve frequent changes to file permissions as developers test and deploy code. Consider excluding specific container IDs or paths associated with development environments to reduce noise.
- Some container orchestration tools might use chmod as part of their normal operation. Review the processes and arguments associated with these tools and create exceptions for known benign activities.
- System updates or package installations within containers might trigger this rule. Monitor and document regular update schedules and processes, and exclude these from triggering alerts if they are verified as non-threatening.
- If certain users or roles are responsible for legitimate permission changes, consider excluding their activities by user ID or role, ensuring that these exclusions are well-documented and reviewed regularly.

### Response and remediation

- Immediately isolate the affected container to prevent further execution of unauthorized code. This can be done by stopping the container or disconnecting it from the network.
- Conduct a thorough review of the container's file system to identify any unauthorized or suspicious files that have been made executable. Remove or quarantine these files as necessary.
- Analyze the container's logs to trace the source of the `chmod` command and determine if there are any other indicators of compromise or related malicious activities.
- If the unauthorized execution is confirmed, assess the potential impact on the host system and other containers. Implement additional security measures, such as enhanced monitoring or network segmentation, to protect other assets.
- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign.
- Review and update container security policies to prevent unauthorized permission changes, such as implementing stricter access controls and using security tools that enforce policy compliance.
- Enhance detection capabilities by configuring alerts for similar suspicious activities, ensuring that any future attempts to modify file permissions within containers are promptly identified and addressed."""

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1222"
name = "File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/"

[[rule.threat.technique.subtechnique]]
id = "T1222.002"
name = "Linux and Mac File and Directory Permissions Modification"
reference = "https://attack.mitre.org/techniques/T1222/002/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
...
```
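The EQL query above fires on the argument list alone, so the first triage step (examine the process arguments to see what mode was actually set) is worth automating. The following is an added example, not Elastic's code and not part of the rule: it re-implements the query's predicate in Python over a handful of constructed ECS-style process events, then classifies each hit by whether the chmod argument really grants an execute bit. It assumes the target file is the last argv element and treats a symbolic `X` as granting execute, which real chmod only does for directories and already-executable files; the field names follow the rule query.

```python
"""Added example, not Elastic's code: re-implements the rule's EQL predicate in
Python over constructed ECS-style process events, then classifies each hit by
whether the chmod argument actually grants an execute bit.  Field names follow
the rule query; the sample events below are constructed, not real telemetry."""
import re

# Argument list copied verbatim from the rule query.
RULE_ARGS = {"4755", "755", "000", "777", "444", "-x", "+x"}

OCTAL_MODE = re.compile(r"^[0-7]{3,4}$")
# who=[ugoa]*, op=+|-|=, perms=[rwxXst]*  (single clause only; an assumption)
SYMBOLIC_MODE = re.compile(r"^([ugoa]*)([+\-=])([rwxXst]*)$")


def _get(event, path):
    """Dotted-path lookup in a nested dict, e.g. 'process.entry_leader.entry_meta.type'."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def rule_matches(event):
    """Python equivalent of the EQL predicate in the rule query.
    EQL's `process.args in (...)` on an array field matches if ANY element is
    in the set, so a single '755' anywhere in argv is enough."""
    return (
        _get(event, "host.os.type") == "linux"
        and _get(event, "event.type") == "start"
        and _get(event, "event.action") == "exec"
        and _get(event, "process.entry_leader.entry_meta.type") == "container"
        and _get(event, "process.name") in ("chmod", "chown")
        and any(arg in RULE_ARGS for arg in _get(event, "process.args") or [])
    )


def mode_grants_execute(mode):
    """True if a chmod mode string would set at least one execute bit.
    Octal: checks the low three digits against 0o111 (4755 -> 755 -> yes).
    Symbolic: only '+x'/'=x' style clauses count; '-x' removes execute.
    'X' is treated as granting (assumption: real chmod only does so for
    directories or already-executable files)."""
    if OCTAL_MODE.match(mode):
        return bool(int(mode[-3:], 8) & 0o111)
    m = SYMBOLIC_MODE.match(mode)
    if m and m.group(2) in ("+", "="):
        return any(c in m.group(3) for c in "xX")
    return False


def classify(event):
    """Triage verdict for one alert: which argument tripped the rule, the target
    file (assumed to be the last argv element), and whether execute was really
    granted.  chown never sets a mode: '755' in its argv is an owner spec."""
    args = _get(event, "process.args") or []
    hit = next((a for a in args if a in RULE_ARGS), None)
    name = _get(event, "process.name")
    grants = name == "chmod" and hit is not None and mode_grants_execute(hit)
    return {
        "process": name,
        "hit_arg": hit,
        "file": args[-1] if len(args) > 1 else None,
        "grants_execute": grants,
    }


def _event(name, args, entry_type="container"):
    """Build a minimal ECS-style process exec event (constructed sample)."""
    return {
        "host": {"os": {"type": "linux"}},
        "event": {"type": "start", "action": "exec"},
        "process": {
            "name": name,
            "args": [name, *args],
            "entry_leader": {"entry_meta": {"type": entry_type}},
        },
    }


# Constructed sample telemetry: two genuine execute grants, one permission
# strip, one chown owner change, and one chmod outside any container.
SAMPLE_EVENTS = [
    _event("chmod", ["+x", "/tmp/.cache/payload"]),
    _event("chmod", ["4755", "/usr/local/bin/helper"]),
    _event("chmod", ["444", "/app/config.yaml"]),
    _event("chown", ["755", "/data/export"]),
    _event("chmod", ["755", "/opt/deploy.sh"], entry_type="init"),
]


def run_rule(events):
    """Return a classification dict for every event the rule would alert on."""
    return [classify(e) for e in events if rule_matches(e)]


if __name__ == "__main__":
    for verdict in run_rule(SAMPLE_EVENTS):
        print(verdict)
```

Running it shows four alerts from the five events (the host-side chmod is filtered by the entry-leader check), but only two of them actually grant execute; the 444 strip and the chown owner change would be alerts to close quickly. The same split (which hits grant execute, which process and file) is what an exception or a higher-severity follow-on rule should key on, rather than the raw argument list.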
