Chmod Targeting Sensitive Directories
Detects chmod targeting files in sensitive directory paths on Linux systems. Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
Sigma rule
title: Chmod Targeting Sensitive Directories
id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
status: test
description: |
    Detects chmod targeting files in sensitive directory paths on Linux systems.
    Attackers may use chmod to change permissions of files in these directories to maintain persistence, escalate privileges, or disrupt system operations.
references:
    - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
date: 2022-06-03
modified: 2026-03-18
tags:
    - attack.defense-impairment
    - attack.t1222.002
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        Image|endswith: '/chmod'
        CommandLine|contains:
            - '/tmp/'
            - '/.Library/'
            - '/etc/'
            - '/opt/'
    filter_main_update_shells:
        CommandLine|contains: 'chmod --reference=/etc/shells'
        ParentCommandLine|endswith: '/update-shells'
    filter_main_postinst:
        CommandLine|contains: '/etc/'
        ParentCommandLine|contains|all:
            - '/var/lib/dpkg/info/'
            - '.postinst configure'
    filter_main_apt_key:
        CommandLine|startswith: 'chmod 700 /tmp/apt-key-gpghome.'
    filter_main_mkinitramfs:
        CommandLine|startswith: 'chmod 755 /var/tmp/mkinitramfs'
    filter_main_landscape:
        CommandLine: 'chmod 0775 /etc/landscape/'
    filter_main_ubuntu_apparmor:
        CommandLine: 'chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives are to be expected. Apply additional filters as needed before pushing to production.
level: medium
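The rule's selection and filter_main_* logic, as an added Python example that is not part of the Sigma project or of this rule; it assumes process_creation events carry the fields Image, CommandLine and ParentCommandLine as named in the rule, and runs over constructed sample events to show which chmod invocations alert and which the filters drop:

```python
# Added example (not the Sigma project's code): evaluates this rule's selection
# and filter_main_* blocks over constructed process_creation events. Sigma string
# modifiers are case-insensitive by default, so fields are lower-cased first.

SENSITIVE_PATHS = ("/tmp/", "/.library/", "/etc/", "/opt/")


def _fields(ev):
    return tuple(ev.get(k, "").lower() for k in ("Image", "CommandLine", "ParentCommandLine"))


def selection(ev):
    """selection: Image|endswith '/chmod' and CommandLine|contains a sensitive path."""
    image, cmd, _ = _fields(ev)
    return image.endswith("/chmod") and any(p in cmd for p in SENSITIVE_PATHS)


def filtered(ev):
    """True when any filter_main_* block matches (known benign system activity)."""
    _, cmd, parent = _fields(ev)
    return (
        ("chmod --reference=/etc/shells" in cmd and parent.endswith("/update-shells"))
        or ("/etc/" in cmd and "/var/lib/dpkg/info/" in parent and ".postinst configure" in parent)
        or cmd.startswith("chmod 700 /tmp/apt-key-gpghome.")
        or cmd.startswith("chmod 755 /var/tmp/mkinitramfs")
        or cmd in ("chmod 0775 /etc/landscape/", "chmod 644 /etc/apparmor.d/tunables/home.d/ubuntu")
    )


def matches(ev):
    """condition: selection and not 1 of filter_main_*"""
    return selection(ev) and not filtered(ev)


EVENTS = [  # constructed sample events, not real telemetry
    # chmod on a file under /tmp/ from a shell: no filter applies, so it alerts
    {"Image": "/usr/bin/chmod", "CommandLine": "chmod +x /tmp/.cache/helper",
     "ParentCommandLine": "/bin/sh -c 'chmod +x /tmp/.cache/helper'"},
    # dpkg maintainer script adjusting /etc/: dropped by filter_main_postinst
    {"Image": "/bin/chmod", "CommandLine": "chmod 644 /etc/foo.conf",
     "ParentCommandLine": "/bin/sh /var/lib/dpkg/info/foo.postinst configure 1.0"},
    # chmod outside the watched directories: selection does not match
    {"Image": "/usr/bin/chmod", "CommandLine": "chmod 600 /home/user/.ssh/config"},
]


def evaluate(events=EVENTS):
    """Return the CommandLine of each event the rule would alert on."""
    return [ev["CommandLine"] for ev in events if matches(ev)]
```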
Related rules
- File or Folder Permissions Change
- Remove Immutable File Attribute
- Remove Immutable File Attribute - Auditd
- A Rule Has Been Deleted From The Windows Firewall Exception List
- AD Object WriteDAC Access