Chmod Suspicious Directory

 1title: Chmod Suspicious Directory
 2id: 6419afd1-3742-47a5-a7e6-b50386cd15f8
 3status: test
 4description: Detects chmod targeting files in abnormal directory paths.
 5references:
 6    - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
 8author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
 9date: 2022-06-03
10tags:
11    - attack.defense-evasion
12    - attack.t1222.002
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        Image|endswith: '/chmod'
19        CommandLine|contains:
20            - '/tmp/'
21            - '/.Library/'
22            - '/etc/'
23            - '/opt/'
24    condition: selection
25falsepositives:
26    - Admin changing file permissions.
27level: medium

References

• New SysJoker Backdoor Targets Windows, Linux, and macOS

  

  In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux that we have named SysJoker.

  
  Read More

• atomic-red-team/atomics/T1222.002/T1222.002.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

Related rules

• File or Folder Permissions Change
• Remove Immutable File Attribute
• Remove Immutable File Attribute - Auditd
• AD Object WriteDAC Access
• ADS Zone.Identifier Deleted By Uncommon Application