admin changing file permissions.

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml>sigma
technicques: t1222 t1222.002

Techniques

Detects chmod targeting files in abnormal directory paths.

condition: selection
selection:
  CommandLine|contains:
  - /tmp/
  - /.Library/
  - /etc/
  - /opt/
  Image|endswith: /chmod