File Permission Modification in Writable Directory
- source: elastic
- techniques:
- T1222
Description
Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions (typically adding execute with chmod, or locking a file with chattr) prior to execution. Two points to keep in mind when tuning this rule: the query below keys on process.working_directory, so it only fires when the tool is run with its current directory inside /dev/shm, /tmp or /var/tmp, and a command such as chmod +x /tmp/payload issued from a home directory is not covered; and the logic as shown contains no user filter, so despite the "non-root" wording it matches root-initiated changes as well unless you add that constraint yourself. The long not (...) block is a carve-out list for known-benign software (apt, Puppet, ESET, Illumio, Passenger, nginx and similar) and will need local additions on most fleets.
Detection logic
host.os.type:"linux" and event.category:process and event.type:"start" and event.action:"exec" and
process.name:("chattr" or "chgrp" or "chmod") and process.working_directory:("/dev/shm" or "/tmp" or "/var/tmp") and
not (
process.args:(
"+r" or "640" or /tmp/apt-key-gpghome* or "/usr/bin/coreutils" or "/opt/eset/eei/uninstall.sh" or /tmp/era.repository.*.bin
) or
process.parent.args:"/var/illumio_pce/illumio/scripts/consul" or
process.parent.name:(
apt-key or update-motd-updates-available or apt-get or java or pilot or PassengerAgent or nginx
) or
process.parent.executable:(
"/usr/local/bin/afb-ssh-setup-keys.sh" or "/opt/puppetlabs/puppet/bin/ruby" or
"/usr/sbin/update-exim4.conf" or "/bin/dracut"
)
)
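To see how the positive match and the carve-outs interact, here is the rule's predicate re-implemented in plain Python and run over a handful of constructed ECS-style exec events. This is an added example, not Elastic's code or a rule-engine implementation: KQL field semantics are approximated (a field with several values matches if any value does, and the two unquoted wildcards /tmp/apt-key-gpghome* and /tmp/era.repository.*.bin are translated to fnmatch globs), the make_event helper and the sample events are invented for the demonstration, and nothing here reads real telemetry.

```python
from fnmatch import fnmatchcase

# Values copied from the rule's query. Entries containing '*' come from the
# rule's unquoted KQL wildcards and are treated as globs; the rest match exactly.
TOOLS = ("chattr", "chgrp", "chmod")
WRITABLE_DIRS = ("/dev/shm", "/tmp", "/var/tmp")
EXCLUDED_ARGS = ("+r", "640", "/tmp/apt-key-gpghome*", "/usr/bin/coreutils",
                 "/opt/eset/eei/uninstall.sh", "/tmp/era.repository.*.bin")
EXCLUDED_PARENT_ARGS = ("/var/illumio_pce/illumio/scripts/consul",)
EXCLUDED_PARENT_NAMES = ("apt-key", "update-motd-updates-available", "apt-get",
                         "java", "pilot", "PassengerAgent", "nginx")
EXCLUDED_PARENT_EXECUTABLES = ("/usr/local/bin/afb-ssh-setup-keys.sh",
                               "/opt/puppetlabs/puppet/bin/ruby",
                               "/usr/sbin/update-exim4.conf", "/bin/dracut")


def field(event, dotted):
    """Return a dotted ECS field (e.g. 'process.parent.name') as a list.
    KQL treats scalar and multi-valued fields alike, so normalise to a list."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return []
        cur = cur[part]
    return list(cur) if isinstance(cur, (list, tuple)) else [cur]


def any_match(event, dotted, patterns):
    """KQL 'field:(a or b)' semantics: true if any value matches any pattern.
    fnmatchcase implements the rule's unquoted wildcards; literals match exactly."""
    return any(fnmatchcase(str(v), p) for v in field(event, dotted) for p in patterns)


def is_candidate(event):
    """Positive half of the rule: a permission tool exec'd with its cwd in a
    world-writable directory. Note there is no user.id / user.name condition."""
    return (any_match(event, "host.os.type", ["linux"])
            and any_match(event, "event.category", ["process"])
            and any_match(event, "event.type", ["start"])
            and any_match(event, "event.action", ["exec"])
            and any_match(event, "process.name", TOOLS)
            and any_match(event, "process.working_directory", WRITABLE_DIRS))


def is_excluded(event):
    """The 'not (...)' carve-outs for known-benign software."""
    return (any_match(event, "process.args", EXCLUDED_ARGS)
            or any_match(event, "process.parent.args", EXCLUDED_PARENT_ARGS)
            or any_match(event, "process.parent.name", EXCLUDED_PARENT_NAMES)
            or any_match(event, "process.parent.executable", EXCLUDED_PARENT_EXECUTABLES))


def matches(event):
    """Full rule: candidate and not carved out."""
    return is_candidate(event) and not is_excluded(event)


def make_event(name, args, cwd, parent_name="bash", parent_exe="/usr/bin/bash",
               parent_args=None, user_id="1000"):
    """Build a minimal ECS exec event. Hypothetical helper; constructed data."""
    return {
        "host": {"os": {"type": "linux"}},
        "event": {"category": ["process"], "type": ["start"], "action": "exec"},
        "user": {"id": user_id},
        "process": {
            "name": name, "args": [name] + list(args), "working_directory": cwd,
            "parent": {"name": parent_name, "executable": parent_exe,
                       "args": parent_args or [parent_name]},
        },
    }


# Constructed sample events (not real telemetry), one per behaviour of interest.
SAMPLE_EVENTS = {
    # attacker staging: chmod +x on a dropped file from inside /tmp -> alert
    "staged_payload": make_event("chmod", ["+x", ".x"], "/tmp"),
    # same pattern via chattr as uid 0: still alerts, since no user filter exists
    "root_chattr": make_event("chattr", ["+i", "svc"], "/dev/shm", user_id="0"),
    # mode 640 is carved out by the process.args exclusion
    "mode_640": make_event("chmod", ["640", "app.log"], "/var/tmp"),
    # apt-key as the parent process is carved out by process.parent.name
    "apt_key_child": make_event("chmod", ["700", "apt-key-gpghome.x"], "/tmp",
                                parent_name="apt-key", parent_exe="/usr/bin/apt-key"),
    # the wildcard carve-out on the argument path
    "era_repo": make_event("chmod", ["755", "/tmp/era.repository.12.bin"], "/tmp"),
    # Puppet's bundled ruby as parent executable
    "puppet_ruby": make_event("chmod", ["755", "x.sh"], "/var/tmp", parent_name="ruby",
                              parent_exe="/opt/puppetlabs/puppet/bin/ruby"),
    # cwd is a home directory: the rule keys on working_directory, so this is missed
    "absolute_path_from_home": make_event("chmod", ["+x", "/tmp/payload"], "/home/alice"),
}


def alerting_events(events=SAMPLE_EVENTS):
    """Names of the sample events the rule fires on, in sorted order."""
    return sorted(name for name, ev in events.items() if matches(ev))


if __name__ == "__main__":
    print(alerting_events())
```

Running it reports only staged_payload and root_chattr; the four carve-out cases are suppressed, and absolute_path_from_home is never a candidate at all, which is the blind spot worth pairing this rule with a file-path based sibling for.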