Techniques
Sample rules
File Permission Modification in Writable Directory
- source: elastic
- techniques:
- T1222
Description
Identifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.
Detection logic
host.os.type:linux and event.category:process and event.type:start and
process.name:(chattr or chgrp or chmod or chown) and process.working_directory:(/dev/shm or /tmp or /var/tmp) and
not process.parent.name:(apt-key or update-motd-updates-available or apt-get)