LoFP / user interacting with files permissions (normal/daily behaviour).

Techniques

• t1222
• t1222.002

Sample rules

File or Folder Permissions Change

• source: sigma
• technicques:
  • t1222
  • t1222.002

Description

Detects file and folder permission changes.

Detection logic

condition: selection
selection:
  a0|contains:
  - chmod
  - chown
  type: EXECVE