Chmod Activity Targeting Sensitive Linux Directories
Attackers may use chmod to modify file permissions within sensitive Linux directories such as /tmp/, /etc/, and /opt/ to maintain persistence, escalate privileges, or disrupt system operations.
Attackers may leverage the chmod command on Linux systems to modify file permissions in sensitive directories. This can be used to establish persistence by altering permissions of startup scripts or cron jobs, escalate privileges by modifying permissions of sensitive binaries or configuration files, or disrupt system operations by restricting access to critical system resources. The referenced SysJoker malware has been observed using similar techniques. Detecting anomalous chmod activity…
Detection coverage: 2 rules
Chmod Targeting Sensitive Directories
Severity: medium. Detects chmod targeting files in sensitive directory paths on Linux systems.
Chmod to executable on /tmp directory
Severity: medium. Detects chmod used to make files executable in /tmp.
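As an added illustration, not code from this page or the product's own rule logic, the following Python evaluator applies the two rule ideas above to constructed process events. The event format, the helper names and the sensitive-directory list (/tmp/, /etc/, /opt/) are assumptions chosen for the example.

```python
import re

# Assumed list of directories the first rule watches (from the page's summary).
SENSITIVE_DIRS = ("/tmp/", "/etc/", "/opt/")

# Constructed sample process events (not real telemetry): process name and argv.
EVENTS = [
    {"process": "chmod", "args": ["chmod", "+x", "/tmp/.cache/update.sh"]},
    {"process": "chmod", "args": ["chmod", "0755", "/etc/cron.d/backup"]},
    {"process": "chmod", "args": ["chmod", "-R", "755", "/opt/app/bin"]},
    {"process": "chmod", "args": ["chmod", "644", "/home/alice/notes.txt"]},
    {"process": "bash", "args": ["bash", "-c", "echo /tmp/test"]},
]


def is_flag(arg: str) -> bool:
    """Treat '-R', '-v', '--reference=...' as flags, but keep modes like '-x' or '-w'."""
    return arg.startswith("-") and not re.fullmatch(r"-[rwxXst]+", arg)


def grants_execute(mode: str) -> bool:
    """True if the mode string sets an execute bit: an odd octal digit, or a '+'/'=' clause with x/X."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return any(int(d) & 1 for d in mode[-3:])  # last three digits are u/g/o
    clauses = re.findall(r"[ugoa]*([+=-])([rwxXst]*)", mode)
    return any(op in "+=" and ("x" in perms or "X" in perms) for op, perms in clauses)


def parse_chmod(args):
    """Split a chmod argv into (mode, targets); None if this is not a chmod invocation."""
    if not args or args[0].rsplit("/", 1)[-1] != "chmod":
        return None
    positional = [a for a in args[1:] if not is_flag(a)]
    if len(positional) < 2:
        return None
    return positional[0], positional[1:]


def evaluate(event) -> list:
    """Return the names of the rules that fire on one process event."""
    parsed = parse_chmod(event["args"])
    if parsed is None:
        return []
    mode, targets = parsed
    hits = []
    if any(t.startswith(SENSITIVE_DIRS) for t in targets):
        hits.append("Chmod Targeting Sensitive Directories")
    if grants_execute(mode) and any(t.startswith("/tmp/") for t in targets):
        hits.append("Chmod to executable on /tmp directory")
    return hits


if __name__ == "__main__":
    for ev in EVENTS:
        print(" ".join(ev["args"]), "->", evaluate(ev) or "no alert")
```

Real rules would also need to handle chmod invoked through wrappers (e.g. `sh -c "chmod ..."`), relative paths resolved against the process's working directory, and allow-listing of known package-manager activity in /opt and /etc.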