IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
File Permission Modification in Writable Directory
edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.
File Permission Modification in Writable Directory
editIdentifies file permission modifications in common writable directories by a non-root user. Adversaries often drop files or payloads into a writable directory and change permissions prior to execution.
Rule type: new_terms
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Data Source: Elastic Defend
Version: 207
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
edithost.os.type:linux and event.category:process and event.type:start and process.name:(chmod or chown or chattr or chgrp) and process.working_directory:("/tmp" or "/var/tmp" or "/dev/shm")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique:
- Name: File and Directory Permissions Modification
- ID: T1222
- Reference URL: https://attack.mitre.org/techniques/T1222/
Was this helpful?
Thank you for your feedback.