Multi-Platform File and Directory Permissions Modification Detection Strategy

ID: DET0299
Domains: Enterprise
Analytics: AN0834, AN0835, AN0836, AN0837
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0834

Sequential behavioral chain of privilege escalation through permission modification: (1) Process creation of permission-modifying utilities (icacls, takeown, attrib, cacls), (2) Correlation with unusual user context or timing, (3) DACL modification events targeting sensitive files/directories, (4) Subsequent file access or modification attempts indicating successful privilege bypass

Log Sources

Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Security | EventCode=4688
File Metadata (DC0059) | WinEventLog:Security | EventCode=4670
Active Directory Object Modification (DC0066) | WinEventLog:Security | EventCode=4663
File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11
Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4103,4104

Mutable Elements

Field | Description
TimeWindow | Temporal correlation window for linking permission modification with subsequent access attempts (default: 300 seconds)
SensitivePathList | Environment-specific critical file and directory paths requiring permission change monitoring
TrustedUserContext | Administrative accounts authorized to perform legitimate permission modifications
BusinessHoursThreshold | Time-based threshold for elevated alerting on permission changes outside business hours
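The following is an added worked example, not part of the DET0299 page or of ATT&CK, showing how the four stages of AN0834 can be correlated in code. The events are constructed, already normalised from Security 4688/4670/4663 records into dicts, and the tool list, sensitive paths, trusted accounts and business-hours window are assumed values standing in for the analytic's mutable elements.

```python
"""Stage correlation for AN0834 (Windows permission-change chain).

Added example. Events are constructed and already normalised from
Security 4688/4670/4663 records; field names and thresholds are
assumptions to be tuned per environment.
"""
from datetime import datetime, time

PERMISSION_TOOLS = {"icacls.exe", "takeown.exe", "attrib.exe", "cacls.exe"}

# Mutable elements from the analytic (assumed values)
TIME_WINDOW_SECONDS = 300
SENSITIVE_PATH_LIST = ["C:\\Windows\\System32\\", "C:\\Program Files\\"]
TRUSTED_USER_CONTEXT = {"CORP\\svc-deploy"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))

# Constructed sample events (not real telemetry)
EVENTS = [
    {"ts": "2025-10-21T03:12:00", "code": 4688, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\icacls.exe",
     "cmdline": "icacls C:\\Windows\\System32\\drivers\\etc\\hosts /grant jdoe:F"},
    {"ts": "2025-10-21T03:12:02", "code": 4670, "user": "CORP\\jdoe",
     "object": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
    {"ts": "2025-10-21T03:12:05", "code": 4663, "user": "CORP\\jdoe",
     "object": "C:\\Windows\\System32\\drivers\\etc\\hosts",
     "access": "WriteData"},
    # Same chain run by the trusted deployment account in business hours
    {"ts": "2025-10-21T10:00:00", "code": 4688, "user": "CORP\\svc-deploy",
     "image": "C:\\Windows\\System32\\icacls.exe",
     "cmdline": "icacls \"C:\\Program Files\\App\" /grant Users:RX"},
    {"ts": "2025-10-21T10:00:01", "code": 4670, "user": "CORP\\svc-deploy",
     "object": "C:\\Program Files\\App"},
    # Permission tool run with no DACL change on a sensitive path afterwards
    {"ts": "2025-10-21T14:30:00", "code": 4688, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\attrib.exe",
     "cmdline": "attrib +h C:\\Users\\jdoe\\notes.txt"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def is_sensitive(path):
    """True when the path sits under one of the monitored prefixes."""
    lowered = path.lower()
    return any(lowered.startswith(p.lower()) for p in SENSITIVE_PATH_LIST)


def outside_business_hours(moment):
    start, end = BUSINESS_HOURS
    return not (start <= moment.time() < end)


def detect(events, window=TIME_WINDOW_SECONDS):
    """Emit one alert per chain that reaches the DACL-change stage.

    Stage 1: 4688 for a permission tool by an untrusted user.
    Stage 2: timing context, folded into severity via the business-hours check.
    Stage 3: 4670 (DACL change) on a sensitive path within the window.
    Stage 4: 4663 access to the same object within the window (raises severity).
    """
    alerts = []
    for start in events:
        if start["code"] != 4688:
            continue
        tool = start["image"].rsplit("\\", 1)[-1].lower()
        if tool not in PERMISSION_TOOLS or start["user"] in TRUSTED_USER_CONTEXT:
            continue
        t0 = _when(start)
        later = [e for e in events
                 if e["user"] == start["user"]
                 and 0 <= (_when(e) - t0).total_seconds() <= window]
        dacl_changes = [e for e in later
                        if e["code"] == 4670 and is_sensitive(e["object"])]
        if not dacl_changes:
            continue
        touched = {e["object"] for e in dacl_changes}
        follow_on = [e for e in later
                     if e["code"] == 4663 and e["object"] in touched]
        after_hours = outside_business_hours(t0)
        if follow_on and after_hours:
            severity = "high"
        elif follow_on or after_hours:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({
            "user": start["user"],
            "tool": tool,
            "cmdline": start["cmdline"],
            "objects": sorted(touched),
            "follow_on_access": bool(follow_on),
            "after_hours": after_hours,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Run as a script it prints a single alert for the after-hours icacls run that was followed by a write to the modified object; the trusted account's identical command sequence and the attrib run without a sensitive DACL change produce nothing. The window is applied per user, which is the simplest join key; in production the logon ID or process ID from 4688 is a tighter correlation key than the account name.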

AN0835

Behavioral sequence of unauthorized privilege escalation via permission modification: (1) chmod/chown/setfacl process execution with suspicious parameters, (2) Targeting of critical system files or unusual permission values, (3) Correlation with non-privileged user context or unusual timing patterns, (4) Follow-on file access indicating successful permission bypass

Log Sources

Data Component | Name | Channel
File Metadata (DC0059) | auditd:SYSCALL | syscall in (chmod, fchmod, fchmodat, chown, fchown, fchownat, setxattr, lsetxattr, fsetxattr)
Command Execution (DC0064) | auditd:PROCTITLE | proctitle contains chmod, chown, setfacl, or attr commands with suspicious parameters

Mutable Elements

Field | Description
SuspiciousPermissionValues | Octal permission values that indicate potential malicious intent (default: 777, 755, 4755)
CriticalPathPatterns | Linux filesystem paths requiring enhanced monitoring (/etc/, /usr/bin/, /home/)
AuthorizedAdminUsers | User accounts permitted to perform system-level permission modifications
AnomalyThreshold | Statistical threshold for detecting unusual permission modification frequency
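As an added example (not from the DET0299 page), the block below parses raw auditd SYSCALL, PATH and PROCTITLE lines for AN0835, decodes the hex mode argument and the hex-encoded proctitle, and applies the SuspiciousPermissionValues, CriticalPathPatterns and AuthorizedAdminUsers checks. The sample log is constructed; the one assumption about its format is that the collector has already replaced numeric syscall ids with names (as ausearch -i or SIEM normalisation does), matching the "syscall in (...)" filter in the channel column. The AnomalyThreshold frequency check is not shown.

```python
"""auditd record evaluation for AN0835. Added example; sample log is constructed."""
import re
from collections import defaultdict

# Mutable elements (assumed values); admins identified by login uid (auid)
SUSPICIOUS_PERMISSION_VALUES = {0o777, 0o755, 0o4755}
CRITICAL_PATH_PATTERNS = ("/etc/", "/usr/bin/", "/home/")
AUTHORIZED_ADMIN_AUIDS = {"0"}

# Which argument carries mode_t for each mode-changing syscall
MODE_ARG = {"chmod": "a1", "fchmod": "a1", "fchmodat": "a2"}
OWNER_SYSCALLS = {"chown", "fchown", "fchownat", "lchown"}
XATTR_SYSCALLS = {"setxattr", "lsetxattr", "fsetxattr"}

# Constructed sample: three audit events, each a SYSCALL/PATH/PROCTITLE group
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1761015600.101:2001): arch=c000003e syscall=chmod success=yes exit=0 a0=55d1c2a0 a1=9ed a2=0 a3=0 items=1 ppid=4410 pid=4411 auid=1000 uid=1000 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PATH msg=audit(1761015600.101:2001): item=0 name="/tmp/helper" inode=131 dev=fd:01 mode=0100644 ouid=1000 ogid=1000
type=PROCTITLE msg=audit(1761015600.101:2001): proctitle=63686D6F640034373535002F746D702F68656C706572
type=SYSCALL msg=audit(1761015603.412:2002): arch=c000003e syscall=chmod success=yes exit=0 a0=55d1c2f0 a1=1ff a2=0 a3=0 items=1 ppid=4410 pid=4420 auid=1000 uid=1000 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PATH msg=audit(1761015603.412:2002): item=0 name="/etc/ssh/sshd_config" inode=2620 dev=fd:01 mode=0100600 ouid=0 ogid=0
type=PROCTITLE msg=audit(1761015603.412:2002): proctitle=63686D6F6400373737002F6574632F7373682F737368645F636F6E666967
type=SYSCALL msg=audit(1761015700.007:2003): arch=c000003e syscall=chown success=yes exit=0 a0=55e0a100 a1=0 a2=0 a3=0 items=1 ppid=900 pid=901 auid=0 uid=0 comm="chown" exe="/usr/bin/chown" key="perm_mod"
type=PATH msg=audit(1761015700.007:2003): item=0 name="/etc/hosts" inode=2611 dev=fd:01 mode=0100644 ouid=0 ogid=0
type=PROCTITLE msg=audit(1761015700.007:2003): proctitle=63686F776E00726F6F743A726F6F74002F6574632F686F737473
"""

LINE_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Group SYSCALL/PATH/PROCTITLE lines into one dict per audit serial."""
    records = defaultdict(lambda: {"PATH": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        rec = records[serial]
        rec["serial"], rec["ts"] = serial, float(ts)
        if rtype == "PATH":
            rec["PATH"].append(fields)      # one PATH record per items= entry
        else:
            rec[rtype] = fields
    return [records[s] for s in sorted(records, key=int)]


def decode_proctitle(hexstr):
    """PROCTITLE is hex-encoded argv with NUL separators between arguments."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").replace("\x00", " ")


def evaluate(rec):
    """Return an alert dict for a suspicious permission syscall, else None."""
    sc = rec.get("SYSCALL")
    if not sc:
        return None
    name = sc.get("syscall")
    if name not in MODE_ARG and name not in OWNER_SYSCALLS and name not in XATTR_SYSCALLS:
        return None
    if sc.get("auid") in AUTHORIZED_ADMIN_AUIDS:
        return None                          # authorised admin: not stage (3)
    reasons, mode = [], None
    if name in MODE_ARG:
        mode = int(sc[MODE_ARG[name]], 16) & 0o7777   # raw hex -> permission bits
        if mode in SUSPICIOUS_PERMISSION_VALUES:
            reasons.append(f"suspicious mode {mode:04o}")
    paths = [p.get("name", "") for p in rec["PATH"]]
    critical = [p for p in paths if p.startswith(CRITICAL_PATH_PATTERNS)]
    if critical:
        reasons.append("critical path " + ", ".join(critical))
    if not reasons:
        return None
    title = rec.get("PROCTITLE", {}).get("proctitle", "")
    return {
        "serial": rec["serial"], "syscall": name, "auid": sc.get("auid"),
        "mode": f"{mode:04o}" if mode is not None else None, "paths": paths,
        "proctitle": decode_proctitle(title) if title else "",
        "reasons": reasons, "severity": "high" if len(reasons) > 1 else "medium",
    }


def detect(text):
    return [a for a in map(evaluate, parse_records(text)) if a]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The first event (setuid 4755 on a file in /tmp by uid 1000) alerts on the mode alone; the second (0777 on /etc/ssh/sshd_config) alerts on both mode and path and is rated high; the third (root chowning /etc/hosts) is dropped as an authorised actor. Decoding PROCTITLE matters because the SYSCALL record alone shows only a pointer in a0, so the human-readable command line used for the auditd:PROCTITLE channel has to be recovered from hex.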

AN0836

macOS-specific permission modification behavioral chain: (1) chmod/chown/chflags process execution, (2) System Integrity Protection (SIP) bypass attempts, (3) Extended attribute (xattr) modifications, (4) Unified log correlation with file system events, (5) Subsequent access to previously restricted resources

Log Sources

Data Component | Name | Channel
Process Creation (DC0032) | macos:unifiedlog | process execution events for chmod, chown, chflags with unusual parameters or targets
File Metadata (DC0059) | fs:fsevents | file system events indicating permission or attribute changes

Mutable Elements

Field | Description
SIPProtectedPaths | macOS system paths protected by SIP that should never have permission modifications
SuspiciousFlagCombinations | chflags parameter combinations indicating evasive behavior (uchg, schg, hidden)
XattrMonitoringScope | Extended attributes to monitor for unauthorized modifications
UnifiedLogRetention | Log retention period for correlating permission changes with subsequent access
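An added example for AN0836, not taken from the DET0299 page: it evaluates process-execution records (constructed here as user, executable and argv tuples, on the assumption that they have already been extracted from the unified log) against the SIPProtectedPaths, SuspiciousFlagCombinations and XattrMonitoringScope elements. The path list, flag set and attribute names are assumed values; the extended attributes named are real macOS attributes used only to show what a monitoring scope looks like.

```python
"""Rule evaluation for AN0836 (macOS chmod/chown/chflags/xattr). Added example."""

# Mutable elements (assumed values)
SIP_PROTECTED_PATHS = ("/System/", "/usr/", "/bin/", "/sbin/")
SIP_EXCEPTIONS = ("/usr/local/",)             # stays writable with SIP enabled
SUSPICIOUS_FLAG_COMBINATIONS = {"uchg", "schg", "hidden"}
XATTR_MONITORING_SCOPE = {"com.apple.quarantine", "com.apple.rootless"}

# Constructed sample events: (user, executable, argv)
EVENTS = [
    ("mallory", "/usr/bin/chflags", ["chflags", "schg,hidden", "/Users/Shared/cache.db"]),
    ("mallory", "/bin/chmod", ["chmod", "-R", "777", "/System/Library/LaunchDaemons"]),
    ("mallory", "/usr/bin/xattr",
     ["xattr", "-d", "com.apple.quarantine", "/Users/mallory/Downloads/tool.dmg"]),
    ("alice", "/usr/bin/chflags", ["chflags", "nohidden", "/Users/alice/Documents/notes.txt"]),
    ("alice", "/bin/chmod", ["chmod", "644", "/usr/local/etc/app.conf"]),
]


def under_sip(path):
    """True for paths SIP protects: prefix match minus the known exceptions."""
    return path.startswith(SIP_PROTECTED_PATHS) and not path.startswith(SIP_EXCEPTIONS)


def positional(argv):
    """Drop the program name and dash options, keep operands in order."""
    return [a for a in argv[1:] if not a.startswith("-")]


def evaluate(user, exe, argv):
    """Return an alert dict when the command matches a rule, else None."""
    tool = exe.rsplit("/", 1)[-1]
    ops = positional(argv)
    reasons, targets = [], []
    if tool == "chflags" and ops:
        flags = {f.strip().lower() for f in ops[0].split(",")}
        setting = {f for f in flags if not f.startswith("no")}   # "nouchg" clears a flag
        hit = sorted(setting & SUSPICIOUS_FLAG_COMBINATIONS)
        if hit:
            reasons.append("sets flags " + ",".join(hit))
        targets = ops[1:]
    elif tool in {"chmod", "chown"}:
        targets = ops[1:]                      # first operand is the mode/owner
    elif tool == "xattr":
        # xattr -d NAME FILE...  /  xattr -w NAME VALUE FILE...
        if "-d" in argv and ops:
            name, targets = ops[0], ops[1:]
            if name in XATTR_MONITORING_SCOPE:
                reasons.append("removes monitored attribute " + name)
        elif "-w" in argv and len(ops) >= 2:
            name, targets = ops[0], ops[2:]
            if name in XATTR_MONITORING_SCOPE:
                reasons.append("writes monitored attribute " + name)
    else:
        return None
    sip_hits = [t for t in targets if under_sip(t)]
    if sip_hits:
        reasons.append("targets SIP-protected path " + ", ".join(sip_hits))
    if not reasons:
        return None
    return {"user": user, "tool": tool, "targets": targets, "reasons": reasons}


def detect(events):
    return [a for a in (evaluate(*e) for e in events) if a]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Three of the five sample events alert: the immutable/hidden flag combination, the recursive chmod under /System, and the quarantine attribute removal; clearing a flag with nohidden and editing a file under /usr/local (which SIP leaves writable) do not. On a host with SIP enabled, the chmod under /System fails with a permission error, so the process-execution record is the signal and the fs:fsevents channel tells you whether anything actually changed; both should be kept for the UnifiedLogRetention period so stage (5), later access to the resource, can still be joined to it.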

AN0837

ESXi hypervisor permission modification behavioral chain: (1) SSH access to ESXi host, (2) chmod/chown execution on VMFS datastore files or system configuration, (3) Modification of VM configuration files (.vmx) or virtual disk permissions, (4) Hostd service log correlation, (5) vCenter permission change events if centrally managed

Log Sources

Data Component | Name | Channel
Command Execution (DC0064) | esxi:shell | shell command execution for chmod, chown, or file permission modification on VMFS or system files
File Metadata (DC0059) | esxi:hostd | host daemon events related to file or VM permission changes
Active Directory Object Modification (DC0066) | esxi:vpxd | permission change operations on datastores or VMs

Mutable Elements

Field | Description
AuthorizedSSHUsers | ESXi user accounts authorized for shell access and file system operations
CriticalVMFSPaths | VMFS datastore paths requiring permission change monitoring
ShellAccessTimeWindow | Time correlation window for linking SSH access with permission modifications
vCenterIntegrationScope | Scope of vCenter audit event correlation with ESXi host activities
vCenterIntegrationScope Scope of vCenter audit event correlation with ESXi host activities