File Made Executable via Chmod Inside A Container

edit

File Made Executable via Chmod Inside A Container

edit

This rule detects when chmod is used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container.

Rule type: eql

Rule indices:

  • logs-cloud_defend*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Data Source: Elastic Defend for Containers
  • Domain: Container
  • OS: Linux
  • Use Case: Threat Detection
  • Tactic: Execution
  • Tactic: Defense Evasion

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
file where container.id: "*" and event.type in ("change", "creation") and

/*account for tools that execute utilities as a subprocess, in this case the target utility name will appear as a process arg*/
(process.name : "chmod" or process.args : "chmod") and
process.args : ("*x*", "777", "755", "754", "700") and not process.args: "-x"

Framework: MITRE ATT&CKTM