File Made Executable via Chmod Inside A Container

Last updated: 2025-03-12
Created: 2025-03-12

About

This rule detects when chmod or chown are used to add the execute permission to a file inside a container. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container.
Tags
Domain: Container
OS: Linux
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Data Source: Elastic Defend
Language: eql
Severity
low
Risk Score
21
MITRE ATT&CK™

Execution (TA0002)

Defense Evasion (TA0005)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*
Related Integrations

endpoint

Query
process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.entry_leader.entry_meta.type == "container" and process.name in ("chmod", "chown") and
process.args in ("4755", "755", "000", "777", "444", "-x", "+x")
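The EQL above, re-implemented as an added Python example (not code from Elastic or the rule repository) and run over constructed process events so each clause can be checked offline. It assumes the ECS field layout of logs-endpoint.events.process documents and uses the value "init" as a constructed non-container entry type; note that the args clause matches any argument equal to a listed value, so "chmod 444" fires just as "chmod +x" does.

```python
WATCHED_PROCESSES = {"chmod", "chown"}
WATCHED_ARGS = {"4755", "755", "000", "777", "444", "-x", "+x"}

def get_path(event, path):
    """Resolve a dotted ECS field name such as 'process.entry_leader.entry_meta.type'."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(event):
    """Mirror the EQL query clause by clause. 'process.args in (...)' is true when
    ANY element of the args array equals a listed value, so 'chmod 444' (which
    removes execute bits) fires exactly like 'chmod +x'."""
    args = get_path(event, "process.args") or []
    return (
        get_path(event, "host.os.type") == "linux"
        and get_path(event, "event.type") == "start"
        and get_path(event, "event.action") == "exec"
        and get_path(event, "process.entry_leader.entry_meta.type") == "container"
        and get_path(event, "process.name") in WATCHED_PROCESSES
        and any(a in WATCHED_ARGS for a in args)
    )

def make_event(name, args, entry_type="container"):
    """Build a constructed document shaped like a logs-endpoint.events.process hit."""
    return {
        "host": {"os": {"type": "linux"}},
        "event": {"type": "start", "action": "exec"},
        "process": {
            "name": name,
            "args": [name] + list(args),
            "entry_leader": {"entry_meta": {"type": entry_type}},
        },
    }

# Constructed sample events covering the cases a rule tuner would want to check.
SAMPLE_EVENTS = [
    ("chmod_plus_x_in_container", make_event("chmod", ["+x", "/tmp/script.sh"])),
    ("chmod_444_in_container", make_event("chmod", ["444", "/etc/app.conf"])),
    ("chmod_644_in_container", make_event("chmod", ["644", "/etc/app.conf"])),
    ("chmod_plus_x_outside_container", make_event("chmod", ["+x", "/opt/tool"], "init")),
    ("shell_in_container", make_event("bash", ["-c", "id"])),
]

def run_rule(events=SAMPLE_EVENTS):
    """Return {label: matched} for every sample event."""
    return {label: matches_rule(ev) for label, ev in events}
```

Running run_rule() shows the two container chmod events with listed arguments alerting and the 644, host-side and non-chmod events staying quiet, which is the behaviour to keep in mind when tuning the risk score or adding exceptions.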

Install detection rules in Elastic Security

Detect File Made Executable via Chmod Inside A Container in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.