AN0835: Analytic 0835
Behavioral sequence of unauthorized privilege escalation via permission modification: (1) chmod/chown/setfacl process execution with suspicious parameters, (2) Targeting of critical system files or unusual permission values, (3) Correlation with non-privileged user context or unusual timing patterns, (4) Follow-on file access indicating successful permission bypass
Analyst context for executives and security teams
AN0835 is a Linux-focused detection analytic for spotting suspicious permission changes that may allow a non-privileged user to access or control files they should not. Its business value is in validating whether the organization can see risky changes to critical system files before they become an incident response problem, compliance gap, or operational resilience issue.
Executive priority
Leaders should treat this as a control-validation item for Linux privilege and file integrity risk. The key question is not whether chmod, chown, or setfacl are used — they are normal administrative tools — but whether security teams can distinguish authorized administration from suspicious permission modification against sensitive files, especially when followed by access that suggests a permission bypass. This supports audit evidence, incident triage readiness, and prioritization of Linux logging and file integrity controls.
Technical view
For SOC, detection engineering, and IR teams, validate visibility into Linux process execution for chmod, chown, and setfacl, including command parameters, target paths, user context, and timing. The analytic described by MITRE depends on sequencing: suspicious permission-modification commands, critical system file targets or unusual permission values, correlation to non-privileged users or unusual timing, and follow-on file access. Because no official detection logic is supplied, teams should build and tune locally against known administrative baselines and sensitive file inventories.
Likely telemetry
- Linux process execution events including command name and arguments
- User context for process execution, including the login uid (auditd's auid), so that a command elevated through sudo is still attributed to the non-privileged user who ran it rather than to uid 0
- File path and permission/ownership change evidence for critical system files
- File access events after permission changes
- Timestamp and scheduling context to identify unusual timing patterns
Detection direction
- Confirm collection of command-line arguments for chmod, chown, and setfacl on Linux systems; auditd execve records capture argv, and a process-name-only feed cannot distinguish chmod 644 from chmod 4755.
- Tune against legitimate administrative workflows to reduce false positives from patching, configuration management, and system maintenance.
- Prioritize alerts where permission changes target critical system files or use unusual permission values.
- Correlate permission modification events with non-privileged user context and subsequent file access to increase confidence.
- Identify blind spots where endpoint logging, audit policy, or file access monitoring does not capture the full sequence described by the analytic.
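The following is an added example, not code from MITRE, Glexia, or the analytic itself. It runs the four-stage sequence from the Technical view and the Detection direction bullets over constructed, auditd-like process and file events: stage 1 inspects the chmod, chown, or setfacl parameters; stage 2 matches targets against a critical-path inventory; stage 3 checks the login uid and the hour of day; stage 4 looks for access to the same path within a short window. The key=value event format, the critical-path list, the maintenance window, and the ten-minute follow-on window are assumptions chosen for the example and must be tuned against local baselines.

```python
"""Four-stage AN0835 sequence detector over constructed Linux events.

Added example, not MITRE's or Glexia's code. The key=value event format,
the critical-path inventory, the maintenance window and the follow-on
window are assumptions chosen for the example; tune them to local baselines.
"""
import re
import shlex
from datetime import datetime

# Assumed inventory of critical paths (prefix match). Replace with the local list.
CRITICAL_PREFIXES = (
    "/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/cron", "/etc/ssh/",
    "/root/", "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
)
PERM_TOOLS = {"chmod", "chown", "setfacl"}
EXPECTED_HOURS = range(8, 18)   # assumed change window, UTC
FOLLOW_ON_WINDOW_S = 600        # assumed: follow-on access within 10 minutes

# setfacl entry that grants write, e.g. "u:svc:rw" or "o::rwx"
ACL_GRANTS_WRITE = re.compile(r"(?:u|user|g|group|o|other):[^:\s]*:[rwxX]*w")


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; quoted values are allowed."""
    ts, _, rest = line.strip().partition(" ")
    ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for tok in shlex.split(rest):
        key, _, val = tok.partition("=")
        ev[key] = val
    ev["uid"] = int(ev.get("uid", -1))
    # auditd's auid (login uid) survives sudo; fall back to uid if absent.
    ev["auid"] = int(ev.get("auid", ev["uid"]))
    return ev


def suspicious_params(comm, argv):
    """Stage 1: parameters that add privilege or widen access."""
    if comm == "chmod":
        for arg in argv[1:]:
            if arg.startswith("-") or arg.startswith("/"):
                continue
            if re.fullmatch(r"[0-7]{3,4}", arg):
                mode = int(arg, 8)
                if mode & 0o6000 or mode & 0o002:   # setuid/setgid or world-writable
                    return True
                continue
            for clause in arg.split(","):           # symbolic form, e.g. u+s,o+w
                m = re.fullmatch(r"([ugoa]*)([+=-])([rwxXst]*)", clause)
                if not m or m.group(2) == "-":
                    continue
                who, perms = m.group(1) or "a", m.group(3)
                if "s" in perms or ("w" in perms and ("o" in who or "a" in who)):
                    return True
        return False
    if comm == "chown":
        spec = next((a for a in argv[1:] if not a.startswith("-")), "")
        owner = spec.split(":")[0]
        return owner not in ("", "root", "0")      # ownership moved away from root
    if comm == "setfacl":
        return bool(ACL_GRANTS_WRITE.search(" ".join(argv)))
    return False


def detect(lines):
    """Return one alert per permission change that satisfies at least three stages."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev.get("type") != "exec" or ev.get("comm") not in PERM_TOOLS:
            continue
        argv = shlex.split(ev.get("args", ""))
        targets = [a for a in argv[1:] if a.startswith("/")]
        stages = {
            "suspicious_params": suspicious_params(ev["comm"], argv),
            "critical_target": any(t.startswith(CRITICAL_PREFIXES) for t in targets),
            "unprivileged_or_odd_time": ev["auid"] != 0 or ev["ts"].hour not in EXPECTED_HOURS,
            "follow_on_access": any(
                f.get("path") in targets
                and (f["ts"] - ev["ts"]).total_seconds() <= FOLLOW_ON_WINDOW_S
                for f in events[i + 1:]
            ),
        }
        score = sum(stages.values())
        if score >= 3:
            alerts.append({"ts": ev["ts"].isoformat(), "user": ev.get("user"),
                           "comm": ev["comm"], "targets": targets,
                           "score": score, "stages": stages})
    return alerts


# Constructed sample telemetry (not real logs): two abuse sequences and two
# routine administrative changes that should not alert.
SAMPLE_EVENTS = [
    '2024-05-01T02:13:04Z type=exec uid=0 auid=1001 user=deploy comm=chmod args="chmod 4755 /usr/bin/find"',
    '2024-05-01T02:13:09Z type=exec uid=1001 auid=1001 user=deploy comm=find path=/usr/bin/find',
    '2024-05-01T10:02:11Z type=exec uid=0 auid=0 user=root comm=chmod args="chmod 644 /etc/myapp/app.conf"',
    '2024-05-01T10:30:00Z type=exec uid=0 auid=0 user=root comm=chown args="chown root:root /usr/sbin/sshd"',
    '2024-05-01T23:41:50Z type=exec uid=0 auid=1002 user=svc comm=setfacl args="setfacl -m u:svc:rw /etc/sudoers"',
    '2024-05-01T23:42:02Z type=open uid=1002 auid=1002 user=svc path=/etc/sudoers',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["user"], alert["comm"], alert["targets"], "score", alert["score"])
```

Scoring on the count of satisfied stages, rather than requiring all four, is deliberate: a setuid bit dropped on a file outside the inventory by a non-privileged login still scores three, which matches the "critical system files or unusual permission values" wording of the analytic, while root running chown root:root on sshd during the change window scores one and stays quiet. The follow-on check matches only on an exact path; production logic should also fold in hard links, symlinks, and the directory case for recursive changes.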
Mitigation priorities
- Define and maintain an inventory of critical Linux system files and expected permissions.
- Enforce least privilege for users and administrative accounts on Linux systems.
- Use change control and configuration management baselines to identify unauthorized permission drift.
- Ensure Linux endpoint logging or audit configuration captures process execution, command arguments, permission changes, and relevant file access.
- Document detection logic and evidence retention to support incident response and compliance readiness.
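An added example for the first and third mitigation bullets (the critical-file inventory and drift detection against it); it is not Glexia's or MITRE's tooling. It parses a baseline of expected mode and owner per path, compares it with what is on disk, and names the kind of drift in security terms (setuid added, world-writable, widened group/other access, owner changed, missing). The baseline line format is an assumption; in practice the expected values come from the package manager or configuration management. The demo builds a throwaway tree with constructed drift so the check runs offline.

```python
"""Critical-file permission baseline check.

Added example, not Glexia's or MITRE's tooling. The baseline line format
('path mode uid gid', octal mode) is an assumption; in practice the
expected values come from the package manager or configuration management.
"""
import os
import stat
import tempfile


def parse_baseline(text):
    """Parse 'path mode uid gid' lines; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, mode, uid, gid = line.split()
        entries.append((path, int(mode, 8), int(uid), int(gid)))
    return entries


def classify(expected, actual):
    """Name the most security-relevant kind of mode drift."""
    added = actual & ~expected
    if added & (stat.S_ISUID | stat.S_ISGID):
        return "setuid/setgid added"
    if added & stat.S_IWOTH:
        return "world-writable"
    if added & (stat.S_IRWXG | stat.S_IRWXO):
        return "widened group/other access"
    return "mode changed"


def check_baseline(entries, root=""):
    """Compare each baseline entry with the file under `root`; return drift findings."""
    findings = []
    for path, exp_mode, exp_uid, exp_gid in entries:
        try:
            st = os.lstat(root + path)
        except FileNotFoundError:
            findings.append({"path": path, "issue": "missing"})
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode != exp_mode:
            findings.append({"path": path, "issue": classify(exp_mode, mode),
                             "expected": oct(exp_mode), "actual": oct(mode)})
        if (st.st_uid, st.st_gid) != (exp_uid, exp_gid):
            findings.append({"path": path, "issue": "owner changed",
                             "expected": f"{exp_uid}:{exp_gid}",
                             "actual": f"{st.st_uid}:{st.st_gid}"})
    return findings


def demo():
    """Build a throwaway tree with constructed drift and check it. The owner in the
    baseline is the current user, so only mode drift and a missing file are expected."""
    with tempfile.TemporaryDirectory() as root:
        # Files created below inherit this uid/gid (gid follows the directory if it is setgid).
        uid, gid = os.geteuid(), os.lstat(root).st_gid
        baseline = parse_baseline(f"""
        # path                 mode  uid    gid
        /etc/sudoers           0440  {uid}  {gid}
        /usr/bin/find          0755  {uid}  {gid}
        /etc/cron.d/backup     0644  {uid}  {gid}
        /etc/ssh/sshd_config   0600  {uid}  {gid}
        """)
        for path, mode in (("/etc/sudoers", 0o440),           # matches baseline
                           ("/usr/bin/find", 0o4755),         # setuid bit added
                           ("/etc/cron.d/backup", 0o666)):    # world-writable
            os.makedirs(os.path.dirname(root + path), exist_ok=True)
            with open(root + path, "w") as fh:
                fh.write("x")
            os.chmod(root + path, mode)
        # /etc/ssh/sshd_config is deliberately not created.
        return check_baseline(baseline, root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it as a scheduled job and ship the findings to the same pipeline as the process telemetry: a "setuid/setgid added" finding on a path that also appears in a chmod alert is the strongest confirmation the analytic offers. Note that lstat is used so a symlink planted in place of a critical file shows up as a mode and owner mismatch instead of being followed.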
Analyst notes and limits
This object is a detection analytic, not a full ATT&CK technique entry. It has no supplied tactics, no relationships, and no official detection implementation. The practical value is in validating whether the organization can observe and correlate the described Linux permission-modification sequence in its own environment.
The supplied ATT&CK fields only support Linux scope and the behavioral sequence in the official description. No relationship context, adversary usage, impact claims, or ready-to-run detection logic is provided, so local asset criticality, baselines, and telemetry coverage are required before operationalizing.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK Updates page on MITRE's site.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6f5cc31784e9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0835 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.