MITRE ATT&CK® Analytic

AN0998: Analytic 0998

Linux permission escalation behavioral chain: (1) Process creation of permission modification utilities (chmod, chown, chgrp, setfacl) with suspicious parameters indicating privilege escalation intent, (2) System call analysis revealing direct file metadata manipulation (chmod, fchmod, chown, fchown syscalls), (3) Extended attribute and ACL modifications targeting critical system paths, (4) Temporal correlation with subsequent file access or process execution from modified locations, (5) Anomalous permission patterns deviating from system baselines

Enterprise | AN0998 | Analytic | Object version 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

AN0998 is a Linux-focused detection analytic for suspicious permission and ownership changes that may enable privilege escalation or unauthorized execution. Its business value is in validating whether security teams can see when critical files or directories are made more permissive, reassigned, or altered through ACL/extended attribute changes before those changes lead to execution or access from modified locations.

Executive priority

Treat this as a control-validation item for Linux server resilience and incident readiness. Leaders should ask whether high-value Linux systems generate usable evidence for permission changes, syscall-level file metadata manipulation, and follow-on execution from modified paths. The priority is strongest where Linux hosts support critical applications, identity infrastructure, regulated workloads, or operational systems, because unauthorized permission drift can undermine hardening standards and complicate audit evidence.

Technical view

For SOC, detection engineering, and IR teams, validate coverage around Linux process creation for chmod, chown, chgrp, and setfacl with suspicious parameters; syscall evidence for chmod, fchmod, chown, and fchown; ACL and extended attribute changes affecting critical system paths; and temporal correlation between those changes and later file access or process execution. Because ATT&CK provides no separate detection text and no relationship context for this analytic, local baselines are essential to distinguish administrative maintenance from anomalous privilege-related behavior.

Likely telemetry

  • Linux process creation events for permission and ownership utilities such as chmod, chown, chgrp, and setfacl
  • Linux syscall or audit telemetry for chmod, fchmod, chown, and fchown activity
  • File metadata, ACL, and extended attribute change records
  • File access and process execution events from recently modified locations
  • Asset and path context identifying critical system paths

Detection direction

  • Confirm collection is present on Linux platforms; this analytic is not described for other platforms in the supplied ATT&CK fields.
  • Tune alerts around suspicious parameter use, sensitive path targeting, and unusual permission patterns rather than utility execution alone, which can be common in administration.
  • Correlate permission or ownership changes with subsequent access or execution to improve triage value.
  • Account for expected change windows, package management, deployment automation, and administrator activity as likely false-positive sources.
  • Review blind spots where endpoint logging lacks syscall visibility, ACL/extended attribute visibility, or enough retention to compare against baselines.
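The correlation the bullets above call for, written out as an added example (this code is not from the Glexia page or from ATT&CK). It assumes simplified auditd-style syscall records constructed inline, an assumed set of critical path prefixes, and an assumed 600-second follow-on window; a suspicious mode is taken to mean setuid/setgid or world-writable.

```python
import stat

# Constructed, simplified auditd-style syscall records (not real logs). Each dict
# carries only the fields the analytic needs: time, syscall, target path, new mode
# (None for ownership or access events), login uid and pid.
EVENTS = [
    {"ts": 100, "syscall": "chmod", "path": "/usr/local/bin/backup", "mode": 0o4755, "auid": 1001, "pid": 40},
    {"ts": 101, "syscall": "chmod", "path": "/home/alice/notes.txt", "mode": 0o666, "auid": 1001, "pid": 41},
    {"ts": 130, "syscall": "execve", "path": "/usr/local/bin/backup", "mode": None, "auid": 1001, "pid": 42},
    {"ts": 200, "syscall": "chmod", "path": "/etc/cron.d/job", "mode": 0o644, "auid": 0, "pid": 43},
    {"ts": 300, "syscall": "chmod", "path": "/etc/cron.d/nightly", "mode": 0o777, "auid": 1001, "pid": 44},
    {"ts": 1300, "syscall": "openat", "path": "/etc/cron.d/nightly", "mode": None, "auid": 1001, "pid": 45},
]

# Assumed baseline of "critical system paths"; a real deployment derives this from asset context.
CRITICAL_PREFIXES = ("/etc/", "/usr/", "/bin/", "/sbin/", "/lib/", "/boot/")
PERM_SYSCALLS = {"chmod", "fchmod", "fchmodat", "chown", "fchown", "fchownat"}
FOLLOW_ON = {"execve", "execveat", "open", "openat"}


def suspicious_mode(mode):
    """Setuid/setgid bit or world-writable bit set: patterns that deviate from a typical baseline."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH))


def is_critical(path):
    return path.startswith(CRITICAL_PREFIXES)


def correlate(events, window=600):
    """Stages 2-4 of the chain: a metadata syscall on a critical path (with a suspicious
    mode, or any ownership change) followed within `window` seconds by access or
    execution of the same path. Returns one alert dict per matched pair."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, change in enumerate(events):
        if change["syscall"] not in PERM_SYSCALLS or not is_critical(change["path"]):
            continue
        if change["mode"] is not None and not suspicious_mode(change["mode"]):
            continue  # ordinary mode change by an administrator; not alert-worthy on its own
        for later in events[i + 1:]:
            if later["ts"] - change["ts"] > window:
                break  # outside the temporal correlation window
            if later["syscall"] in FOLLOW_ON and later["path"] == change["path"]:
                alerts.append({"path": change["path"], "change": change["syscall"],
                               "mode": oct(change["mode"]) if change["mode"] is not None else None,
                               "auid": change["auid"], "follow_on": later["syscall"],
                               "delta_s": later["ts"] - change["ts"]})
                break
    return alerts
```

On the sample records only the setuid change on /usr/local/bin/backup followed by execve 30 seconds later is reported; the world-writable change under /etc/cron.d is accessed too late for the default window, and the /home change is outside the critical paths.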

Mitigation priorities

  • Establish and document expected ownership, permission, ACL, and extended attribute baselines for critical Linux paths.
  • Limit administrative access capable of changing sensitive file permissions and ownership.
  • Monitor and review permission changes on critical systems, especially when followed by execution or access from modified locations.
  • Use change management context to separate approved maintenance from unexplained permission drift.
  • Ensure incident response playbooks include validation of recent Linux permission and ownership changes during privilege escalation investigations.

Analyst notes and limits

This take is based on the official AN0998 description, which frames a behavioral chain for Linux permission escalation involving permission utilities, direct metadata syscalls, ACL/extended attribute changes, temporal follow-on activity, and baseline deviation. No ATT&CK tactics, relationships, aliases, labels, or separate official detection text were supplied.

The source object is a detection analytic with sparse context. It does not specify tactics, related techniques, adversary use, impact, or guaranteed detection logic. Environment-specific asset criticality, logging configuration, normal administrative behavior, and baseline quality are required to determine priority and coverage.

Official MITRE ATT&CK definition

Analytic 0998

Linux permission escalation behavioral chain: (1) Process creation of permission modification utilities (chmod, chown, chgrp, setfacl) with suspicious parameters indicating privilege escalation intent, (2) System call analysis revealing direct file metadata manipulation (chmod, fchmod, chown, fchown syscalls), (3) Extended attribute and ACL modifications targeting critical system paths, (4) Temporal correlation with subsequent file access or process execution from modified locations, (5) Anomalous permission patterns deviating from system baselines

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: cc2d25b1336149bc...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | cc2d25b13361…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.