DET0351: Unix-like File Permission Manipulation Behavioral Chain Detection Strategy
Analyst context for executives and security teams
This detection strategy matters because it is tied to adversary manipulation of Linux and macOS file or directory permissions to weaken access controls and reach protected files. For leaders, the practical issue is not just a file mode change; it is whether the organization can prove that critical Unix-like systems, sensitive directories, and privileged access paths are being monitored for defense-impairing changes.
Executive priority
Prioritize this where Linux or macOS systems support business-critical services, regulated data, development pipelines, or administrative jump points. Security leaders should ask whether permission and attribute changes on sensitive files are logged, reviewed, and tied to incident response decisions. This is also useful compliance evidence: it shows whether access-control integrity is monitored rather than only configured once.
Technical view
The ATT&CK object has no official description or detection text, so implementation should be driven by its relationship to T1222.002, Linux and Mac Permissions, a sub-technique under the Defense Evasion tactic. SOC and detection teams should validate visibility into file and directory permission, ownership, and attribute changes on Linux and macOS (the chmod, chown, chattr, and setfacl utilities and the syscalls behind them), especially when performed by privileged accounts, against protected paths, or in sequences that suggest access-control weakening. Treat this as behavioral-chain detection rather than a single-event rule: baseline expected administrative, deployment, backup, and update activity before alerting on deviations, and correlate multiple weakening changes by the same actor rather than alerting on each mode change in isolation.
Likely telemetry
- Linux and macOS file and directory permission or attribute change events
- Audit or endpoint telemetry showing the user, process, target path, and timestamp of permission changes
- Privileged account activity associated with access-control changes
- File integrity or configuration monitoring records for sensitive paths
- Change-management or administrative maintenance records for false-positive review
Detection direction
- Confirm that telemetry captures both the actor and the affected file or directory, not only that a change occurred.
- Tune detections around sensitive paths, privileged users, unexpected ownership or permission changes, and sequences of changes that weaken access control.
- Account for legitimate noise from system updates, software deployment, backups, and administrator maintenance.
- Use the related technique context, T1222.002, to focus on Linux and macOS environments; do not assume coverage for platforms not represented in the relationship.
- Validate alert triage can answer whether the change enabled access to protected files or impaired existing controls.
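The following is an added example of the behavioral-chain logic described in the technical view and detection direction above; it is not DET0351's own detection content and not code from MITRE or Glexia. It assumes a constructed, flattened approximation of auditd telemetry (one event per line, with the PATH record's name, mode, and ouid fields already joined onto the SYSCALL record; real auditd emits them as separate records sharing a `msg=audit(ts:serial)` key), an assumed expected-permissions baseline for a few critical paths, and an assumed allowlist for package-manager noise. Each event is scored for whether it weakens access control relative to the baseline, and weakening events by the same login uid within a window are grouped into a chain alert.

```python
"""Behavioral-chain detection for Unix-like permission manipulation.

Added example (not DET0351's own logic). Input is a constructed, flattened
approximation of auditd telemetry: one event per line, with the PATH record's
name/mode/ouid fields assumed to have been joined onto the SYSCALL record.
"""
import re
import stat
from collections import defaultdict

FIELD_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')

# Assumed known-good baseline (mode, owner uid) for critical paths.
EXPECTED = {
    "/etc/shadow": (0o640, 0),
    "/etc/ssh/sshd_config": (0o600, 0),
    "/usr/bin/find": (0o755, 0),
}
SENSITIVE_PREFIXES = ("/etc/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/root/")
# Assumed allowlist: package managers legitimately rewrite modes under /usr.
PACKAGE_MANAGERS = {"dpkg", "rpm", "apt", "apt-get", "yum", "dnf"}
CHAIN_WINDOW_S = 300  # correlate weakening changes by one actor within 5 min

# Constructed sample telemetry, not captured from a real host.
SAMPLE_LOG = """\
ts=1700000000 auid=1000 uid=0 comm="dpkg" exe="/usr/bin/dpkg" path="/usr/bin/curl" mode=0100755
ts=1700000010 auid=1000 uid=0 comm="chmod" exe="/usr/bin/chmod" path="/etc/ssh/sshd_config" mode=0100600
ts=1700000100 auid=1000 uid=0 comm="chown" exe="/usr/bin/chown" path="/etc/shadow" ouid=33 mode=0100640
ts=1700000130 auid=1000 uid=0 comm="chmod" exe="/usr/bin/chmod" path="/etc/shadow" mode=0100666
ts=1700000160 auid=1000 uid=0 comm="chmod" exe="/usr/bin/chmod" path="/usr/bin/find" mode=0104755
ts=1700005000 auid=1001 uid=1001 comm="chmod" exe="/usr/bin/chmod" path="/home/dev/notes.txt" mode=0100666
"""


def parse_event(line):
    """Parse one flattened event line into a dict; quoted values are unquoted."""
    ev = {key: raw.strip('"') for key, raw in FIELD_RE.findall(line)}
    ev["ts"] = int(ev["ts"])
    ev["mode"] = int(ev["mode"], 8) & 0o7777  # keep permission bits, drop file type
    return ev


def weakening_reasons(ev):
    """Return the reasons an event weakens access control on its target, if any."""
    path, mode, comm = ev["path"], ev["mode"], ev["comm"]
    reasons = []
    if path in EXPECTED:
        exp_mode, exp_owner = EXPECTED[path]
        added = mode & ~exp_mode  # any bit not in the baseline grants new access
        if added:
            reasons.append("mode adds %s over baseline %s" % (oct(added), oct(exp_mode)))
        if "ouid" in ev and int(ev["ouid"]) != exp_owner:
            reasons.append("owner changed to uid %s (expected %d)" % (ev["ouid"], exp_owner))
    elif path.startswith(SENSITIVE_PREFIXES):
        if comm in PACKAGE_MANAGERS and path.startswith("/usr/"):
            return []  # expected deployment noise on non-baselined paths
        if mode & stat.S_IWOTH:
            reasons.append("world-writable %s under sensitive prefix" % oct(mode))
        if mode & (stat.S_ISUID | stat.S_ISGID):
            reasons.append("setuid/setgid %s under sensitive prefix" % oct(mode))
    return reasons


def detect(log_text):
    """Score events, then correlate weakening changes per login uid into chains.

    Returns alerts of the form {actor, kind: 'single'|'chain', events}, where
    events carry the target path, the process, and the reasons it was flagged.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = weakening_reasons(ev)
        if reasons:
            findings[ev["auid"]].append({"ts": ev["ts"], "path": ev["path"],
                                         "comm": ev["comm"], "reasons": reasons})
    alerts = []
    for actor, evs in findings.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= CHAIN_WINDOW_S:
                j += 1
            group = evs[i:j + 1]
            alerts.append({"actor": actor, "kind": "chain" if len(group) > 1 else "single",
                           "events": group})
            i = j + 1
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["kind"], "by auid", alert["actor"])
        for e in alert["events"]:
            print("  ", e["comm"], e["path"], "; ".join(e["reasons"]))
```

On the sample input this yields one chain alert for auid 1000: the ownership change and world-writable mode on /etc/shadow followed by a setuid bit on /usr/bin/find, all within the window. The dpkg change under /usr and the tightening of sshd_config are suppressed, and the change in /home is outside the sensitive set. Two design points carry over to production: the allowlist is consulted only for paths without a baseline entry, so a package manager rewriting /etc/shadow would still alert, and the actor key is auid (the login uid), not uid, so activity under sudo is attributed to the person rather than to root. To feed this from auditd, the syscalls to watch are chmod, fchmod, fchmodat, chown, fchown, fchownat, lchown, and the setxattr family.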
Mitigation priorities
- Define and maintain expected permissions for critical files, directories, and application paths.
- Apply least privilege so only approved users or groups can change sensitive permissions or attributes.
- Use change control for administrative permission changes on important systems.
- Monitor and review deviations from approved permission baselines.
- Prepare IR procedures to restore known-good permissions and investigate the account, process, and host involved.
Analyst notes and limits
DET0351 is a detection strategy object, but the supplied ATT&CK fields do not include official detection logic. The strongest supported context is the detects relationship to T1222.002, Linux and Mac Permissions, which describes adversaries modifying file or directory permissions or attributes to evade ACLs and access protected files.
Platforms and tactics are not specified on the detection-strategy object itself; Linux, macOS, and the Defense Evasion tactic come from the related technique. Local file-system layout, administrative practices, logging configuration, and critical path definitions are required before this can be converted into reliable detections.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1222.002 | Linux and Mac Permissions (sub-technique) | This object detects Linux and Mac Permissions. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 723eae0a0670… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0351
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.