Bash Shell Profile Modification

  1[metadata]
  2creation_date = "2021/01/19"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files
 11are executed in a user's context, either interactively or non-interactively, when a user logs in so that their
 12environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content
 13triggered by a user’s shell.
 14"""
 15false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
 16from = "now-9m"
 17index = ["logs-endpoint.events.*", "auditbeat-*"]
 18language = "kuery"
 19license = "Elastic License v2"
 20name = "Bash Shell Profile Modification"
 21references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"]
 22risk_score = 47
 23rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
 24severity = "medium"
 25tags = [
 26    "Domain: Endpoint",
 27    "OS: macOS",
 28    "OS: Linux",
 29    "Use Case: Threat Detection",
 30    "Tactic: Persistence",
 31    "Data Source: Elastic Defend",
 32    "Resources: Investigation Guide",
 33]
 34timestamp_override = "event.ingested"
 35type = "query"
 36
 37query = '''
 38event.category:file and event.type:change and
 39  process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or
 40  launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or
 41  dnf-automatic or git or dpkg or platform-python)) and
 42  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and
 43  file.path:(/private/etc/rc.local or
 44             /etc/rc.local or
 45             /home/*/.profile or
 46             /home/*/.profile1 or
 47             /home/*/.bash_profile or
 48             /home/*/.bash_profile1 or
 49             /home/*/.bashrc or
 50             /Users/*/.bash_profile or
 51             /Users/*/.zshenv)
 52'''
 53note = """## Triage and analysis
 54
 55> **Disclaimer**:
 56> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 57
 58### Investigating Bash Shell Profile Modification
 59
 60Bash shell profiles, such as `.bash_profile` and `.bashrc`, are scripts that configure user environments upon login. Adversaries exploit these by inserting malicious commands to ensure persistence, executing harmful scripts whenever a user initiates a shell session. The detection rule identifies unauthorized modifications by monitoring file changes and filtering out benign processes, focusing on unusual executables and paths to flag potential threats.
 61
 62### Possible investigation steps
 63
 64- Review the alert details to identify the specific file path that was modified, focusing on paths like /home/*/.bash_profile or /home/*/.bashrc.
 65- Examine the process name and executable that triggered the alert to determine if it is an unusual or unauthorized process, as specified in the query.
 66- Check the modification timestamp of the affected file to correlate with any known user activity or scheduled tasks.
 67- Investigate the contents of the modified Bash shell profile file to identify any suspicious or unexpected commands or scripts.
 68- Cross-reference the user account associated with the modified file to determine if the activity aligns with their typical behavior or if the account may be compromised.
 69- Look for any related alerts or logs around the same timeframe that might indicate a broader attack or persistence mechanism.
 70
 71### False positive analysis
 72
 73- Frequent use of text editors like vim or nano may trigger alerts when users legitimately modify their shell profiles. To mitigate this, consider excluding these processes from the detection rule if they are commonly used in your environment.
 74- Automated system updates or configuration management tools like dnf or yum might modify shell profiles as part of their operations. Exclude these processes if they are verified as part of routine maintenance.
 75- Development tools such as git or platform-python may alter shell profiles during setup or updates. If these tools are regularly used, add them to the exclusion list to prevent false positives.
 76- User-specific applications located in directories like /Applications or /usr/local may be flagged if they modify shell profiles. Verify these applications and exclude their paths if they are trusted and frequently used.
 77- Consider excluding specific user directories from monitoring if they are known to contain benign scripts that modify shell profiles, ensuring these exclusions are well-documented and reviewed regularly.
 78
 79### Response and remediation
 80
 81- Immediately isolate the affected system from the network to prevent further malicious activity and lateral movement.
 82- Terminate any suspicious processes identified in the alert that are not part of the allowed list, such as unauthorized executables modifying shell profiles.
 83- Restore the modified shell profile files (.bash_profile, .bashrc) from a known good backup to remove any malicious entries.
 84- Conduct a thorough review of user accounts and permissions on the affected system to ensure no unauthorized access or privilege escalation has occurred.
 85- Implement file integrity monitoring on critical shell profile files to detect and alert on future unauthorized changes.
 86- Escalate the incident to the security operations team for further investigation and to determine if additional systems are affected.
 87- Review and update endpoint protection policies to enhance detection capabilities for similar persistence techniques, leveraging MITRE ATT&CK framework references for T1546."""
 88
 89
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1546"
 94name = "Event Triggered Execution"
 95reference = "https://attack.mitre.org/techniques/T1546/"
 96[[rule.threat.technique.subtechnique]]
 97id = "T1546.004"
 98name = "Unix Shell Configuration Modification"
 99reference = "https://attack.mitre.org/techniques/T1546/004/"
100
101
102
103[rule.threat.tactic]
104id = "TA0003"
105name = "Persistence"
106reference = "https://attack.mitre.org/tactics/TA0003/"