Bash Shell Profile Modification
Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/19"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files
11are executed in a user's context, either interactively or non-interactively, when a user logs in so that their
12environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content
13triggered by a user’s shell.
14"""
15false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
16from = "now-9m"
17index = ["logs-endpoint.events.*", "auditbeat-*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Bash Shell Profile Modification"
21references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"]
22risk_score = 47
23rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
24severity = "medium"
25tags = [
26 "Domain: Endpoint",
27 "OS: macOS",
28 "OS: Linux",
29 "Use Case: Threat Detection",
30 "Tactic: Persistence",
31 "Data Source: Elastic Defend",
32]
33timestamp_override = "event.ingested"
34type = "query"
35
36query = '''
37event.category:file and event.type:change and
38 process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or
39 launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or
40 dnf-automatic or git or dpkg or platform-python)) and
41 not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and
42 file.path:(/private/etc/rc.local or
43 /etc/rc.local or
44 /home/*/.profile or
45 /home/*/.profile1 or
46 /home/*/.bash_profile or
47 /home/*/.bash_profile1 or
48 /home/*/.bashrc or
49 /Users/*/.bash_profile or
50 /Users/*/.zshenv)
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56[[rule.threat.technique]]
57id = "T1546"
58name = "Event Triggered Execution"
59reference = "https://attack.mitre.org/techniques/T1546/"
60[[rule.threat.technique.subtechnique]]
61id = "T1546.004"
62name = "Unix Shell Configuration Modification"
63reference = "https://attack.mitre.org/techniques/T1546/004/"
64
65
66
67[rule.threat.tactic]
68id = "TA0003"
69name = "Persistence"
70reference = "https://attack.mitre.org/tactics/TA0003/"
References
-
Cyber threat researchers from Anomali Labs have discovered a new malware, called “Linux Rabbit and Rabbot,” that targeted Linux servers and IoT devices.
Read More
Related rules
- Modification of Standard Authentication Module or Configuration
- SSH Authorized Keys File Modification
- Attempt to Enable the Root Account
- Authorization Plugin Modification
- Creation of Hidden Launch Agent or Daemon