Bash Shell Profile Modification

calendar Sep 5, 2023 · Domain: Endpoint OS: macOS OS: Linux Use Case: Threat Detection Tactic: Persistence Data Source: Elastic Defend  ·
Share on: linkedin copy

Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/19"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files
13are executed in a user's context, either interactively or non-interactively, when a user logs in so that their
14environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content
15triggered by a user’s shell.
16"""
17false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
18from = "now-9m"
19index = ["logs-endpoint.events.*", "auditbeat-*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Bash Shell Profile Modification"
23references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"]
24risk_score = 47
25rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.category:file and event.type:change and
33  process.name:(* and not (sudo or
34                           vim or
35                           zsh or
36                           env or
37                           nano or
38                           bash or
39                           Terminal or
40                           xpcproxy or
41                           login or
42                           cat or
43                           cp or
44                           launchctl or
45                           java)) and
46  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and
47  file.path:(/private/etc/rc.local or
48             /etc/rc.local or
49             /home/*/.profile or
50             /home/*/.profile1 or
51             /home/*/.bash_profile or
52             /home/*/.bash_profile1 or
53             /home/*/.bashrc or
54             /Users/*/.bash_profile or
55             /Users/*/.zshenv)
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1546"
63name = "Event Triggered Execution"
64reference = "https://attack.mitre.org/techniques/T1546/"
65[[rule.threat.technique.subtechnique]]
66id = "T1546.004"
67name = "Unix Shell Configuration Modification"
68reference = "https://attack.mitre.org/techniques/T1546/004/"
69
70
71
72[rule.threat.tactic]
73id = "TA0003"
74name = "Persistence"
75reference = "https://attack.mitre.org/tactics/TA0003/"

References

Related rules

to-top