Bash Shell Profile Modification
Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/01/19"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/09/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files
13are executed in a user's context, either interactively or non-interactively, when a user logs in so that their
14environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content
15triggered by a user’s shell.
16"""
17false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
18from = "now-9m"
19index = ["logs-endpoint.events.*", "auditbeat-*"]
20language = "kuery"
21license = "Elastic License v2"
22name = "Bash Shell Profile Modification"
23references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"]
24risk_score = 47
25rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
26severity = "medium"
27tags = ["Domain: Endpoint",
28 "OS: macOS",
29 "OS: Linux",
30 "Use Case: Threat Detection",
31 "Tactic: Persistence",
32 "Data Source: Elastic Defend"
33 ]
34timestamp_override = "event.ingested"
35type = "query"
36
37query = '''
38event.category:file and event.type:change and
39 process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or
40 launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or
41 dnf-automatic or git or dpkg or platform-python)) and
42 not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and
43 file.path:(/private/etc/rc.local or
44 /etc/rc.local or
45 /home/*/.profile or
46 /home/*/.profile1 or
47 /home/*/.bash_profile or
48 /home/*/.bash_profile1 or
49 /home/*/.bashrc or
50 /Users/*/.bash_profile or
51 /Users/*/.zshenv)
52'''
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56
57[[rule.threat.technique]]
58id = "T1546"
59name = "Event Triggered Execution"
60reference = "https://attack.mitre.org/techniques/T1546/"
61
62[[rule.threat.technique.subtechnique]]
63id = "T1546.004"
64name = "Unix Shell Configuration Modification"
65reference = "https://attack.mitre.org/techniques/T1546/004/"
66
67[rule.threat.tactic]
68id = "TA0003"
69name = "Persistence"
70reference = "https://attack.mitre.org/tactics/TA0003/"
References
Related rules
- Modification of Standard Authentication Module or Configuration
- Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable
- Potential Non-Standard Port SSH connection
- EggShell Backdoor Execution
- Potential JAVA/JNDI Exploitation Attempt