Unix Shell Configuration Modification

Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.

Sigma rule

```yaml
title: Unix Shell Configuration Modification
id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d
related:
    - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
      type: obsolete
status: test
description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
references:
    - https://objective-see.org/blog/blog_0x68.html
    - https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
    - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
author: Peter Matkovski, IAI
date: 2023-03-06
modified: 2023-03-15
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.004
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name:
            - '/etc/shells'
            - '/etc/profile'
            - '/etc/profile.d/*'
            - '/etc/bash.bashrc'
            - '/etc/bashrc'
            - '/etc/zsh/zprofile'
            - '/etc/zsh/zshrc'
            - '/etc/zsh/zlogin'
            - '/etc/zsh/zlogout'
            - '/etc/csh.cshrc'
            - '/etc/csh.login'
            - '/root/.bashrc'
            - '/root/.bash_profile'
            - '/root/.profile'
            - '/root/.zshrc'
            - '/root/.zprofile'
            - '/home/*/.bashrc'
            - '/home/*/.zshrc'
            - '/home/*/.bash_profile'
            - '/home/*/.zprofile'
            - '/home/*/.profile'
            - '/home/*/.bash_login'
            - '/home/*/.bash_logout'
            - '/home/*/.zlogin'
            - '/home/*/.zlogout'
    condition: selection
falsepositives:
    - Admin or User activity are expected to generate some false positives
level: medium
```
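The rule's selection is a `type` check plus a list of Sigma wildcard patterns applied to the `name` field of auditd `PATH` records. The following Python is an added example, not part of the Sigma rule or SigmaHQ's tooling: it parses a few constructed auditd records, applies the same path list with the same matching semantics a Sigma backend would use (matching is case-insensitive by default, and `*` matches any run of characters, including `/`), and reports which pattern fired. The log lines, the `key="shell-config"` audit key and the `00-evil.sh` file name are constructed sample data, not values from the page.

```python
import fnmatch
import re
from typing import Dict, List, Optional, Tuple

# The "name" list from the rule's selection, in Sigma wildcard syntax.
WATCHED_PATHS = [
    "/etc/shells", "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc",
    "/etc/bashrc", "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin",
    "/etc/zsh/zlogout", "/etc/csh.cshrc", "/etc/csh.login", "/root/.bashrc",
    "/root/.bash_profile", "/root/.profile", "/root/.zshrc", "/root/.zprofile",
    "/home/*/.bashrc", "/home/*/.zshrc", "/home/*/.bash_profile",
    "/home/*/.zprofile", "/home/*/.profile", "/home/*/.bash_login",
    "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout",
]

# auditd records are space-separated key=value pairs; values may be double-quoted.
AUDIT_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Parse one auditd record into a dict, stripping surrounding double quotes.

    Names that auditd hex-encodes (unquoted, because they contain unprintable
    bytes) are returned as-is; decoding them is out of scope here.
    """
    fields: Dict[str, str] = {}
    for key, value in AUDIT_FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def matches_rule(record: Dict[str, str]) -> Optional[str]:
    """Return the first watched pattern the record matches, or None.

    Mirrors the rule's selection: type must be PATH and name must match one
    of the listed paths. Sigma string matching is case-insensitive by default,
    so both sides are lower-cased; fnmatchcase's '*' also crosses '/', which
    is the same wildcard semantics Sigma uses.
    """
    if record.get("type") != "PATH":
        return None
    name = record.get("name", "").lower()
    for pattern in WATCHED_PATHS:
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return pattern
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the detection over raw audit lines; return (name, pattern) hits."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_audit_record(line)
        pattern = matches_rule(rec)
        if pattern is not None:
            hits.append((rec["name"], pattern))
    return hits


# Constructed sample records (not real audit output).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1678118400.123:456): arch=c000003e syscall=257 '
    'success=yes exit=3 comm="bash" exe="/usr/bin/bash" key="shell-config"',
    'type=PATH msg=audit(1678118400.123:456): item=0 name="/etc/profile.d/00-evil.sh" '
    'inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=CREATE',
    'type=PATH msg=audit(1678118401.200:457): item=0 name="/home/alice/.bashrc" '
    'inode=5678 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL',
    'type=PATH msg=audit(1678118402.300:458): item=0 name="/home/alice/.ssh/authorized_keys" '
    'inode=9012 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL',
    'type=PATH msg=audit(1678118403.400:459): item=0 name="/etc/shells" '
    'inode=3456 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
]

if __name__ == "__main__":
    for name, pattern in scan(SAMPLE_LOG):
        print(f"ALERT name={name} matched {pattern}")
```

Two things the example makes visible that the rule text does not: a `/home/*/.bashrc` pattern also matches deeper paths such as `/home/alice/backup/.bashrc`, because Sigma's `*` is not path-aware; and the selection keys only on the `PATH` record, so reads of these files generate the same event as writes unless the audit watch itself is restricted to write/attribute changes, which is why the rule expects false positives from ordinary admin and user activity.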
