Unix Shell Configuration Modification

 1title: Unix Shell Configuration Modification
 2id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d
 3related:
 4    - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
 5      type: obsolete
 6status: test
 7description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
 8references:
 9    - https://objective-see.org/blog/blog_0x68.html
10    - https://web.archive.org/web/20221204161143/https://www.glitch-cat.com/p/green-lambert-and-attack
11    - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
12author: Peter Matkovski, IAI
13date: 2023-03-06
14modified: 2023-03-15
15tags:
16    - attack.persistence
17    - attack.t1546.004
18logsource:
19    product: linux
20    service: auditd
21detection:
22    selection:
23        type: 'PATH'
24        name:
25            - '/etc/shells'
26            - '/etc/profile'
27            - '/etc/profile.d/*'
28            - '/etc/bash.bashrc'
29            - '/etc/bashrc'
30            - '/etc/zsh/zprofile'
31            - '/etc/zsh/zshrc'
32            - '/etc/zsh/zlogin'
33            - '/etc/zsh/zlogout'
34            - '/etc/csh.cshrc'
35            - '/etc/csh.login'
36            - '/root/.bashrc'
37            - '/root/.bash_profile'
38            - '/root/.profile'
39            - '/root/.zshrc'
40            - '/root/.zprofile'
41            - '/home/*/.bashrc'
42            - '/home/*/.zshrc'
43            - '/home/*/.bash_profile'
44            - '/home/*/.zprofile'
45            - '/home/*/.profile'
46            - '/home/*/.bash_login'
47            - '/home/*/.bash_logout'
48            - '/home/*/.zlogin'
49            - '/home/*/.zlogout'
50    condition: selection
51falsepositives:
52    - Admin or User activity are expected to generate some false positives
53level: medium

References

• Made In America: Green Lambert for OS X

  

  Made In America: Green Lambert for OS X by: Runa Sandvik / October 1, 2021 This guest blog post, was written by Runa Sandvik, a noted security researcher who works on digital security for journalis...

  
  Read More

• Green Lambert and ATT&CK

  

  On October 1, I gave a talk at Objective By The Sea about a CIA implant called Green Lambert. The recording is available on YouTube and the written post on Objective-See's blog. Inspired by a talk Adam Pennington and Cat Self gave about ATT&CK for macOS

  
  Read More

• Pulling Linux Rabbit/Rabbot Malware Out of a Hat

  

  Cyber threat researchers from Anomali Labs have discovered a new malware, called “Linux Rabbit and Rabbot,” that targeted Linux servers and IoT devices.

  
  Read More

Related rules

• A Member Was Added to a Security-Enabled Global Group
• A Member Was Removed From a Security-Enabled Global Group
• A New Trust Was Created To A Domain
• A Security-Enabled Global Group Was Deleted
• AWS ECS Task Definition That Queries The Credential Endpoint