Unix Shell Configuration Modification

 1title: Unix Shell Configuration Modification
 2id: a94cdd87-6c54-4678-a6cc-2814ffe5a13d
 3related:
 4    - id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
 5      type: obsoletes
 6status: test
 7description: Detect unix shell configuration modification. Adversaries may establish persistence through executing malicious commands triggered when a new shell is opened.
 8references:
 9    - https://objective-see.org/blog/blog_0x68.html
10    - https://www.glitch-cat.com/p/green-lambert-and-attack
11    - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
12author: Peter Matkovski, IAI
13date: 2023/03/06
14modified: 2023/03/15
15tags:
16    - attack.persistence
17    - attack.t1546.004
18logsource:
19    product: linux
20    service: auditd
21detection:
22    selection:
23        type: 'PATH'
24        name:
25            - '/etc/shells'
26            - '/etc/profile'
27            - '/etc/profile.d/*'
28            - '/etc/bash.bashrc'
29            - '/etc/bashrc'
30            - '/etc/zsh/zprofile'
31            - '/etc/zsh/zshrc'
32            - '/etc/zsh/zlogin'
33            - '/etc/zsh/zlogout'
34            - '/etc/csh.cshrc'
35            - '/etc/csh.login'
36            - '/root/.bashrc'
37            - '/root/.bash_profile'
38            - '/root/.profile'
39            - '/root/.zshrc'
40            - '/root/.zprofile'
41            - '/home/*/.bashrc'
42            - '/home/*/.zshrc'
43            - '/home/*/.bash_profile'
44            - '/home/*/.zprofile'
45            - '/home/*/.profile'
46            - '/home/*/.bash_login'
47            - '/home/*/.bash_logout'
48            - '/home/*/.zlogin'
49            - '/home/*/.zlogout'
50    condition: selection
51falsepositives:
52    - Admin or User activity are expected to generate some false positives
53level: medium

References

• Made In America: Green Lambert for OS X

  

  Made In America: Green Lambert for OS X by: Runa Sandvik / October 1, 2021 This guest blog post, was written by Runa Sandvik, a noted security researcher who works on digital security for journalis...

  
  Read More

• https://www.glitch-cat.com/p/green-lambert-and-attack

  
  Read More

• Pulling Linux Rabbit/Rabbot Malware Out of a Hat | Anomali

  

  Cyber threat researchers from Anomali Labs have discovered a new malware, called “Linux Rabbit and Rabbot,” that targeted Linux servers and IoT devices.

  
  Read More

Related rules

• App Granted Privileged Delegated Or App Permissions
• Aruba Network Service Potential DLL Sideloading
• BITS Transfer Job Download From Direct IP
• BITS Transfer Job Download To Potential Suspicious Folder
• BITS Transfer Job Downloading File Potential Suspicious Extension