Potentially Suspicious Shell Script Creation in Profile Folder
Detects the creation of shell scripts under the "profile.d" path.
Sigma rule
title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: test
description: Detects the creation of shell scripts under the "profile.d" path.
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.persistence
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains: '/etc/profile.d/'
        TargetFilename|endswith:
            - '.csh'
            - '.sh'
    condition: selection
falsepositives:
    - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filters accordingly via "image", by adding specific filenames you "trust", or by correlating it with other events.
    - Regular file creation during system update or software installation by the package manager
level: low # Can be increased to a higher level after some tuning
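The selection above is two string tests on TargetFilename joined by AND, with the endswith list acting as OR. The script below is an added example, not part of the Sigma project or the rule author's material: it re-implements that selection in Python, runs it over a handful of constructed file_event records shaped like Sysmon for Linux FileCreate entries, and adds the kind of tuning filter the falsepositives notes suggest (a trusted-image list and a trusted-filename list). The trusted image paths and filenames are assumed illustrative values, not part of the rule.

```python
"""Added example (not the Sigma project's code): evaluate the rule's
'selection' and an optional tuning filter over constructed file_event records."""
import json
from pathlib import PurePosixPath

PROFILE_DIR = "/etc/profile.d/"
SUSPECT_SUFFIXES = (".csh", ".sh")

# Assumed tuning lists in the spirit of the rule's falsepositives notes.
# Illustrative values only; adjust to the package managers and scripts in your estate.
TRUSTED_IMAGES = {"/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/apt", "/usr/bin/yum"}
TRUSTED_FILENAMES = {"bash_completion.sh", "lang.sh", "vim.sh"}


def matches_selection(event: dict) -> bool:
    """Mirror the rule's selection: TargetFilename contains '/etc/profile.d/'
    AND ends with '.csh' OR '.sh'. Sigma string modifiers are case-insensitive
    by default, so the comparison is done on the lower-cased path."""
    target = event.get("TargetFilename", "").lower()
    return PROFILE_DIR in target and target.endswith(SUSPECT_SUFFIXES)


def is_tuned_out(event: dict) -> bool:
    """Optional post-filter: drop hits written by a trusted package-manager
    image, or hits whose basename is on the trusted-filename list."""
    target = event.get("TargetFilename", "")
    return (event.get("Image") in TRUSTED_IMAGES
            or PurePosixPath(target).name in TRUSTED_FILENAMES)


def evaluate(events, tuned: bool = False) -> list:
    """Return the TargetFilename of every event the rule would alert on;
    with tuned=True, apply the trusted-image/filename filter as well."""
    hits = []
    for ev in events:
        if not matches_selection(ev):
            continue
        if tuned and is_tuned_out(ev):
            continue
        hits.append(ev["TargetFilename"])
    return hits


# Constructed sample events (not real telemetry), loosely shaped like
# Sysmon for Linux FileCreate (EventID 11) records.
SAMPLE_EVENTS_JSON = """
[
 {"EventID": 11, "Image": "/usr/bin/dpkg",  "TargetFilename": "/etc/profile.d/bash_completion.sh"},
 {"EventID": 11, "Image": "/tmp/.x/loader", "TargetFilename": "/etc/profile.d/.update.sh"},
 {"EventID": 11, "Image": "/bin/bash",      "TargetFilename": "/etc/profile.d/colors.csh"},
 {"EventID": 11, "Image": "/usr/bin/vim",   "TargetFilename": "/etc/profile.d/README"},
 {"EventID": 11, "Image": "/bin/bash",      "TargetFilename": "/home/user/profile.d/test.sh"}
]
"""
SAMPLE_EVENTS = json.loads(SAMPLE_EVENTS_JSON)

if __name__ == "__main__":
    print("raw hits:  ", evaluate(SAMPLE_EVENTS))
    print("tuned hits:", evaluate(SAMPLE_EVENTS, tuned=True))
```

Running it shows why the rule ships at level low: the untuned selection fires on the package manager's bash_completion.sh just as it does on the loader writing a hidden .update.sh, while the README (no script suffix) and the look-alike path outside /etc/profile.d/ are ignored. The tuned pass keeps only the two hits that neither a trusted image nor a trusted filename explains, which is the point at which the level could reasonably be raised.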