Potentially Suspicious Shell Script Creation in Profile Folder

Detects the creation of shell scripts under the "profile.d" path.

Sigma rule

title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: test
description: Detects the creation of shell scripts under the "profile.d" path.
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023/06/02
tags:
    - attack.persistence
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains: '/etc/profile.d/'
        TargetFilename|endswith:
            - '.csh'
            - '.sh'
    condition: selection
falsepositives:
    - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
    - Regular file creation during system update or software installation by the package manager
level: low # Can be increased to a higher level after some tuning
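The selection logic above, as an added example that is not part of the rule or the Sigma project: a Python re-implementation of the match run over constructed file_event records, including the creating-process ("image") and trusted-filename tuning the falsepositives section suggests. The `Image` field name, the allowlist values and the sample events are assumptions, not taken from the page.

```python
# Added example: mirrors the Sigma selection (contains + endswith, ANDed) and
# the tuning suggested under falsepositives, then runs it over constructed events.
from dataclasses import dataclass

PROFILE_D = "/etc/profile.d/"
SCRIPT_SUFFIXES = (".csh", ".sh")

# Hypothetical allowlists implementing the falsepositives advice: creating
# processes (package managers) and specific filenames the analyst trusts.
TRUSTED_IMAGES = {"/usr/bin/dpkg", "/usr/bin/rpm"}
TRUSTED_FILENAMES = {"/etc/profile.d/bash_completion.sh"}


@dataclass
class FileEvent:
    target_filename: str  # Sigma field TargetFilename (from the rule)
    image: str            # creating process; field name assumed (Sigma file_event "Image")


def rule_matches(ev: FileEvent) -> bool:
    """Sigma string modifiers are case-insensitive by default, so compare lowercased."""
    name = ev.target_filename.lower()
    return PROFILE_D in name and name.endswith(SCRIPT_SUFFIXES)


def should_alert(ev: FileEvent) -> bool:
    """Rule match after applying the Image / filename allowlists."""
    if not rule_matches(ev):
        return False
    if ev.image in TRUSTED_IMAGES or ev.target_filename in TRUSTED_FILENAMES:
        return False
    return True


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("/etc/profile.d/z99-update.sh", "/usr/bin/bash"),         # match, not tuned out
    FileEvent("/etc/profile.d/lang.csh", "/usr/bin/rpm"),               # match, package manager
    FileEvent("/etc/profile.d/bash_completion.sh", "/usr/bin/bash"),    # match, trusted filename
    FileEvent("/etc/profile.d/vte.conf", "/usr/bin/bash"),              # wrong suffix
    FileEvent("/home/user/profile.d/x.sh", "/usr/bin/bash"),            # wrong directory
]


def alerts(events=SAMPLE_EVENTS) -> list[str]:
    """Filenames that survive both the rule and the tuning."""
    return [ev.target_filename for ev in events if should_alert(ev)]


if __name__ == "__main__":
    print(alerts())  # ['/etc/profile.d/z99-update.sh']
```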
