Potentially Suspicious Shell Script Creation in Profile Folder
Detects the creation of shell scripts under the "profile.d" path.
Sigma rule

```yaml
title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: test
description: Detects the creation of shell scripts under the "profile.d" path.
references:
  - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
  - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
  - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
  - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023/06/02
tags:
  - attack.persistence
logsource:
  product: linux
  category: file_event
detection:
  selection:
    TargetFilename|contains: '/etc/profile.d/'
    TargetFilename|endswith:
      - '.csh'
      - '.sh'
  condition: selection
falsepositives:
  - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filter accordingly via "image", by adding specific filenames you "trust" or by correlating it with other events.
  - Regular file creation during system update or software installation by the package manager
level: low # Can be increased to a higher level after some tuning
```
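As an added example (not part of the rule or of the Sigma project), the selection block above is evaluated in plain Python over a few constructed Linux file_event records, followed by the Image- and filename-based tuning the falsepositives section recommends; the package-manager paths in TRUSTED_IMAGES and the entry in TRUSTED_FILENAMES are assumptions standing in for values an operator would vet locally.

```python
# Added example: evaluates the rule's 'selection' block in plain Python over
# constructed file_event records, then applies the tuning the rule's
# falsepositives section suggests (filter by Image or by trusted filenames).

# Constructed sample events (field names follow Sigma's file_event taxonomy).
SAMPLE_EVENTS = [
    {"TargetFilename": "/etc/profile.d/zz-update.sh", "Image": "/usr/bin/bash"},
    {"TargetFilename": "/etc/profile.d/vte.csh", "Image": "/usr/bin/dpkg"},
    {"TargetFilename": "/etc/profile.d/README", "Image": "/usr/bin/bash"},
    {"TargetFilename": "/home/user/profile.d/x.sh", "Image": "/usr/bin/bash"},
    {"TargetFilename": "/etc/profile.d/lang.sh", "Image": "/usr/bin/rpm"},
]

# Assumptions for the tuning step: package-manager images and one filename
# an operator has vetted; adjust both sets to your own environment.
TRUSTED_IMAGES = {"/usr/bin/dpkg", "/usr/bin/rpm"}
TRUSTED_FILENAMES = {"/etc/profile.d/lang.sh"}


def selection_matches(event):
    """Mirror of the rule's selection: TargetFilename|contains '/etc/profile.d/'
    AND TargetFilename|endswith one of ['.csh', '.sh'].
    Sigma string matching is case-insensitive by default, hence lower()."""
    target = event.get("TargetFilename", "").lower()
    return "/etc/profile.d/" in target and target.endswith((".csh", ".sh"))


def tuned_match(event, trusted_images=TRUSTED_IMAGES,
                trusted_filenames=TRUSTED_FILENAMES):
    """Selection plus the filters the falsepositives section recommends."""
    if not selection_matches(event):
        return False
    if event.get("Image") in trusted_images:
        return False
    return event["TargetFilename"] not in trusted_filenames


def run_rule(events, tuned=False):
    """Return the TargetFilename of every event the (optionally tuned) rule fires on."""
    predicate = tuned_match if tuned else selection_matches
    return [e["TargetFilename"] for e in events if predicate(e)]


if __name__ == "__main__":
    print("raw:  ", run_rule(SAMPLE_EVENTS))
    print("tuned:", run_rule(SAMPLE_EVENTS, tuned=True))
```

The untuned pass fires on every .sh/.csh creation under /etc/profile.d/, including the two package-manager writes; the tuned pass keeps only the script written by an untrusted image.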