IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Base16 or Base32 Encoding/Decoding Activity Binary Content Copy via Cmd.exe »

› › ›

Bash Shell Profile Modification

edit

Bash Shell Profile Modification

edit

Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user’s context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell.

Rule type: query

Rule indices:

logs-endpoint.events.*
auditbeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat

Tags:

Domain: Endpoint
OS: macOS
OS: Linux
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend

Version: 104

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

event.category:file and event.type:change and
  process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or
  launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or
  dnf-automatic or git or dpkg or platform-python)) and
  not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and
  file.path:(/private/etc/rc.local or
             /etc/rc.local or
             /home/*/.profile or
             /home/*/.profile1 or
             /home/*/.bash_profile or
             /home/*/.bash_profile1 or
             /home/*/.bashrc or
             /Users/*/.bash_profile or
             /Users/*/.zshenv)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Event Triggered Execution
- ID: T1546
- Reference URL: https://attack.mitre.org/techniques/T1546/
Sub-technique:
- Name: Unix Shell Configuration Modification
- ID: T1546.004
- Reference URL: https://attack.mitre.org/techniques/T1546/004/

« Base16 or Base32 Encoding/Decoding Activity Binary Content Copy via Cmd.exe »