Techniques
Sample rules
Unix Shell Configuration Modification
- source: sigma
- techniques:
  - t1546
  - t1546.004
Description
Detects modification of Unix shell configuration files. Adversaries may establish persistence by executing malicious commands that are triggered when a new shell is opened.
Detection logic
condition: selection
selection:
  name:
    - /etc/shells
    - /etc/profile
    - /etc/profile.d/*
    - /etc/bash.bashrc
    - /etc/bashrc
    - /etc/zsh/zprofile
    - /etc/zsh/zshrc
    - /etc/zsh/zlogin
    - /etc/zsh/zlogout
    - /etc/csh.cshrc
    - /etc/csh.login
    - /root/.bashrc
    - /root/.bash_profile
    - /root/.profile
    - /root/.zshrc
    - /root/.zprofile
    - /home/*/.bashrc
    - /home/*/.zshrc
    - /home/*/.bash_profile
    - /home/*/.zprofile
    - /home/*/.profile
    - /home/*/.bash_login
    - /home/*/.bash_logout
    - /home/*/.zlogin
    - /home/*/.zlogout
  type: PATH
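
Added example (not part of the Sigma rule or of this page's source): a Python evaluation of the selection above against constructed auditd PATH records, showing which names fire, that `*` also spans nested directories, and that hex-encoded names must be decoded before matching. Assumptions: auditd's usual key=value line layout, Sigma's `*` matching any run of characters including `/`, and auditd writing names that contain spaces as bare hex; the function names and sample records are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Name patterns copied from the rule's selection.
NAME_PATTERNS = [
    "/etc/shells", "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc",
    "/etc/bashrc", "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin",
    "/etc/zsh/zlogout", "/etc/csh.cshrc", "/etc/csh.login", "/root/.bashrc",
    "/root/.bash_profile", "/root/.profile", "/root/.zshrc", "/root/.zprofile",
    "/home/*/.bashrc", "/home/*/.zshrc", "/home/*/.bash_profile",
    "/home/*/.zprofile", "/home/*/.profile", "/home/*/.bash_login",
    "/home/*/.bash_logout", "/home/*/.zlogin", "/home/*/.zlogout",
]
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one auditd line into a field dict, decoding the name field."""
    fields = dict(FIELD.findall(line))
    name = fields.get("name")
    if name and name.startswith('"'):
        fields["name"] = name[1:-1]
    elif name and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", name):
        # Assumption: unquoted hex means auditd encoded a name with spaces
        fields["name"] = bytes.fromhex(name).decode("utf-8", "replace")
    return fields

def rule_matches(line):
    """Selection: type is PATH and name matches any listed pattern."""
    f = parse_record(line)
    return f.get("type") == "PATH" and any(
        fnmatchcase(f.get("name", ""), p) for p in NAME_PATTERNS)

# Constructed sample records (not real logs).
HEX_NAME = "/home/bob smith/.zshrc".encode().hex().upper()
P = 'type=PATH msg=audit(1700000000.101:501): item=1 name='
SAMPLES = [
    P + '"/home/alice/.bashrc" nametype=NORMAL',
    P + '"/etc/profile.d/zz-env.sh" nametype=CREATE',
    P + HEX_NAME + ' nametype=NORMAL',                    # hex-encoded name
    P + '"/home/alice/projects/demo/.profile" nametype=NORMAL',  # * spans "/"
    P + '"/home/alice/.bashrc.bak" nametype=NORMAL',      # no match
    P + '"/etc/passwd" nametype=NORMAL',                  # no match
    'type=SYSCALL msg=audit(1700000000.101:501): syscall=257 comm="vim"',
]

def matched_names():
    return [parse_record(l)["name"] for l in SAMPLES if rule_matches(l)]

if __name__ == "__main__":
    print("\n".join(matched_names()))
```

The fourth sample matches because the wildcard is not limited to one path component, so nested files named like a shell profile are a source of false positives to expect when tuning.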