LoFP / Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filters accordingly via "Image", by adding specific filenames you "trust", or by correlating the event with other events.

Techniques

Sample rules

Potentially Suspicious Shell Script Creation in Profile Folder

Description

Detects the creation of shell scripts under the “profile.d” path.

Detection logic

condition: selection
selection:
  TargetFilename|contains: /etc/profile.d/
  TargetFilename|endswith:
  - .csh
  - .sh
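The following is an added example, not part of the LoFP page or of the Sigma rule itself. It implements the `selection` above as a Python predicate, then applies the tuning the page recommends (an "Image" allow-list and a set of trusted filenames, which in Sigma would be a `filter` selection combined as `condition: selection and not filter`) over a handful of constructed file-creation events shaped like Sysmon-for-Linux FileCreate records. The trusted paths and filenames are illustrative assumptions, and two edge cases the rule's operators imply are exercised: Sigma string matching is case-insensitive by default, so an upper-case `.SH` still matches, and `|contains` (rather than a prefix match) means a copy of the directory under another tree also fires.

```python
# Added example: runs the Sigma 'selection' from the rule plus the
# LoFP-style allow-list tuning over constructed events. Event keys mirror
# Sysmon-for-Linux FileCreate fields (Image, TargetFilename); the sample
# events and the TRUSTED_* sets are assumptions for illustration only.

PROFILE_DIR = "/etc/profile.d/"
SCRIPT_SUFFIXES = (".csh", ".sh")

# Hypothetical allow-lists; tune these for your own environment.
TRUSTED_IMAGES = {"/usr/bin/dpkg", "/usr/bin/rpm"}
TRUSTED_FILENAMES = {"bash_completion.sh", "vte-2.91.sh"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # package manager dropping a vendor profile script: matches, but allow-listed
    {"Image": "/usr/bin/dpkg", "TargetFilename": "/etc/profile.d/bash_completion.sh"},
    # interactive shell writing a hidden script: matches and should alert
    {"Image": "/usr/bin/bash", "TargetFilename": "/etc/profile.d/.cache.sh"},
    # non-script file in the directory: no match
    {"Image": "/usr/bin/vim", "TargetFilename": "/etc/profile.d/README"},
    # upper-case extension: Sigma matching is case-insensitive, so it matches
    {"Image": "/usr/bin/curl", "TargetFilename": "/etc/profile.d/ZZ-UPDATE.SH"},
    # a copy of the tree elsewhere still satisfies TargetFilename|contains
    {"Image": "/usr/bin/cp", "TargetFilename": "/var/tmp/etc/profile.d/z.csh"},
]


def selection(event: dict) -> bool:
    """Sigma 'selection': TargetFilename|contains '/etc/profile.d/'
    AND TargetFilename|endswith '.csh' or '.sh' (case-insensitive)."""
    target = event.get("TargetFilename", "").lower()
    return PROFILE_DIR in target and target.endswith(SCRIPT_SUFFIXES)


def lofp_filter(event: dict,
                trusted_images=TRUSTED_IMAGES,
                trusted_filenames=TRUSTED_FILENAMES) -> bool:
    """The page's tuning as a Sigma-style 'filter': suppress events whose
    writing Image or whose basename is on an allow-list."""
    target = event.get("TargetFilename", "")
    basename = target.rsplit("/", 1)[-1]
    return event.get("Image") in trusted_images or basename in trusted_filenames


def matches(events) -> list:
    """TargetFilenames that satisfy the raw rule (condition: selection)."""
    return [e["TargetFilename"] for e in events if selection(e)]


def alerts(events) -> list:
    """TargetFilenames left after tuning (condition: selection and not filter)."""
    return [e["TargetFilename"] for e in events
            if selection(e) and not lofp_filter(e)]


if __name__ == "__main__":
    print("raw matches :", matches(SAMPLE_EVENTS))
    print("after filter:", alerts(SAMPLE_EVENTS))
```

Note that the allow-list is only as good as the telemetry it keys on: an attacker can write from a process named like a package manager, so correlating with the package manager's own transaction log (the page's third suggestion) is a stronger filter than trusting `Image` alone.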