LoFP / legitimate user shell modification activity.

Sample rules

Shell Configuration Modification

Description

This rule monitors the creation or modification of a shell configuration file by a previously unknown process executable, using the new terms rule type. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence on the system. This behavior is consistent with the Kaiji malware family.

Detection logic

event.category:file and host.os.type:linux and
event.action:(creation or file_create_event or rename or file_rename_event) and file.path:(
  "/etc/profile" or "/etc/profile.local" or "/etc/bashrc" or "/etc/bash.bashrc" or "/etc/bash.bashrc.local" or
  "/etc/zshenv" or "/etc/zprofile" or "/etc/zlogin" or "/etc/zlogout" or "/root/.profile" or "/root/.bash_logout" or
  "/root/.bashrc" or "/root/.bash_login" or /etc/profile.d/* or /home/*/.profile or /home/*/.bash_logout or
  /home/*/.bashrc or /home/*/.bash_login
) and not (
  (process.executable: (
    "/bin/dpkg" or "/usr/bin/dpkg" or "/bin/useradd" or "/usr/sbin/useradd" or "/bin/adduser" or "/usr/sbin/adduser" or
    "/bin/dockerd" or "/usr/bin/dockerd" or "/bin/microdnf" or "/usr/bin/microdnf" or "/bin/rpm" or "/usr/bin/rpm" or
    "/bin/snapd" or "/usr/bin/snapd" or "/bin/yum" or "/usr/bin/yum" or "/bin/dnf" or "/usr/bin/dnf" or "/bin/podman" or
    "/usr/bin/podman" or "/bin/dnf-automatic" or "/usr/bin/dnf-automatic" or "/bin/pacman" or "/usr/bin/pacman"
  )) or
  (file.extension:("swp" or "swpx")) or
  (process.executable:("/bin/sed" or "/usr/bin/sed") and file.name:sed*) or
  (process.executable:("/bin/perl" or "/usr/bin/perl") and file.name:e2scrub_all.tmp*)
)
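To see how the query's include and exclude clauses combine on concrete events, here is an added Python re-implementation of the rule's logic (example code written for this page, not part of the LoFP entry or of the Elastic rule). The flat ECS-style dictionaries and the sample events are constructed; the "new terms" behaviour (alerting only on a process.executable not seen before) is assumed to be handled upstream and is not modelled.

```python
import fnmatch

# Paths and wildcard patterns copied from the rule's file.path clause.
WATCHED_PATHS = {
    "/etc/profile", "/etc/profile.local", "/etc/bashrc", "/etc/bash.bashrc",
    "/etc/bash.bashrc.local", "/etc/zshenv", "/etc/zprofile", "/etc/zlogin",
    "/etc/zlogout", "/root/.profile", "/root/.bash_logout", "/root/.bashrc", "/root/.bash_login",
}
WATCHED_GLOBS = ["/etc/profile.d/*", "/home/*/.profile", "/home/*/.bash_logout",
                 "/home/*/.bashrc", "/home/*/.bash_login"]
ACTIONS = {"creation", "file_create_event", "rename", "file_rename_event"}
# Package managers and account tools the rule trusts, exactly as listed in the query.
EXCLUDED_EXECUTABLES = {
    "/bin/dpkg", "/usr/bin/dpkg", "/bin/useradd", "/usr/sbin/useradd", "/bin/adduser", "/usr/sbin/adduser",
    "/bin/dockerd", "/usr/bin/dockerd", "/bin/microdnf", "/usr/bin/microdnf", "/bin/rpm", "/usr/bin/rpm",
    "/bin/snapd", "/usr/bin/snapd", "/bin/yum", "/usr/bin/yum", "/bin/dnf", "/usr/bin/dnf", "/bin/podman",
    "/usr/bin/podman", "/bin/dnf-automatic", "/usr/bin/dnf-automatic", "/bin/pacman", "/usr/bin/pacman",
}

def matches_rule(event: dict) -> bool:
    """True when a flattened ECS-style event satisfies the query above."""
    if event.get("event.category") != "file" or event.get("host.os.type") != "linux":
        return False
    if event.get("event.action") not in ACTIONS:
        return False
    path = event.get("file.path", "")
    # The query's '*' is a wildcard; fnmatch's '*' (which also spans '/') stands in for it here.
    if path not in WATCHED_PATHS and not any(fnmatch.fnmatchcase(path, g) for g in WATCHED_GLOBS):
        return False
    exe, name = event.get("process.executable", ""), event.get("file.name", "")
    # Exclusions: trusted tools, editor swap files, sed/perl temporary files.
    if exe in EXCLUDED_EXECUTABLES or event.get("file.extension") in ("swp", "swpx"):
        return False
    if exe in ("/bin/sed", "/usr/bin/sed") and name.startswith("sed"):
        return False
    if exe in ("/bin/perl", "/usr/bin/perl") and name.startswith("e2scrub_all.tmp"):
        return False
    return True

def alerting_paths(events: list) -> list:
    return [e["file.path"] for e in events if matches_rule(e)]  # file.path of every hit, in order

_BASE = {"event.category": "file", "host.os.type": "linux"}  # constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    dict(_BASE, **{"event.action": "creation", "file.path": "/home/alice/.bashrc",
                   "file.name": ".bashrc", "process.executable": "/usr/bin/curl"}),
    dict(_BASE, **{"event.action": "file_create_event", "file.path": "/etc/bash.bashrc",
                   "file.name": "bash.bashrc", "process.executable": "/usr/bin/dpkg"}),
    dict(_BASE, **{"event.action": "creation", "file.path": "/home/alice/.zshrc",
                   "file.name": ".zshrc", "process.executable": "/usr/bin/vim"}),
]
```

Only the first sample surfaces: the dpkg write is excluded as a trusted package manager, and the third never matches because the per-user patterns in the query cover bash files only, not /home/*/.zshrc.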