LoFP / regular file creation during system update or software installation by the package manager

Techniques

Sample rules

Potentially Suspicious Shell Script Creation in Profile Folder

Description

Detects the creation of shell scripts under the “profile.d” path.

Detection logic

condition: selection
selection:
  TargetFilename|contains: /etc/profile.d/
  TargetFilename|endswith:
  - .csh
  - .sh
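
The selection above and the false positive this page is filed under, shown as an added example that is not part of the original rule or of the LoFP project. The `Image` field name, the package-manager process paths and all sample events are assumptions constructed for illustration.

```python
# Added example: the Sigma selection above, evaluated over constructed events.
PROFILE_DIR = "/etc/profile.d/"
SCRIPT_SUFFIXES = (".csh", ".sh")

# Assumption, not part of the rule: creating-process paths treated as package managers.
PACKAGE_MANAGER_IMAGES = {"/usr/bin/dpkg", "/usr/bin/rpm"}


def selection(event):
    """TargetFilename|contains AND TargetFilename|endswith (any listed suffix)."""
    # Sigma string matching is case-insensitive by default.
    name = event.get("TargetFilename", "").lower()
    return PROFILE_DIR in name and name.endswith(SCRIPT_SUFFIXES)


def triage(event):
    """Label an event: no_match, likely_false_positive, or review."""
    if not selection(event):
        return "no_match"
    # "Image" (creating process) is an assumed field name for this example.
    if event.get("Image") in PACKAGE_MANAGER_IMAGES:
        return "likely_false_positive"
    return "review"


# Constructed sample events, not taken from real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/dpkg", "TargetFilename": "/etc/profile.d/bash_completion.sh"},
    {"Image": "/usr/bin/rpm", "TargetFilename": "/etc/profile.d/lang.csh"},
    {"Image": "/usr/bin/vim", "TargetFilename": "/etc/profile.d/proxy.sh"},
    # "contains" also matches the path below a different root directory.
    {"Image": "/usr/bin/tar", "TargetFilename": "/srv/chroot/etc/profile.d/env.sh"},
    # Wrong extension, and a file next to (not inside) profile.d: no match.
    {"Image": "/usr/bin/vim", "TargetFilename": "/etc/profile.d/notes.txt"},
    {"Image": "/usr/bin/vim", "TargetFilename": "/etc/profile"},
]


def run(events=SAMPLE_EVENTS):
    return [(e["TargetFilename"], triage(e)) for e in events]


if __name__ == "__main__":
    for path, label in run():
        print(f"{label:22} {path}")
```

The likely_false_positive label is a triage hint only; whether to exclude those processes in the rule itself is a local tuning decision.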