Unix Shell Configuration Modification
Detects modification of Unix shell configuration files (the system-wide profiles under /etc and the per-user dotfiles for root and /home users). Adversaries may establish persistence by placing malicious commands in these files so that they run every time a new shell is opened; because the system-wide files are sourced by every user's shell, including root's, the same change can also serve privilege escalation.
Log Source
Product: linux
Service: auditd
Detection Logic (one selector)

```yaml
detection:
    selection:
        type: 'PATH'
        name:
            - '/etc/shells'
            - '/etc/profile'
            - '/etc/profile.d/*'
            - '/etc/bash.bashrc'
            - '/etc/bashrc'
            - '/etc/zsh/zprofile'
            - '/etc/zsh/zshrc'
            - '/etc/zsh/zlogin'
            - '/etc/zsh/zlogout'
            - '/etc/csh.cshrc'
            - '/etc/csh.login'
            - '/root/.bashrc'
            - '/root/.bash_profile'
            - '/root/.profile'
            - '/root/.zshrc'
            - '/root/.zprofile'
            - '/home/*/.bashrc'
            - '/home/*/.zshrc'
            - '/home/*/.bash_profile'
            - '/home/*/.zprofile'
            - '/home/*/.profile'
            - '/home/*/.bash_login'
            - '/home/*/.bash_logout'
            - '/home/*/.zlogin'
            - '/home/*/.zlogout'
    condition: selection
```

False Positives
Administrator and user activity is expected to generate some false positives: package upgrades that rewrite the system-wide files or drop scripts into /etc/profile.d/, and users editing their own dotfiles. The selection matches any auditd PATH record carrying one of these names and does not inspect the syscall or the access type, so both coverage and noise depend on the audit rules feeding it: write/attribute watches (`-p wa`) on these paths report modifications only, whereas read auditing or broad syscall rules would fire on every interactive shell start that sources them.
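The selection above, run over raw auditd records, as an added example that is not part of the rule or of the Sigma project: a small Python matcher that groups SYSCALL, CWD and PATH records by event serial, applies the `type: PATH` plus `name` selection with Sigma's case-insensitive wildcard semantics, and additionally resolves relative `name` values against the event's CWD record (something the rule itself does not do). The audit lines, the audit key names `shell_config` and `etc_changes`, and the inode numbers are constructed for the example; the record layout follows auditd's raw audit.log format.

```python
"""Run the Sigma rule's PATH/name selection over raw auditd records (added example)."""
import fnmatch
import os.path
import re
from typing import Dict, List, Optional

# Patterns copied verbatim from the rule's `name` list. Sigma's `*` matches any run of
# characters, '/' included, and plain Sigma string matching is case-insensitive, so
# fnmatchcase over lower-cased strings reproduces the rule's semantics.
SHELL_CONFIG_PATTERNS = [
    "/etc/shells", "/etc/profile", "/etc/profile.d/*", "/etc/bash.bashrc", "/etc/bashrc",
    "/etc/zsh/zprofile", "/etc/zsh/zshrc", "/etc/zsh/zlogin", "/etc/zsh/zlogout",
    "/etc/csh.cshrc", "/etc/csh.login",
    "/root/.bashrc", "/root/.bash_profile", "/root/.profile", "/root/.zshrc", "/root/.zprofile",
    "/home/*/.bashrc", "/home/*/.zshrc", "/home/*/.bash_profile", "/home/*/.zprofile",
    "/home/*/.profile", "/home/*/.bash_login", "/home/*/.bash_logout",
    "/home/*/.zlogin", "/home/*/.zlogout",
]

# Raw audit.log layout: type=<T> msg=audit(<epoch>:<serial>): k=v k=v ...
HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# auditd writes these string fields unquoted and hex-encoded when they contain spaces,
# quotes or control bytes; `ausearch -i` decodes them, a raw-log pipeline must do it itself.
HEX_FIELDS = {"name", "cwd", "comm", "exe", "proctitle", "key"}


def decode_value(field: str, raw: str) -> str:
    """Strip quotes, or hex-decode an unquoted string field; leave everything else alone."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if field in HEX_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw  # e.g. (null), numbers, arch=c000003e


def parse_record(line: str) -> Dict[str, str]:
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an auditd record: {line!r}")
    rec = {"type": m["type"], "ts": m["ts"], "serial": m["serial"]}
    for key, raw in FIELD.findall(m["body"]):
        rec[key] = decode_value(key, raw)
    return rec


def group_events(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """One audit event = SYSCALL + CWD + PATH records sharing the same serial."""
    events: Dict[str, List[Dict[str, str]]] = {}
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events.setdefault(rec["serial"], []).append(rec)
    return events


def match_pattern(path: str) -> Optional[str]:
    """Return the first rule pattern matching `path`, mirroring the Sigma `name` list."""
    for pat in SHELL_CONFIG_PATTERNS:
        if fnmatch.fnmatchcase(path.lower(), pat.lower()):
            return pat
    return None


def detect(lines: List[str], resolve_cwd: bool = True) -> List[Dict[str, str]]:
    """Apply the `type: PATH` + `name` selection to every record. With resolve_cwd a
    relative PATH name is joined to the event's CWD record first (the rule does not)."""
    alerts = []
    for serial, recs in group_events(lines).items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        cwd = next((r.get("cwd") for r in recs if r["type"] == "CWD"), None)
        for rec in recs:
            name = rec.get("name")
            if rec["type"] != "PATH" or name in (None, "(null)"):
                continue
            resolved = name
            if resolve_cwd and cwd and not name.startswith("/"):
                resolved = os.path.normpath(os.path.join(cwd, name))
            pat = match_pattern(resolved)
            if pat:
                alerts.append({"serial": serial, "name": name, "resolved": resolved,
                               "pattern": pat, "nametype": rec.get("nametype", ""),
                               "comm": syscall.get("comm", ""), "auid": syscall.get("auid", ""),
                               "key": syscall.get("key", "")})
    return alerts


# Constructed sample audit.log excerpt (not captured from a real host), four events:
# 1001 root edits /etc/profile by absolute path; 1002 alice edits .bashrc by relative path,
# so auditd logs name=".bashrc" plus a CWD record; 1003 a script is created under
# /etc/profile.d/ with a space in its name, which auditd hex-encodes; 1004 an unrelated
# write to /etc/hosts that must not alert.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1678097123.101:1001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a2b0c10 a2=241 a3=1b6 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="shell_config"
type=CWD msg=audit(1678097123.101:1001): cwd="/root"
type=PATH msg=audit(1678097123.101:1001): item=0 name="/etc/" inode=1310721 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1678097123.101:1001): item=1 name="/etc/profile" inode=1311002 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1678097240.555:1002): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d1c0a3e2f0 a2=241 a3=1b6 items=1 ppid=2300 pid=2345 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="nano" exe="/usr/bin/nano" key="shell_config"
type=CWD msg=audit(1678097240.555:1002): cwd="/home/alice"
type=PATH msg=audit(1678097240.555:1002): item=0 name=".bashrc" inode=2621453 dev=fd:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1678097301.007:1003): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe10c4d8a0 a2=241 a3=1a4 items=2 ppid=3100 pid=3155 auid=1000 uid=0 gid=0 euid=0 tty=pts2 ses=7 comm="bash" exe="/usr/bin/bash" key="shell_config"
type=CWD msg=audit(1678097301.007:1003): cwd="/tmp"
type=PATH msg=audit(1678097301.007:1003): item=0 name="/etc/profile.d/" inode=1310900 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1678097301.007:1003): item=1 name=2F6574632F70726F66696C652E642F6D7920746F6F6C732E7368 inode=1311077 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1678097390.420:1004): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffc9b1e0d30 a2=241 a3=1b6 items=1 ppid=4000 pid=4011 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="sed" exe="/usr/bin/sed" key="etc_changes"
type=CWD msg=audit(1678097390.420:1004): cwd="/"
type=PATH msg=audit(1678097390.420:1004): item=0 name="/etc/hosts" inode=1310800 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(f'{a["serial"]} {a["comm"]:<5} auid={a["auid"]} {a["nametype"]:<7} '
              f'{a["name"]!r} -> {a["resolved"]} (matched {a["pattern"]})')
```

Two things the run shows that the rule text does not: a user who edits `.bashrc` from inside their home directory produces `name=".bashrc"`, which none of the absolute `/home/*/...` patterns match unless the pipeline joins it to the CWD record (`detect(..., resolve_cwd=False)` reproduces the rule's literal behaviour and misses event 1002); and a file created under `/etc/profile.d/` yields two matching PATH items, the directory's `PARENT` entry and the `CREATE` entry, so alerts should be de-duplicated per event serial. Which events reach the rule at all is decided by the audit configuration; write watches such as `auditctl -w /etc/profile -p wa -k shell_config` are the usual source.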
MITRE ATT&CK
Tactics: Persistence, Privilege Escalation
Technique: T1546.004 (Event Triggered Execution: Unix Shell Configuration Modification)
Related Rules
Similar: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
Rule Metadata
Rule ID
a94cdd87-6c54-4678-a6cc-2814ffe5a13d
Status
test
Level
medium
Type
Detection
Created
Mon Mar 06
Modified
Wed Mar 15
Author
Path
rules/linux/auditd/path/lnx_auditd_unix_shell_configuration_modification.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.t1546.004