security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1156/T1156.md
T
CircleCI Atomic Red Team doc generator 91e86258e6 Generate docs from job=validate_atomics_generate_docs branch=master
2019-10-24 17:09:43 +00:00

2.5 KiB
Raw Blame History

T1156 - .bash_profile and .bashrc

Description from ATT&CK

~/.bash_profile and ~/.bashrc are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the ~/.bash_profile script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the ~/.bashrc script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment.

The macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling /.bash_profile each time instead of /.bashrc.

Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. Every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc scripts will be executed.(Citation: amnesia malware).

Atomic Tests


Atomic Test #1 - Add command to .bash_profile

Adds a command to the .bash_profile file of the current user

Supported Platforms: macOS, Linux

Inputs

Name Description Type Default Value
command_to_add Command to add to the .bash_profile file string /path/to/script.py

Run it with sh!

echo "#{command_to_add}" >> ~/.bash_profile


Atomic Test #2 - Add command to .bashrc

Adds a command to the .bashrc file of the current user

Supported Platforms: macOS, Linux

Inputs

Name Description Type Default Value
command_to_add Command to add to the .bashrc file string /path/to/script.py

Run it with sh!

echo "#{command_to_add}" >> ~/.bashrc

Reference in New Issue View Git Blame Copy Permalink