rules/linux/auditd/lnx_auditd_alter_bash_profile.yml

title: Edit of .bash_profile and .bashrc
id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9
status: test
description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
author: Peter Matkovski
references:
  - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
date: 2019/05/12
modified: 2022/02/22
logsource:
  product: linux
  service: auditd
detection:
  selection:
    type: 'PATH'
    name:
      - '/root/.bashrc'
      - '/root/.bash_profile'
      - '/root/.profile'
      - '/home/*/.bashrc'
      - '/home/*/.bash_profile'
      - '/home/*/.profile'
      - '/etc/profile'
      - '/etc/shells'
      - '/etc/bashrc'
      - '/etc/csh.cshrc'
      - '/etc/csh.login'
  condition: selection
falsepositives:
  - Admin or User activity
level: medium
tags:
  - attack.s0003
  - attack.persistence
  - attack.t1546.004
fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00			`title: Edit of .bash_profile and .bashrc`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: e74e15cc-c4b6-4c80-b7eb-dfe49feb7fe9`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00			`description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`author: Peter Matkovski`
added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00			`references:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- 'MITRE Attack technique T1156; .bash_profile and .bashrc. '`
			`date: 2019/05/12`
Updated modified date 2022-02-22 12:48:41 -03:00			`modified: 2022/02/22`
added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00			`logsource:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`product: linux`
			`service: auditd`
added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00			`detection:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`selection:`
			`type: 'PATH'`
			`name:`
Added root user files 2022-02-21 10:15:48 -03:00			`- '/root/.bashrc'`
			`- '/root/.bash_profile'`
			`- '/root/.profile'`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- '/home/*/.bashrc'`
			`- '/home/*/.bash_profile'`
			`- '/home/*/.profile'`
			`- '/etc/profile'`
			`- '/etc/shells'`
			`- '/etc/bashrc'`
			`- '/etc/csh.cshrc'`
			`- '/etc/csh.login'`
			`condition: selection`
added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00			`falsepositives:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- Admin or User activity`
added rule .bash_profile and .bashrc T1156 2019-05-12 02:07:13 +02:00			`level: medium`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`tags:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- attack.s0003`
			`- attack.persistence`
			`- attack.t1546.004`