1 line
7.6 MiB
JSON
{"type": "bundle", "id": "bundle--83dad14b-ae53-4473-9f95-5ae37c8eaa5d", "spec_version": "2.0", "objects": [{"x_mitre_data_sources": ["File monitoring", "Process monitoring", "Process command-line parameters", "Process use of network"], "x_mitre_permissions_required": ["User", "Administrator"], "name": ".bash_profile and .bashrc", "description": "<code>~/.bash_profile</code> and <code>~/.bashrc</code> are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. <code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the <code>~/.bash_profile</code> script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the <code>~/.bashrc</code> script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment. \n\nThe macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling <code>~/.bash_profile</code> each time instead of <code>~/.bashrc</code>.\n\nAdversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. 
Every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc scripts will be executed.(Citation: amnesia malware).", "id": "attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8", "x_mitre_platforms": ["Linux", "macOS"], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_version": "1.1", "type": "attack-pattern", "x_mitre_detection": "While users may customize their <code>~/.bashrc</code> and <code>~/.bash_profile</code> files , there are only certain types of commands that typically appear in these files. Monitor for abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network when user profiles are loaded during the login process.", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-12-14T16:46:06.044Z", "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}], "external_references": [{"external_id": "T1156", "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1156"}, {"source_name": "amnesia malware", "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"}], "modified": "2019-06-13T14:49:56.024Z"}, {"x_mitre_permissions_required": ["User", "Administrator"], "x_mitre_data_sources": ["API monitoring", "Access tokens", "Process monitoring", "Process command-line parameters"], "name": "Access Token Manipulation", "description": "Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. 
For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command <code>runas</code>.(Citation: Microsoft runas)\n \nAdversaries may use access tokens to operate under a different user or system security context to perform actions and evade detection. An adversary can use built-in Windows API functions to cop