security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
322162f097a12e8a468a8b42d86a00a8a71fec66
sigma-rules/rules/cross-platform/persistence_shell_profile_modification.toml
T
shashank-elastic 63e91c2f12 Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30

72 lines
2.4 KiB
TOML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
[metadata]
creation_date = "2021/01/19"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
[rule]
author = ["Elastic"]
description = """
Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files
are executed in a user's context, either interactively or non-interactively, when a user logs in so that their
environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content
triggered by a users shell.
"""
false_positives = ["Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required."]
from = "now-9m"
index = ["logs-endpoint.events.*", "auditbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Bash Shell Profile Modification"
references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat"]
risk_score = 47
rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
severity = "medium"
tags = [
"Domain: Endpoint",
"OS: macOS",
"OS: Linux",
"Use Case: Threat Detection",
"Tactic: Persistence",
"Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and event.type:change and
process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or
launchctl or java or dnf or tailwatchd or ldconfig or yum or semodule or cpanellogd or dockerd or authselect or chmod or
dnf-automatic or git or dpkg or platform-python)) and
not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/* or /opt/saltstack/salt/bin/*) and
file.path:(/private/etc/rc.local or
/etc/rc.local or
/home/*/.profile or
/home/*/.profile1 or
/home/*/.bash_profile or
/home/*/.bash_profile1 or
/home/*/.bashrc or
/Users/*/.bash_profile or
/Users/*/.zshenv)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.004"
name = "Unix Shell Configuration Modification"
reference = "https://attack.mitre.org/techniques/T1546/004/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink