SigmaHQ/rules/linux/auditd/lnx_auditd_alter_bash_profile.yml

title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems
status: experimental
description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.
references:
    - 'MITRE Attack technique T1156; .bash_profile and .bashrc. '
date: 2019/05/12
tags:
    - attack.s0003
    - attack.t1156
    - attack.persistence
author: Peter Matkovski
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'PATH'
        name:
            - '/home/*/.bashrc'
            - '/home/*/.bash_profile' 
            - '/home/*/.profile'
            - '/etc/profile'
            - '/etc/shells'
            - '/etc/bashrc'
            - '/etc/csh.cshrc'
            - '/etc/csh.login'
    condition: selection
falsepositives:
    - Admin or User activity
level: medium
added rule .bash_profile and .bashrc T1156 2019-05-12 00:07:13 +00:00			`title: Detects Suspicious edit of .bash_profile and .bashrc on Linux systems`
			`status: experimental`
			`description: Detects change of user environment. Adversaries can insert code into these files to gain persistence each time a user logs in or opens a new shell.`
			`references:`
			`- 'MITRE Attack technique T1156; .bash_profile and .bashrc. '`
			`date: 2019/05/12`
			`tags:`
fixed attack category number 2->3 2019-05-12 09:59:13 +00:00			`- attack.s0003`
added rule .bash_profile and .bashrc T1156 2019-05-12 00:07:13 +00:00			`- attack.t1156`
			`- attack.persistence`
			`author: Peter Matkovski`
			`logsource:`
			`product: linux`
			`service: auditd`
			`detection:`
			`selection:`
			`type: 'PATH'`
			`name:`
			`- '/home/*/.bashrc'`
			`- '/home/*/.bash_profile'`
			`- '/home/*/.profile'`
			`- '/etc/profile'`
			`- '/etc/shells'`
			`- '/etc/bashrc'`
			`- '/etc/csh.cshrc'`
			`- '/etc/csh.login'`
			`condition: selection`
			`falsepositives:`
			`- Admin or User activity`
			`level: medium`