Unix Shell Configuration Modification

let ShellConfigPaths = dynamic([
    ".bashrc", ".bash_profile", ".bash_login", ".profile",
    ".zshrc", ".zprofile", ".zshenv", ".zlogin",
    ".tcshrc", ".cshrc",
    "profile", "bashrc", "bash.bashrc",
    ".config/fish/config.fish"
  ]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName has_any (ShellConfigPaths)
  or FolderPath has_any ("/etc/profile.d/", "/etc/bash_completion.d/")
| where ActionType in ("FileCreated", "FileModified")
| extend IsEtcFile = FolderPath startswith "/etc/"
| extend IsUserProfile = FolderPath has_any ("/home/", "/root/", "Users")
| project Timestamp, DeviceName, AccountName, ActionType, FileName, FolderPath,
         IsEtcFile, IsUserProfile,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc

index=syslog (sourcetype=syslog OR sourcetype=linux_secure OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval ShellConfig=if(
    match(source, "(\.bashrc|\.bash_profile|\.bash_login|\.profile|\.zshrc|\.zprofile|\.zshenv|/etc/profile|/etc/bashrc|profile\.d)"),
    1, 0
  )
| eval Auditd=if(sourcetype="linux_secure" AND match(_raw, "type=PATH"), 1, 0)
| where ShellConfig=1 OR (Auditd=1 AND match(_raw, "(\.bashrc|\.bash_profile|\.profile|\.zshrc)"))
| eval FilePath=coalesce(
    rex field=_raw "name=\"([^\"]+)\"",
    rex field=source "(/.*)"
  )
| eval IsSystemFile=if(match(FilePath, "^/etc/"), 1, 0)
| eval IsRootHome=if(match(FilePath, "^/root/"), 1, 0)
| table _time, host, user, FilePath, IsSystemFile, IsRootHome, sourcetype, _raw
| sort - _time

file where event.type in ("creation", "change") and
  (
    file.name in (".bashrc", ".bash_profile", ".bash_login", ".profile", ".zshrc", ".zprofile", ".zshenv", ".zlogin", ".tcshrc", ".cshrc", "bashrc", "bash.bashrc") or
    file.path : ("/etc/profile", "/etc/bashrc", "/etc/bash.bashrc") or
    file.path : ("/etc/profile.d/*", "/etc/bash_completion.d/*") or
    file.path : ("/root/.bashrc", "/root/.bash_profile", "/root/.bash_login", "/root/.profile", "/root/.zshrc", "/root/.zprofile", "/root/.zshenv") or
    file.path : ("/home/*/.bashrc", "/home/*/.bash_profile", "/home/*/.bash_login", "/home/*/.profile", "/home/*/.zshrc", "/home/*/.zprofile", "/home/*/.zshenv", "/home/*/.config/fish/config.fish")
  )

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  username AS "Username",
  LOGSOURCETYPENAME(devicetype) AS "Log Source Type",
  logsourcename(logsourceid) AS "Log Source",
  CASE
    WHEN UTF8(payload) ILIKE '/etc/%' THEN 'System'
    WHEN UTF8(payload) ILIKE '/root/%' THEN 'Root Home'
    ELSE 'User Home'
  END AS "File Scope",
  UTF8(payload) AS "Raw Event"
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%linux%'
  AND (
    UTF8(payload) ILIKE '%/.bashrc%'
    OR UTF8(payload) ILIKE '%/.bash_profile%'
    OR UTF8(payload) ILIKE '%/.bash_login%'
    OR UTF8(payload) ILIKE '%/.profile%'
    OR UTF8(payload) ILIKE '%/.zshrc%'
    OR UTF8(payload) ILIKE '%/.zprofile%'
    OR UTF8(payload) ILIKE '%/.zshenv%'
    OR UTF8(payload) ILIKE '%/.zlogin%'
    OR UTF8(payload) ILIKE '%/.tcshrc%'
    OR UTF8(payload) ILIKE '%/.cshrc%'
    OR UTF8(payload) ILIKE '%/etc/profile.d/%'
    OR UTF8(payload) ILIKE '%/etc/bash_completion.d/%'
    OR UTF8(payload) ILIKE '%/etc/profile%'
    OR UTF8(payload) ILIKE '%/etc/bashrc%'
    OR UTF8(payload) ILIKE '%.config/fish/config.fish%'
  )
  AND devicetime > DATEADD(HOURS, -24, NOW())
ORDER BY devicetime DESC

(_sourceCategory=*linux* OR _sourceCategory=*syslog* OR _sourceCategory=*auditd* OR _sourceCategory=*endpoint*)
| parse regex field=_raw "(?:name|path|file)=\"?(?<FilePath>[^\"|\s]+)\"?" nodrop
| parse regex field=_raw "type=PATH.*?name=\"(?<AuditPath>[^\"]+)\"" nodrop
| if (isNull(FilePath), AuditPath, FilePath) as FilePath
| where FilePath matches "*/.bashrc"
  OR FilePath matches "*/.bash_profile"
  OR FilePath matches "*/.bash_login"
  OR FilePath matches "*/.profile"
  OR FilePath matches "*/.zshrc"
  OR FilePath matches "*/.zprofile"
  OR FilePath matches "*/.zshenv"
  OR FilePath matches "*/.zlogin"
  OR FilePath matches "*/.tcshrc"
  OR FilePath matches "*/.cshrc"
  OR FilePath matches "/etc/profile.d/*"
  OR FilePath matches "/etc/bash_completion.d/*"
  OR FilePath = "/etc/profile"
  OR FilePath = "/etc/bashrc"
  OR FilePath = "/etc/bash.bashrc"
  OR FilePath matches "*/.config/fish/config.fish"
| if (FilePath matches "/etc/*", "true", "false") as IsSystemFile
| if (FilePath matches "/root/*", "true", "false") as IsRootHome
| count by _sourceHost, FilePath, IsSystemFile, IsRootHome
| sort by _count desc

rule unix_shell_config_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of Unix shell configuration files for T1546.004 persistence"
    severity = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1546.004"
    reference = "https://attack.mitre.org/techniques/T1546/004/"

  events:
    ($e.metadata.event_type = "FILE_MODIFICATION" or $e.metadata.event_type = "FILE_CREATION")
    (
      re.regex($e.target.file.full_path, `(\.(bashrc|bash_profile|bash_login|profile|zshrc|zprofile|zshenv|zlogin|tcshrc|cshrc))$`) or
      re.regex($e.target.file.full_path, `^/etc/(profile\.d|bash_completion\.d)/`) or
      re.regex($e.target.file.full_path, `^/etc/(profile|bashrc|bash\.bashrc)$`) or
      re.regex($e.target.file.full_path, `\.config/fish/config\.fish$`)
    )

  condition:
    $e
}

(#event_simpleName = "ProcessRollup2" OR #event_simpleName = "SyntheticProcessRollup2")
| CommandLine = /(>|>>|\btee\b|\bsed\b|\bawk\b|\becho\b|\bprintf\b|\bcat\b|\bcp\b|\bmv\b)/
| CommandLine = /(\.bashrc|\.bash_profile|\.bash_login|\.profile(?![_\w])|\.zshrc|\.zprofile|\.zshenv|\.zlogin|\.tcshrc|\.cshrc|\/etc\/profile|\/etc\/bashrc|profile\.d\/|bash_completion\.d\/|\.config\/fish\/config\.fish)/
| IsSystemConfig := if(CommandLine = /\/etc\//, "true", "false")
| IsRootConfig := if(CommandLine = /\/root\//, "true", "false")
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, IsSystemConfig, IsRootConfig],
    function=[
      count(as=EventCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(EventCount, order=desc)