Detect Unix Shell Configuration Modification in Google Chronicle
Adversaries may establish persistence through executing malicious commands triggered by a user's shell. User Unix shells execute several configuration scripts whenever a shell session is opened. Malicious content can be inserted into these shell configuration files — such as ~/.bashrc, ~/.bash_profile, ~/.bash_login, ~/.profile, /etc/profile, /etc/bashrc, ~/.zshrc, and ~/.zprofile — to execute adversary payloads when a user opens a terminal or logs in. The payload will execute in the user's context each time the shell is started.
MITRE ATT&CK
- Tactic: Privilege Escalation, Persistence
- Technique: T1546 Event Triggered Execution
- Sub-technique: T1546.004 Unix Shell Configuration Modification
- Canonical reference: https://attack.mitre.org/techniques/T1546/004/
YARA-L Detection Query

```yaral
rule unix_shell_config_modification {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of Unix shell configuration files for T1546.004 persistence"
    severity = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1546.004"
    reference = "https://attack.mitre.org/techniques/T1546/004/"

  events:
    ($e.metadata.event_type = "FILE_MODIFICATION" or $e.metadata.event_type = "FILE_CREATION")
    (
      re.regex($e.target.file.full_path, `(\.(bashrc|bash_profile|bash_login|profile|zshrc|zprofile|zshenv|zlogin|tcshrc|cshrc))$`) or
      re.regex($e.target.file.full_path, `^/etc/(profile\.d|bash_completion\.d)/`) or
      re.regex($e.target.file.full_path, `^/etc/(profile|bashrc|bash\.bashrc)$`) or
      re.regex($e.target.file.full_path, `\.config/fish/config\.fish$`)
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting creation or modification of Unix shell startup configuration files. Covers system-wide /etc/profile, /etc/bashrc, /etc/profile.d/, and per-user dotfiles for bash, zsh, tcsh, csh, and fish across all home directories using UDM FILE_MODIFICATION and FILE_CREATION event types.
Data Sources
Required Tables
False Positives & Tuning
- Linux distribution package upgrades installing or replacing /etc/profile.d/ environment scripts when upgrading system tools, compilers, or runtime environments (e.g., GCC, OpenJDK, CUDA)
- Container image layer build processes writing shell configuration files during Dockerfile RUN instructions in CI build environments, generating FILE_CREATION events at build time
- User-initiated dotfile synchronization workflows using version-controlled dotfile repositories (chezmoi, yadm, homesick) that apply updates to .bashrc, .zshrc, or .profile via script
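To check the rule's path logic and the tuning ideas above before touching the Chronicle rule itself, the following Python script is an added example (not the rule author's or Chronicle's code). It transcribes the four `re.regex()` patterns from the rule, evaluates constructed UDM-shaped events against them, and then applies one exclusion per false-positive source listed above. The process names, the `/home/` prefix check and the `ci-build-` hostname convention are assumptions made for this example; the sample events are constructed, not real telemetry.

```python
import re

# Path patterns transcribed from the rule's four re.regex() calls.
# Python's re accepts these RE2-style patterns unchanged; re.search() mirrors
# the unanchored substring semantics of YARA-L's re.regex().
SHELL_CONFIG_PATTERNS = [
    re.compile(r"(\.(bashrc|bash_profile|bash_login|profile|zshrc|zprofile|zshenv|zlogin|tcshrc|cshrc))$"),
    re.compile(r"^/etc/(profile\.d|bash_completion\.d)/"),
    re.compile(r"^/etc/(profile|bashrc|bash\.bashrc)$"),
    re.compile(r"\.config/fish/config\.fish$"),
]
RULE_EVENT_TYPES = {"FILE_MODIFICATION", "FILE_CREATION"}

# Tuning exclusions for the three false-positive sources. The process names and
# the hostname convention are assumptions for this example, not page values.
PACKAGE_MANAGERS = {"dpkg", "rpm", "apt", "apt-get", "yum", "dnf", "pacman"}
DOTFILE_TOOLS = {"chezmoi", "yadm", "homesick"}
CI_HOST_PREFIX = "ci-build-"


def rule_matches(event):
    """True when the event satisfies the rule's events section: a
    FILE_MODIFICATION or FILE_CREATION whose target path matches any pattern."""
    if event.get("event_type") not in RULE_EVENT_TYPES:
        return False
    path = event.get("target_path", "")
    return any(p.search(path) for p in SHELL_CONFIG_PATTERNS)


def tuned_verdict(event):
    """Classify an event as 'alert', 'suppressed' (matched, but explained by a
    tuning exclusion) or 'no_match' (the rule would not fire at all)."""
    if not rule_matches(event):
        return "no_match"
    proc = event.get("process_name", "")
    path = event["target_path"]
    # 1. Package upgrades replacing system-wide scripts under /etc/profile.d/
    if proc in PACKAGE_MANAGERS and path.startswith("/etc/profile.d/"):
        return "suppressed"
    # 2. Dotfile managers applying a user's own dotfiles under /home/
    if proc in DOTFILE_TOOLS and path.startswith("/home/"):
        return "suppressed"
    # 3. Container image builds on CI agents (assumed hostname convention)
    if event.get("hostname", "").startswith(CI_HOST_PREFIX):
        return "suppressed"
    return "alert"


# Constructed sample events shaped like the UDM fields the rule reads.
SAMPLE_EVENTS = [
    {"event_type": "FILE_MODIFICATION", "target_path": "/home/alice/.bashrc", "process_name": "bash", "hostname": "ws-01"},
    {"event_type": "FILE_CREATION", "target_path": "/etc/profile.d/custom-env.sh", "process_name": "tee", "hostname": "srv-02"},
    {"event_type": "FILE_CREATION", "target_path": "/etc/profile.d/jdk.sh", "process_name": "dpkg", "hostname": "srv-02"},
    {"event_type": "FILE_MODIFICATION", "target_path": "/home/bob/.zshrc", "process_name": "chezmoi", "hostname": "ws-03"},
    {"event_type": "FILE_MODIFICATION", "target_path": "/home/alice/.bashrc.bak", "process_name": "cp", "hostname": "ws-01"},
    {"event_type": "FILE_OPEN", "target_path": "/etc/profile", "process_name": "bash", "hostname": "ws-01"},
    {"event_type": "FILE_MODIFICATION", "target_path": "/root/.config/fish/config.fish", "process_name": "vim", "hostname": "srv-09"},
    {"event_type": "FILE_CREATION", "target_path": "/root/.profile", "process_name": "sh", "hostname": "ci-build-17"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (target_path, verdict) pairs for the supplied events."""
    return [(e["target_path"], tuned_verdict(e)) for e in events]


if __name__ == "__main__":
    for path, verdict in evaluate():
        print(f"{verdict:10s} {path}")
```

Two points worth noticing when running it: `.bashrc.bak` does not match because every dotfile pattern is anchored with `$`, and `/etc/profile` only matches through the third pattern (the first requires a leading dot), so a read-only FILE_OPEN of it is ignored as the rule intends. Exclusions are keyed on both process and path so that a package manager writing to a user's home, or a dotfile tool writing to /etc, still alerts.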
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Add Reverse Shell to .bashrc
  Expected signal: File modification event for ~/.bashrc. Process creation for bash with echo command. Auditd SYSCALL records with accompanying type=PATH records for the .bashrc file write. The reverse shell command in the file content is the key indicator.
- Test 2: Add Download Cradle to /etc/profile.d/
  Expected signal: File creation event for /etc/profile.d/argus-test.sh. Process creation for tee writing to /etc/profile.d/. Auditd records for the file creation in a privileged directory. The curl | bash pattern in the script content is the key indicator.
- Test 3: Modify .bash_profile to Add Malicious PATH
  Expected signal: File modification event for ~/.bash_profile. File creation events for ~/.local/bin/ls. The PATH modification in bash_profile is the persistence mechanism — every new shell session adds the attacker directory to PATH first.
Unlock Pro Content
Get the full detection package for T1546.004 including response playbook, investigation guide, and atomic red team tests.