Detect Unix Shell Configuration Modification in IBM QRadar
Adversaries may establish persistence through executing malicious commands triggered by a user's shell. User Unix shells execute several configuration scripts whenever a shell session is opened. Malicious content can be inserted into these shell configuration files — such as ~/.bashrc, ~/.bash_profile, ~/.bash_login, ~/.profile, /etc/profile, /etc/bashrc, ~/.zshrc, and ~/.zprofile — to execute adversary payloads when a user opens a terminal or logs in. The payload will execute in the user's context each time the shell is started.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.004 Unix Shell Configuration Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1546/004/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
sourceip AS "Source IP",
username AS "Username",
LOGSOURCETYPENAME(devicetype) AS "Log Source Type",
logsourcename(logsourceid) AS "Log Source",
CASE
WHEN UTF8(payload) ILIKE '/etc/%' THEN 'System'
WHEN UTF8(payload) ILIKE '/root/%' THEN 'Root Home'
ELSE 'User Home'
END AS "File Scope",
UTF8(payload) AS "Raw Event"
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) ILIKE '%linux%'
AND (
UTF8(payload) ILIKE '%/.bashrc%'
OR UTF8(payload) ILIKE '%/.bash_profile%'
OR UTF8(payload) ILIKE '%/.bash_login%'
OR UTF8(payload) ILIKE '%/.profile%'
OR UTF8(payload) ILIKE '%/.zshrc%'
OR UTF8(payload) ILIKE '%/.zprofile%'
OR UTF8(payload) ILIKE '%/.zshenv%'
OR UTF8(payload) ILIKE '%/.zlogin%'
OR UTF8(payload) ILIKE '%/.tcshrc%'
OR UTF8(payload) ILIKE '%/.cshrc%'
OR UTF8(payload) ILIKE '%/etc/profile.d/%'
OR UTF8(payload) ILIKE '%/etc/bash_completion.d/%'
OR UTF8(payload) ILIKE '%/etc/profile%'
OR UTF8(payload) ILIKE '%/etc/bashrc%'
OR UTF8(payload) ILIKE '%.config/fish/config.fish%'
)
AND devicetime > DATEADD(HOURS, -24, NOW())
ORDER BY devicetime DESCDetects references to Unix shell configuration file paths in Linux syslog and auditd events forwarded to QRadar. Uses UTF8(payload) full-text search to match both structured auditd PATH records and free-form syslog entries containing shell config file paths, covering bash, zsh, tcsh, csh, and fish shells.
Data Sources
Required Tables
False Positives & Tuning
- System-level package upgrades (apt/yum/dnf) generating syslog events when writing environment initialization scripts to /etc/profile.d/ for newly installed software packages
- Automated server provisioning pipelines (Ansible, SaltStack, Terraform remote-exec) that apply shell configuration changes across fleets of managed Linux hosts
- Developer workstation onboarding scripts that append PATH exports, aliases, or tool completions to .bashrc or .profile during initial environment setup
Other platforms for T1546.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Reverse Shell to .bashrc
Expected signal: File modification event for ~/.bashrc. Process creation for bash with echo command. Auditd SYSCALL records with type=PATH for the .bashrc file write. The reverse shell command in the file content is the key indicator.
- Test 2Add Download Cradle to /etc/profile.d/
Expected signal: File creation event for /etc/profile.d/argus-test.sh. Process creation for tee writing to /etc/profile.d/. Auditd records for the file creation in a privileged directory. The curl | bash pattern in the script content.
- Test 3Modify .bash_profile to Add Malicious PATH
Expected signal: File modification event for ~/.bash_profile. File creation events for ~/.local/bin/ls. The PATH modification in bash_profile is the persistence mechanism — every new shell session adds the attacker directory to PATH first.
Unlock Pro Content
Get the full detection package for T1546.004 including response playbook, investigation guide, and atomic red team tests.