Detect Unix Shell Configuration Modification in Splunk
Adversaries may establish persistence through executing malicious commands triggered by a user's shell. User Unix shells execute several configuration scripts whenever a shell session is opened. Malicious content can be inserted into these shell configuration files — such as ~/.bashrc, ~/.bash_profile, ~/.bash_login, ~/.profile, /etc/profile, /etc/bashrc, ~/.zshrc, and ~/.zprofile — to execute adversary payloads when a user opens a terminal or logs in. The payload will execute in the user's context each time the shell is started.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.004 Unix Shell Configuration Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1546/004/
SPL Detection Query
index=syslog (sourcetype=syslog OR sourcetype=linux_secure OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval ShellConfig=if(
match(source, "(\.bashrc|\.bash_profile|\.bash_login|\.profile|\.zshrc|\.zprofile|\.zshenv|/etc/profile|/etc/bashrc|profile\.d)"),
1, 0
)
| eval Auditd=if(sourcetype="linux_secure" AND match(_raw, "type=PATH"), 1, 0)
| where ShellConfig=1 OR (Auditd=1 AND match(_raw, "(\.bashrc|\.bash_profile|\.profile|\.zshrc)"))
| eval FilePath=coalesce(
rex field=_raw "name=\"([^\"]+)\"",
rex field=source "(/.*)"
)
| eval IsSystemFile=if(match(FilePath, "^/etc/"), 1, 0)
| eval IsRootHome=if(match(FilePath, "^/root/"), 1, 0)
| table _time, host, user, FilePath, IsSystemFile, IsRootHome, sourcetype, _raw
| sort - _timeDetects shell configuration file modifications using Linux syslog and auditd sources. Monitors for file write events targeting bash/zsh/fish config files. Auditd must be configured with file watch rules (-w /home -p wa -k shell_config) to provide the most granular data. Also monitors /etc/profile.d/ directory for new script additions, which execute for all users on login.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Package managers modifying /etc/profile.d/ during package installation
- Configuration management tools managing shell configs
- Users modifying their own shell configuration files
- Developer toolchains appending initialization code during installation
Other platforms for T1546.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Reverse Shell to .bashrc
Expected signal: File modification event for ~/.bashrc. Process creation for bash with echo command. Auditd SYSCALL records with type=PATH for the .bashrc file write. The reverse shell command in the file content is the key indicator.
- Test 2Add Download Cradle to /etc/profile.d/
Expected signal: File creation event for /etc/profile.d/argus-test.sh. Process creation for tee writing to /etc/profile.d/. Auditd records for the file creation in a privileged directory. The curl | bash pattern in the script content.
- Test 3Modify .bash_profile to Add Malicious PATH
Expected signal: File modification event for ~/.bash_profile. File creation events for ~/.local/bin/ls. The PATH modification in bash_profile is the persistence mechanism — every new shell session adds the attacker directory to PATH first.
Unlock Pro Content
Get the full detection package for T1546.004 including response playbook, investigation guide, and atomic red team tests.