Adversaries may establish persistence by executing malicious content triggered by a user’s shell. <code>~/.bash_profile</code> and <code>~/.bashrc</code> are shell scripts that contain shell commands. These files are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly.
<code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the <code>~/.bash_profile</code> script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the <code>~/.bashrc</code> script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment.
The macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling <code>~/.bash_profile</code> each time instead of <code>~/.bashrc</code>.
Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. Every time the user logs in or opens a new shell, the modified <code>~/.bash_profile</code> and/or <code>~/.bashrc</code> scripts will be executed. (Citation: amnesia malware)
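As an added example, not part of the ATT&CK description or of any mapped control, the following Python script implements the baseline-and-compare check a defender would run over these two startup files: it snapshots their digests and contents, then reports any file that was created or modified together with the lines that were appended. The temporary HOME, the benign baseline content and the appended command line are all constructed for the demonstration.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

# The two startup files the technique description covers; both run in the user's context.
STARTUP_FILES = (".bash_profile", ".bashrc")


def snapshot(home: Path) -> dict:
    """Record a SHA-256 digest and the text of each startup file under `home` (missing -> None)."""
    snap = {}
    for name in STARTUP_FILES:
        path = home / name
        if path.is_file():
            data = path.read_bytes()
            snap[name] = {"digest": hashlib.sha256(data).hexdigest(),
                          "text": data.decode("utf-8", errors="replace")}
        else:
            snap[name] = {"digest": None, "text": ""}
    return snap


def check_against_baseline(home: Path, baseline: dict) -> list:
    """Compare current startup files with a trusted baseline; return one finding per changed
    file, listing added lines, since appended commands are the modification described above."""
    findings = []
    current = snapshot(home)
    for name, base in baseline.items():
        cur = current[name]
        if cur["digest"] == base["digest"]:
            continue  # unchanged (or still absent)
        diff = difflib.ndiff(base["text"].splitlines(), cur["text"].splitlines())
        added = [line[2:] for line in diff if line.startswith("+ ")]
        findings.append({"file": name, "added_lines": added,
                         "status": "created" if base["digest"] is None else "modified"})
    return findings


def demo() -> list:
    """Constructed scenario in a temporary HOME: baseline a benign ~/.bashrc,
    append one unexpected command line, and re-check against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        rc = home / ".bashrc"
        rc.write_text("export PATH=$HOME/bin:$PATH\nalias ll='ls -la'\n")
        baseline = snapshot(home)
        # Constructed placeholder for an appended command; not a real payload.
        with rc.open("a") as f:
            f.write("/tmp/placeholder_binary &\n")
        return check_against_baseline(home, baseline)
```

Run `demo()` to see a single finding for `.bashrc` with status `modified` and the appended line; an untouched `.bash_profile` produces no finding.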
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-3 | Access Enforcement | Protects | T1546.004 | .bash_profile and .bashrc | |
AC-6 | Least Privilege | Protects | T1546.004 | .bash_profile and .bashrc | |
CA-7 | Continuous Monitoring | Protects | T1546.004 | .bash_profile and .bashrc | |
CM-2 | Baseline Configuration | Protects | T1546.004 | .bash_profile and .bashrc | |
CM-6 | Configuration Settings | Protects | T1546.004 | .bash_profile and .bashrc | |
SI-3 | Malicious Code Protection | Protects | T1546.004 | .bash_profile and .bashrc | |
SI-4 | System Monitoring | Protects | T1546.004 | .bash_profile and .bashrc | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1546.004 | .bash_profile and .bashrc | |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
azure_security_center_recommendations | Azure Security Center Recommendations | technique_scores | T1546.004 | .bash_profile and .bashrc | This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can prevent the addition or modification of files in Kubernetes containers, thereby mitigating this sub-technique. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal. |
file_integrity_monitoring | File Integrity Monitoring | technique_scores | T1546.004 | .bash_profile and .bashrc | This control may detect changes to the Windows registry or files that indicate event-triggered execution. The specificity of registry keys and files used in creation or modification of these scheduled tasks may reduce the false positive rate. This control at worst scans for changes on an hourly basis. |