Query Details

Rule: Detection of Suspicious Shell Scripts in Profile Directory

Ectprofilesuspiciousscripts

Query

DeviceFileEvents
| where FileName endswith ".sh" or FileName endswith ".zsh" or FileName endswith ".

About this query

Explanation

This query is designed to detect suspicious shell scripts in the /etc/profile.d/ directory on Linux systems. Here's a simplified summary:

Purpose

  • Goal: Identify potentially malicious shell scripts in the /etc/profile.d/ directory.
  • Reason: This directory is used for scripts that configure the environment for all users. Unauthorized scripts here could indicate an attacker trying to run malicious code during user logins or system startup.

How It Works

  • Monitors File Events: Specifically looks at file creation or modification events.
  • File Types: Focuses on files ending with .sh, .zsh, or .csh.
  • Exclusions: Ignores scripts initiated by the platform-python3.6 process, which is usually safe.
  • Directory: Only considers files in the /etc/profile.d/ directory.

Tags

  • Categories: File Events, Persistence, Shell Script, Profile Directory, Linux Security, Suspicious Activity

Search Query

The query filters file events to find:

  • Files with names ending in .sh, .zsh, or .csh.
  • Files not initiated by platform-python3.6.
  • Files located in /etc/profile.d/.

This helps in identifying unauthorized or unusual shell scripts that could be a sign of malicious activity.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 8, 2024

Tables

DeviceFileEvents

Keywords

DeviceFileEventsFileNameFolderPathInitiatingProcessFileNameLinuxSecuritySuspiciousActivity

Operators

endswithorwherenotcontains

Actions

GitHub