Add ".bash_profile and .bashrc" attack technique (T1156)
#682
Comments
shreyamalviya
added
Monkey
Feature
|
There's an equivalent of bashrc with powershell profiles. |
|
Oh yeah, updated! You mean how we'll make sure we're not leaving arbitrary commands in the files? I was thinking we'd add only a comment to the file so that even if there's some issue with deleting it from the file afterwards, it won't execute a random command. Did you mean something else? |
|
I'm pro that. Another option is to add a simple output statement to them so they print on startup. |
|
Yeah, although how would we add that to the configuration page? A separate section for just this one PBA? |
shreyamalviya
changed the title
.bash_profile and .bashrc attack technique (T1156).bash_profile and .bashrc" attack technique (T1156)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
T1156
~/.bash_profileand~/.bashrcare shell scripts that are executed in a user's context when a new shell is opened or when a user logs in so that their environment is set correctly. Adversaries may abuse these shell scripts by adding arbitrary commands that may be used to execute other binaries to gain persistence. Every time the user logs in or opens a new shell, the modified~/.bash_profileand/or~/.bashrcscripts will be executed.Adding it as a PBA:
- LINUX: attempt to add some command (will be commented) to
.bash_profileand.bashrcbyecho-ing it into the file, and then removing it usingsed- WINDOWS:
do the same for profile files in Powershell (refer to this)T1504Mapping the technique to the ATT&CK matrix
The text was updated successfully, but these errors were encountered: