EXPLORE

← Back to Explore

T1546.004

Unix Shell Configuration Modification

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</...

LinuxmacOS

14

Detections

3

Sources

1

Threat Actors

BY SOURCE

10elastic3splunk_escu1sigma

PROCEDURES (11)

Container2 detections

Auto-extracted: 2 detections for container

C22 detections

Auto-extracted: 2 detections for c2

Authentication Monitoring2 detections

Auto-extracted: 2 detections for authentication monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Service1 detections

Auto-extracted: 1 detections for service

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Process Creation Monitoring1 detections

Auto-extracted: 1 detections for process creation monitoring

File Monitoring1 detections

Auto-extracted: 1 detections for file monitoring

Child Process1 detections

Auto-extracted: 1 detections for child process

Unusual1 detections

Auto-extracted: 1 detections for unusual

Privilege1 detections

Auto-extracted: 1 detections for privilege

THREAT ACTORS (1)

Contagious Interview

DETECTIONS (14)

Bash Shell Profile Modification

Curl Execution via Shell Profile

Linux Auditd Unix Shell Configuration Modification

Linux File Creation In Profile Directory

Linux Possible Append Command To Profile Config File

Modification of Persistence Relevant Files Detected via Defend for Containers

Network Connection Initiated by Suspicious SSHD Child Process

Pod or Container Creation with Suspicious Command-Line

Potential Persistence via File Modification

Potential Suspicious File Edit

Shell Configuration Creation

Suspicious Echo or Printf Execution Detected via Defend for Containers

Unix Shell Configuration Modification

Unusual SSHD Child Process