Adversaries may create shell scripts in user profile folders to execute malicious payloads under the guise of legitimate processes. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence mechanisms and early-stage compromise attempts.
Detection Rule
title: Potentially Suspicious Shell Script Creation in Profile Folder
id: 13f08f54-e705-4498-91fd-cce9d9cee9f1
status: test
description: Detects the creation of shell scripts under the "profile.d" path.
references:
    - https://blogs.jpcert.or.jp/en/2023/05/gobrat.html
    - https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/
    - https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection
    - https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023-06-02
tags:
    - attack.persistence
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains: '/etc/profile.d/'
        TargetFilename|endswith:
            - '.csh'
            - '.sh'
    condition: selection
falsepositives:
    - Legitimate shell scripts in the "profile.d" directory could be common in your environment. Apply additional filters accordingly via "Image", by adding specific filenames you trust, or by correlating with other events.
    - Regular file creation during system update or software installation by the package manager
level: low # Can be increased to a higher level after some tuning
// ASIM imFileEvent: TargetFilePath carries the full normalized path; TargetFileName holds only the file name,
// so the directory check must run against TargetFilePath.
imFileEvent
| where TargetFilePath contains "/etc/profile.d/"
    and (TargetFilePath endswith ".csh" or TargetFilePath endswith ".sh")
Scenario: System Administrator Creates a Legitimate Configuration Script
Description: An admin creates a shell script in the user profile folder to configure a service or application.
Filter/Exclusion: (process.name == "bash" and file.path contains "/etc/") or file.name contains "config"
Scenario: Scheduled Job Executes a Script in User Profile
Description: A scheduled job (e.g., using cron or systemd) runs a script in a user’s profile folder as part of a routine maintenance task.
Filter/Exclusion: process.name contains "cron" or process.name contains "systemd"
Scenario: User Installs a Desktop Application with Custom Script
Description: A user installs a desktop application (e.g., Dropbox, TeamViewer) that places a shell script in their profile folder for background operations.
Filter/Exclusion: file.name contains "dropbox.sh" or file.name contains "teamviewer.sh"
Scenario: Developer Uses a Shell Script for Automation in Profile
Description: A developer creates a shell script in their profile folder to automate a local development task (e.g., npm, docker, ansible).
Filter/Exclusion: process.name contains "npm" or process.name contains "docker"
Scenario: System Update or Patching Process Creates Temporary Script
Description: A system update or patching tool (e.g., yum, apt, zypper) creates a temporary shell script in a user profile folder during installation.
Filter/Exclusion: process.name contains "yum" or process.name contains "apt" or file.name contains "tmp"
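The following is an added worked example, not code from the rule's author or from the Sigma project. It evaluates the rule's selection (path contains "/etc/profile.d/", suffix ".csh" or ".sh") over constructed file-creation events and then applies the kind of tuning the falsepositives section and the scenarios above describe: suppressing creations by the package manager (a trusted "image") and by a short allow-list of known filenames. The `FileEvent` fields, the `TRUSTED_IMAGES` and `TRUSTED_NAMES` contents, and the sample events are all assumptions made for the example; in practice the allow-lists come from a baseline of your own hosts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    """One Linux file-creation event. Field names loosely mirror the Sigma
    file_event logsource and are an assumption of this example."""
    target_filename: str  # full path of the file that was created
    image: str            # executable that created it
    user: str             # account the creating process ran as


# --- Selection, as written in the Sigma rule ---------------------------------
PROFILE_D = "/etc/profile.d/"
SCRIPT_SUFFIXES = (".csh", ".sh")


def matches_selection(ev: FileEvent) -> bool:
    """TargetFilename|contains '/etc/profile.d/' and TargetFilename|endswith .csh/.sh."""
    return PROFILE_D in ev.target_filename and ev.target_filename.endswith(SCRIPT_SUFFIXES)


# --- Tuning layer described in the rule's falsepositives section -------------
# Hypothetical allow-lists; populate them from your own package-manager baseline.
TRUSTED_IMAGES = frozenset({"/usr/bin/dpkg", "/usr/bin/rpm", "/usr/bin/zypper"})
TRUSTED_NAMES = frozenset({"vte.sh", "bash_completion.sh"})


def exclusion_reason(ev: FileEvent) -> Optional[str]:
    """Return why a matching event is suppressed, or None if it should alert."""
    name = ev.target_filename.rsplit("/", 1)[-1]
    if ev.image in TRUSTED_IMAGES:
        return "created by package manager " + ev.image
    if name in TRUSTED_NAMES:
        return "known baseline file " + name
    return None


def triage(events: List[FileEvent]) -> Dict[str, str]:
    """Map each event's path to 'no_match', 'suppressed' or 'alert'."""
    verdicts: Dict[str, str] = {}
    for ev in events:
        if not matches_selection(ev):
            verdicts[ev.target_filename] = "no_match"
        elif exclusion_reason(ev) is not None:
            verdicts[ev.target_filename] = "suppressed"
        else:
            verdicts[ev.target_filename] = "alert"
    return verdicts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    FileEvent("/etc/profile.d/vte.sh", "/usr/bin/dpkg", "root"),       # package install
    FileEvent("/etc/profile.d/lang.csh", "/usr/bin/rpm", "root"),      # package install
    FileEvent("/etc/profile.d/zz-custom.sh", "/bin/sh", "root"),       # unexplained script
    FileEvent("/etc/profile.d/README.txt", "/usr/bin/vim", "root"),    # wrong suffix
    FileEvent("/home/alice/.profile.d/env.sh", "/bin/bash", "alice"),  # outside /etc/profile.d
]

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_EVENTS).items():
        print(f"{verdict:<10} {path}")
```

The exclusions are deliberately narrow: they key on the exact creating executable or an exact filename rather than on a substring such as "config" or "tmp", so a script that merely has a familiar-looking name still alerts while routine package-manager writes stay quiet. Extending `TRUSTED_IMAGES` to cover the update tooling in the last scenario above is the same mechanism.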