Modifications of .bash_profile and .bashrc¶
Detect modification of .bash_profile and .bashrc files for persistent commands
id: | 3567621a-1564-11e9-8e67-d46d6d62a49e |
---|---|
categories: | hunt |
confidence: | low |
os: | linux, macos |
created: | 01/10/2019 |
updated: | 01/10/2019 |
MITRE ATT&CK™ Mapping¶
tactics: | Persistence |
---|---|
techniques: | T1156 .bash_profile and .bashrc |
Query¶
file where subtype.modify and
(file_name == ".bash_profile" or file_name == ".bashrc")