Unix Shell Configuration Modification

Information

• Name: Unix Shell Configuration Modification

• ID: T1546.004

• Tactics: TA0004, TA0003

• Technique: T1546

Introduction

Unix Shell Configuration Modification (T1546.004) is a sub-technique within the MITRE ATT&CK framework under the "Event Triggered Execution" tactic. Attackers leverage this method to achieve persistence and privilege escalation by inserting malicious code or commands into shell profiles or configuration files. These modified files execute attacker-controlled commands each time a user or administrator logs into a Unix or Linux system, ensuring continuous and stealthy access.

Deep Dive Into Technique

Attackers typically manipulate Unix shell configuration files such as .bash_profile, .bashrc, .zshrc, .profile, and /etc/profile to execute malicious payloads. These files are executed automatically upon user login or shell invocation, making them ideal targets for persistent access.

Technical execution methods include:

• Appending malicious commands to existing configuration files:

  • Attackers insert commands at the end of legitimate files to minimize suspicion.

  • Commands may download and execute remote payloads, establish reverse shells, or create backdoors.

• Creating hidden scripts or aliases:

  • Malicious actors may define aliases or functions that appear benign but execute harmful commands.

  • Scripts often reside in hidden directories or have filenames resembling legitimate system utilities.

• Replacing legitimate configuration files:

  • Attackers might overwrite existing configuration files entirely, though less common due to higher detectability.

Commonly targeted files:

• User-specific files:

  • ~/.bashrc

  • ~/.bash_profile

  • ~/.zshrc

  • ~/.profile

• Global files:

  • /etc/profile

  • /etc/bash.bashrc

  • /etc/zsh/zshrc

Real-world procedures often involve:

• Leveraging compromised credentials or exploiting vulnerabilities to gain initial access.

• Modifying shell configuration files to maintain persistence across user logins.

• Implementing stealthy persistence methods, such as obfuscating commands or encoding payloads to evade detection.

When this Technique is Usually Used

This sub-technique typically appears in the following attack scenarios and stages:

• Persistence Stage: Attackers commonly use shell configuration modification to ensure continuous access even after initial access vectors are closed.

• Privilege Escalation: Shell configuration files executed by privileged users (such as root) can facilitate privilege escalation if attackers manage to modify these files.

• Lateral Movement: Attackers might use this technique to execute commands or scripts automatically on compromised hosts when legitimate users log in, facilitating lateral movement within a network.

• Post-Exploitation and Command-and-Control (C2): Attackers use modified shell configurations to establish covert C2 channels, execute periodic callbacks, or maintain remote access.

Typical scenarios include:

• Advanced Persistent Threat (APT) campaigns targeting Unix/Linux infrastructure.

• Insider threat scenarios where malicious users establish persistent access.

• Opportunistic attacks exploiting misconfigurations or weak permissions on shell configuration files.

How this Technique is Usually Detected

Detection methods, tools, and indicators of compromise (IoCs) typically include:

• File Integrity Monitoring (FIM):

  • Tools such as Tripwire, OSSEC, or AIDE monitor changes to critical files like .bashrc, .profile, and /etc/profile.

  • Alerts are triggered upon unauthorized modifications.

• Configuration Audits:

  • Regular auditing of shell configuration files to detect unexpected or suspicious commands and aliases.

  • Comparing current configurations against known-good baselines.

• Endpoint Detection and Response (EDR):

  • EDR solutions can detect anomalous execution patterns and modifications to sensitive configuration files.

  • Tools like CrowdStrike Falcon, Carbon Black, and SentinelOne provide visibility into suspicious file modifications and command executions.

• Monitoring User Login Activity:

  • Correlating login events with suspicious processes or network connections initiated immediately afterward.

  • Reviewing logs such as /var/log/auth.log, /var/log/secure, or shell history files for suspicious activity.

Indicators of Compromise (IoCs):

• Unusual entries or encoded commands in shell configuration files.

• Unrecognized scripts or binaries executed upon login.

• Unexpected network connections initiated immediately after user login.

• Modified timestamps or file permissions inconsistent with normal system operations.

Why it is Important to Detect This Technique

Detecting Unix shell configuration modification is critical due to several potential impacts:

• Persistence and Long-Term Compromise:

  • Attackers maintain persistent and stealthy access, making remediation difficult and costly.

  • Early detection prevents prolonged unauthorized access.

• Privilege Escalation Risks:

  • If shell configuration files executed by privileged users (root or administrators) are compromised, attackers may escalate privileges, gaining full control over systems.

• Data Exfiltration and Intellectual Property Theft:

  • Persistent access allows attackers to continuously exfiltrate sensitive data or intellectual property unnoticed.

• Operational Disruption and System Damage:

  • Attackers may use persistent access to disrupt operations, delete data, or sabotage critical infrastructure, causing significant downtime and financial losses.

• Regulatory Compliance and Reputation Risks:

  • Undetected persistent threats can lead to regulatory non-compliance, fines, and reputational damage.

Early detection and remediation of this technique significantly reduce the potential impact and cost associated with prolonged compromises.

Examples

Real-world examples demonstrating the use of Unix shell configuration modification:

• Operation Windigo (2014):

  • Attackers compromised Linux servers by modifying .bashrc and .profile files.

  • Malicious commands established persistent access, downloaded additional malware, and facilitated spam campaigns and credential theft.

  • Impacted tens of thousands of Linux servers globally.

• HiddenWasp Malware (2019):

  • Linux malware that modified shell configuration files to ensure persistence across reboots and user logins.

  • Attackers inserted scripts into .bashrc files to execute malware payloads silently upon login.

  • Malware facilitated remote command execution and control over infected machines.

• Rocke Group Cryptojacking Campaigns (2018-2019):

  • Attackers used modified .bashrc files to persistently run cryptomining malware on compromised Linux servers.

  • Inserted commands downloaded and executed cryptominers upon each login, evading detection and maintaining persistence.

• Skidmap Malware (2019):

  • Linux malware that established persistence by modifying shell configuration files.

  • Inserted malicious commands into .bashrc and other configuration files to execute cryptomining payloads and rootkits upon login.

  • Demonstrated advanced evasion techniques and persistence mechanisms.

These examples illustrate the widespread use and effectiveness of Unix shell configuration modification as a persistence and execution technique by threat actors, emphasizing the importance of proactive detection and monitoring.