T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc

Description from ATT&CK

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session. For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with ~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.

Atomic Tests


Atomic Test #1 - Add command to .bash_profile

Adds a command to the .bash_profile file of the current user

Supported Platforms: macOS, Linux

auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | command_to_add | Command to add to the .bash_profile file | string | echo “Hello from Atomic Red Team T1546.004” > /tmp/T1546.004|

Attack Commands: Run with
1
sh
!

1
echo '#{command_to_add}' >> ~/.bash_profile

Cleanup Commands:

1
2
head -n '-2' ~/.bash_profile > /tmp/T1546.004
mv /tmp/T1546.004 ~/.bash_profile



Atomic Test #2 - Add command to .bashrc

Adds a command to the .bashrc file of the current user

Supported Platforms: macOS, Linux

auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | command_to_add | Command to add to the .bashrc file | string | echo “Hello from Atomic Red Team T1546.004” > /tmp/T1546.004|

Attack Commands: Run with
1
sh
!

1
echo '#{command_to_add}' >> ~/.bashrc

Cleanup Commands:

1
2
head -n '-2' ~/.bashrc > /tmp/T1546.004
mv /tmp/T1546.004 ~/.bashrc



Atomic Test #3 - Add command to .shrc

Adds a command to the .shrc file of the current user

Supported Platforms: Linux

auto_generated_guid: 41502021-591a-4649-8b6e-83c9192aff53

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | command_to_add | Command to add to the .shrc file | string | echo “Hello from Atomic Red Team T1546.004” > /tmp/T1546.004|

Attack Commands: Run with
1
sh
!

1
echo '#{command_to_add}' >> ~/.shrc

Cleanup Commands:

1
2
head -n '-2' ~/.shrc > /tmp/T1546.004
mv /tmp/T1546.004 ~/.shrc



Atomic Test #4 - Append to the system shell profile

An adversary may wish to establish persistence by executing malicious commands from the systems /etc/profile every time “any” user logs in.

Supported Platforms: Linux

auto_generated_guid: 694b3cc8-6a78-4d35-9e74-0123d009e94b

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | text_to_append | Text to append to the /etc/profile file | string | # Hello from Atomic Red Team T1546.004|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
echo '#{text_to_append}' >> /etc/profile

Cleanup Commands:

1
sed -i "s/# Atomic Red Team was here! T1546.004//" /etc/profile



Atomic Test #5 - Append commands user shell profile

An adversary may wish to establish persistence by executing malicious commands from the users ~/.profile every time the “user” logs in.

Supported Platforms: Linux

auto_generated_guid: bbdb06bc-bab6-4f5b-8232-ba3fbed51d77

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | text_to_append | Text to append to the ~/.profile file | string | # Atomic Red Team was here… T1546.004|

Attack Commands: Run with
1
sh
!

1
echo '#{text_to_append}' >> ~/.profile

Cleanup Commands:

1
sed -i "s/# Atomic Red Team was here... T1546.004//" ~/.profile



Atomic Test #6 - System shell profile scripts

An adversary may wish to establish persistence by adding commands into any of the script files in the /etc/profile.d/ directory, which are executed every time “any” user logs in.

Supported Platforms: Linux

auto_generated_guid: 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | text_to_append | Text to append to the /etc/profile.d/bash_completion.sh file | string | # Atomic Red Team was here… T1546.004|

Attack Commands: Run with
1
sh
! Elevation Required (e.g. root or admin)

1
echo '#{text_to_append}' >> /etc/profile.d/bash_completion.sh

Cleanup Commands:

1
sed -i "s/# Atomic Red Team was here... T1546.004//" /etc/profile.d/bash_completion.sh



Atomic Test #7 - Create/Append to .bash_logout

The Bash shell runs ~/.bash_logout “if it exists” to run commands on user logout. An adversary may create or append to a .bash_logout to clear history, start processes etc. Note the ~/.bash_logout is only run if you explicitly exit or log out of an “interactive login shell session” i.e. via the console, SSH, /bin/bash -l or su -l .

This test creates the art user, logs in, creates a .bash_logout which will echo some text into the art.txt file on logout and logs out and the /home/art/art.txt is created.

Supported Platforms: Linux

auto_generated_guid: 37ad2f24-7c53-4a50-92da-427a4ad13f58

Attack Commands: Run with
1
bash
! Elevation Required (e.g. root or admin)

1
2
useradd --create-home --shell /bin/bash art
su -l art -c "echo 'echo \"Atomic Red Team was here... T1546.004\" >> /home/art/art.txt' >> /home/art/.bash_logout; exit"

Cleanup Commands:

1
userdel -fr art