Detects modification of shell startup/logout scripts such as ~/.bashrc, ~/.bash_profile, or /etc/profile, followed by anomalous process execution or network connections upon interactive or remote shell login.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | AUDIT_SYSCALL (open, write, rename, unlink) |
| Process Creation (DC0032) | auditd:EXECVE | execution of unexpected binaries during user shell startup |
| Network Traffic Content (DC0085) | NSM:Flow | unexpected network activity initiated shortly after shell session starts |

| Field | Description |
|---|---|
| TimeWindow | Defines how soon after shell startup process execution or network activity is considered suspicious. |
| TargetUser | Limits detection to specific user accounts or roles such as root or service accounts. |
| FilePathRegex | Defines which shell configuration paths are considered relevant (e.g., .bashrc, .bash_logout). |

Correlates zsh shell configuration file changes (e.g., ~/.zshrc, ~/.zlogin, /etc/zprofile) with execution of unauthorized binaries or unexpected network activity triggered on Terminal.app launch.

| Data Component | Name | Channel |
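As an added illustration of the auditd correlation described above (example code, not part of the original detection strategy), the Python below groups auditd records by serial, flags successful writes to paths matching FilePathRegex, and alerts when the same uid executes a binary within TimeWindow seconds; TargetUser narrows the scope. The sample audit records, the `shellrc` audit key and the binary paths are constructed.

```python
import re

# Constructed sample auditd records (not from the page). Each syscall yields several
# records sharing one serial: SYSCALL + PATH for a file write, SYSCALL + EXECVE for an exec.
# Assumes watch rules such as "-w /etc/profile -p wa -k shellrc" are loaded so writes are logged.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="vim" exe="/usr/bin/vim" key="shellrc"
type=PATH msg=audit(1700000000.100:101): item=0 name="/home/alice/.bashrc" nametype=NORMAL
type=SYSCALL msg=audit(1700000100.200:102): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700000100.200:102): argc=2 a0="/tmp/.cache/updater" a1="--daemon"
type=SYSCALL msg=audit(1700009000.300:103): arch=c000003e syscall=59 success=yes exit=0 uid=1000 auid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1700009000.300:103): argc=1 a0="/usr/bin/ls"
"""

# FilePathRegex: shell startup/logout files in home directories and under /etc.
FILE_PATH_REGEX = re.compile(r"(?:/\.(?:bashrc|bash_profile|bash_logout|profile)|^/etc/(?:profile|bash\.bashrc))$")
RECORD_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)="?([^"\s]*)"?')


def parse_audit_log(text):
    """Group auditd records by serial into one event per syscall, fields keyed 'TYPE.field'."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(serial, {"ts": float(ts), "types": set()})
        ev["types"].add(rtype)
        ev.update({f"{rtype}.{k}": v for k, v in FIELD_RE.findall(rest)})
    return sorted(events.values(), key=lambda e: e["ts"])


def correlate(events, time_window=3600, target_users=None):
    """Alert when a uid execs a binary within time_window seconds of writing a shell config file."""
    alerts = []
    last_mod = {}  # uid -> (timestamp, config path) of that user's most recent config write
    for ev in events:
        uid = ev.get("SYSCALL.uid")
        if target_users is not None and uid not in target_users:  # TargetUser scoping
            continue
        if "PATH" in ev["types"] and ev.get("SYSCALL.success") == "yes" \
                and FILE_PATH_REGEX.search(ev.get("PATH.name", "")):
            last_mod[uid] = (ev["ts"], ev["PATH.name"])
        elif "EXECVE" in ev["types"] and uid in last_mod:
            mod_ts, mod_path = last_mod[uid]
            if ev["ts"] - mod_ts <= time_window:  # TimeWindow check
                alerts.append({"uid": uid, "config": mod_path, "exe": ev.get("EXECVE.a0"),
                               "delta_s": round(ev["ts"] - mod_ts, 1)})
    return alerts
```

Real deployments would also join the NSM:Flow channel on the same uid/session and time window; the structure is the same as the EXECVE branch.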
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | launch of Terminal.app or shell with non-standard environment setup |
| File Modification (DC0061) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_WRITE, targeting .zshrc, .zlogin, .zprofile |

| Field | Description |
|---|---|
| FileTargetList | Customizable list of shell config files considered sensitive for detection. |
| PayloadEntropyThreshold | Used to distinguish benign from potentially obfuscated commands written to config files. |
| UserContext | Scoping based on user login class, e.g., administrative vs standard users. |