Correlate modifications of shell startup scripts (e.g., .bashrc, .profile) that insert a trap command with the unexpected child processes the user's shell spawns afterwards, once the trapped terminal signal (e.g., SIGINT on Ctrl-C) is delivered. Tie both events to the same user session (login UID, audit session ID) so that a user editing their own profile can be told apart from a trap planted to persist or to run commands under that user's privileges.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Modification (DC0061) | auditd:SYSCALL | openat/write to a user shell profile, including trap registration via echo and redirection (e.g., `echo "trap 'malicious_cmd' INT" >> ~/.bashrc`); because echo is a shell builtin and the redirection is performed by the shell itself, the write produces no execve record of its own |
| File Access (DC0055) | auditd:SYSCALL | open |
| Field | Description |
|---|---|
| TargetShellFilePath | The path to user profile scripts (e.g., ~/.bashrc, ~/.zshrc); may differ by distro or shell type. |
| SignalTrapName | The trapped signal (e.g., INT, HUP, TERM, EXIT) is environment-specific and can be chosen by the attacker to evade a fixed signal list. |
| TimeWindow | Temporal threshold for correlating the trap insertion with the later process execution (e.g., 10 s to 5 min) |
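The correlation described above, run over raw auditd records, as an added example that is not part of the MITRE page: it groups records by audit serial, picks out successful writes to a startup file, picks out execve events, and alerts when a non-baseline executable runs for the same login UID within the TimeWindow. The audit keys `shell_profile` and `exec` are assumed names that your own rules would assign (for instance a watch rule such as `-w /home/alice/.bashrc -p wa -k shell_profile`), the x86_64 execve syscall number and the BASELINE allowlist are assumptions, and the records in SAMPLE are constructed.

```python
"""Correlate auditd shell-profile writes with later unexpected child execs.
Added example for the Linux analytic above; it is not MITRE's code. The audit
records in SAMPLE are constructed, and the audit keys shell_profile and exec are
assumed names that your own auditd rules would have to assign."""
import os
import re
from collections import defaultdict

STARTUP_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc", ".zprofile")
EXECVE_X86_64 = "59"          # syscall number in the SYSCALL record when arch=c000003e
# Assumed baseline of commands an interactive shell normally spawns; tune per host.
BASELINE = {"ls", "cat", "grep", "vim", "less", "git", "ssh", "sudo"}

_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_record(line):
    """Turn one raw audit line into a dict; quoted values are unquoted.
    (Real auditd hex-encodes values containing spaces; the constructed sample avoids that.)"""
    m = _MSG.search(line)
    if not m:
        return None
    rec = {"_ts": float(m.group(1)), "_serial": m.group(2)}
    for key, val in _KV.findall(line):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec

def group_events(lines):
    """Group records by audit serial: one event = SYSCALL + CWD + PATH/EXECVE records."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    return events

def profile_writes(events):
    """Successful syscalls tagged shell_profile whose PATH record names a startup file."""
    hits = []
    for recs in events.values():
        sysc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not sysc or sysc.get("success") != "yes" or sysc.get("key") != "shell_profile":
            continue
        for r in recs:
            if r.get("type") == "PATH" and r.get("name", "").endswith(STARTUP_FILES):
                hits.append({"ts": sysc["_ts"], "auid": sysc["auid"], "ses": sysc["ses"],
                             "pid": sysc["pid"], "path": r["name"]})
    return hits

def child_execs(events):
    """Successful execve events with their argv taken from the EXECVE record."""
    hits = []
    for recs in events.values():
        sysc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if not sysc or sysc.get("syscall") != EXECVE_X86_64 or sysc.get("success") != "yes":
            continue
        ev = next((r for r in recs if r.get("type") == "EXECVE"), None)
        argv = [ev.get(f"a{i}", "") for i in range(int(ev.get("argc", 0)))] if ev else []
        hits.append({"ts": sysc["_ts"], "auid": sysc["auid"], "ses": sysc["ses"],
                     "ppid": sysc["ppid"], "exe": sysc.get("exe", ""), "argv": argv})
    return hits

def detect(lines, window_s=300, baseline=BASELINE):
    """Alert when a non-baseline exec by the same login user follows a startup-file
    write within window_s seconds. Correlation is by auid rather than ses because a
    trap planted in ~/.bashrc fires in whichever later shell sources the file."""
    events = group_events(lines)
    writes = profile_writes(events)
    alerts = []
    for ex in child_execs(events):
        if os.path.basename(ex["exe"]) in baseline:
            continue
        for w in writes:
            delta = ex["ts"] - w["ts"]
            if w["auid"] == ex["auid"] and 0 <= delta <= window_s:
                alerts.append({"auid": w["auid"], "path": w["path"], "exe": ex["exe"],
                               "argv": ex["argv"], "delta_s": round(delta, 3),
                               "same_session": w["ses"] == ex["ses"]})
    return alerts

# Constructed audit records: an append to ~/.bashrc, a benign `ls`, then malicious_cmd.
SAMPLE = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd3c2a a2=441 a3=1b6 items=2 ppid=2301 pid=2345 auid=1000 uid=1000 gid=1000 euid=1000 ses=7 comm="bash" exe="/usr/bin/bash" key="shell_profile"
type=CWD msg=audit(1700000000.101:2001): cwd="/home/alice"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/home/alice/" inode=131073 mode=040700 nametype=PARENT
type=PATH msg=audit(1700000000.101:2001): item=1 name="/home/alice/.bashrc" inode=131090 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1700000045.870:2099): arch=c000003e syscall=59 success=yes exit=0 a0=5 a1=5 a2=5 a3=5 items=2 ppid=2345 pid=2360 auid=1000 uid=1000 gid=1000 euid=1000 ses=7 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000045.870:2099): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000062.339:2140): arch=c000003e syscall=59 success=yes exit=0 a0=5 a1=5 a2=5 a3=5 items=2 ppid=2345 pid=2375 auid=1000 uid=1000 gid=1000 euid=1000 ses=7 comm="malicious_cmd" exe="/usr/local/bin/malicious_cmd" key="exec"
type=EXECVE msg=audit(1700000062.339:2140): argc=1 a0="malicious_cmd"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

On the sample, `ls` is dropped by the baseline and `malicious_cmd` is reported 62 s after the `.bashrc` append; shrinking the window to 60 s suppresses it, which is the trade-off the TimeWindow element describes. Note that `a2=441` on the openat record is O_WRONLY|O_CREAT|O_APPEND, the flag combination a `>>` redirection produces, so the flags are a further discriminator if you want to ignore read-only opens tagged by a broad watch rule.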
Detect unauthorized trap command registrations in shell startup files (e.g., .zprofile, .bash_profile, .zshrc) followed by unexpected process chains during the user's terminal session. Use the macOS Unified Log and EDR telemetry to tie the write of the trap line to the child processes later spawned by the login shell and to score deviations in that shell's process tree.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Command line containing `trap` or `echo 'trap` written to login shell files |
| File Modification (DC0061) | macos:unifiedlog | File write or append to .zshrc, .bash_profile, .zprofile, etc. |
| Field | Description |
|---|---|
| LoginShellConfigPaths | Startup files vary by shell (.bash_profile, .zshrc, etc.) |
| TrapCommandLengthThreshold | Benign traps are usually one short cleanup command (e.g., removing a temporary file on EXIT); a longer or multi-command trap action is worth reviewing. |
| ParentProcessAnomalyThreshold | Score or flag a new child process that deviates from the login shell's typical behavior (unusual binary, path, or argument pattern for that user). |