T1546.004 Bash Profile And Bashrc
T1546.004
Required Tables
- process_events
- file_events
Returned Fields
Field | Description |
process_events.path | Path of the process executable associated with the file event (joined on process_uuid; may be NULL if no process record matched) |
file_events.path | Path of the shell startup/profile file that the event touched |
Query
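-- T1546.004: persistence via Unix shell configuration files.
-- Returns each (process, file) pair for file events on shell startup scripts:
-- root's dotfiles, system-wide files under /etc, and per-user dotfiles under
-- /home. Events whose parent process is a package manager or dockerd are
-- excluded as expected noise; events with no resolvable parent are kept.
SELECT
    process_events.path,
    file_events.path
FROM file_events
LEFT JOIN process_events
    ON process_events.process_uuid = file_events.process_uuid
-- Second join resolves the parent of the process that produced the event.
-- Both joins are LEFT so an event is not lost when process data is missing.
LEFT JOIN process_events parent_events
    ON parent_events.process_uuid = process_events.parent_process_uuid
WHERE (
    file_events.path IN (
        '/root/.bash_profile',
        '/root/.profile',
        '/root/.bashrc',
        '/root/.bash_aliases',
        '/root/.xsession',
        '/root/.cshrc',
        '/root/.kshrc',
        '/root/.zshrc',
        '/root/.zprofile',
        '/etc/rc.local',
        '/etc/profile',
        '/etc/bash.bashrc',
        '/etc/bash_completion'
    )
    OR (
        -- Patterns are anchored and the leading dot is written as `[.]` (a
        -- literal dot without dialect-specific backslash escaping). The
        -- unanchored originals also matched editor artefacts such as
        -- `.bashrc.swp` or `.profile.bak`. `.+` is kept rather than `[^/]+`
        -- so nested home layouts (/home/<group>/<user>) still match.
        regexp_like(file_events.path, '^/home/.+/[.]bash_profile$')
        OR regexp_like(file_events.path, '^/home/.+/[.]profile$')
        OR regexp_like(file_events.path, '^/home/.+/[.]bashrc$')
        OR regexp_like(file_events.path, '^/home/.+/[.]bash_aliases$')
        OR regexp_like(file_events.path, '^/home/.+/[.]xsession$')
        OR regexp_like(file_events.path, '^/home/.+/[.]cshrc$')
        OR regexp_like(file_events.path, '^/home/.+/[.]kshrc$')
        OR regexp_like(file_events.path, '^/home/.+/[.]zshrc$')
        OR regexp_like(file_events.path, '^/home/.+/[.]zprofile$')
    )
)
AND (
    -- Detection gap guard: parent_events is LEFT JOINed, so its path is NULL
    -- when the process or its parent was not recorded. `NULL NOT IN (...)`
    -- evaluates to UNKNOWN and would silently drop exactly those events, so
    -- NULL parents are explicitly allowed through.
    parent_events.path IS NULL
    OR parent_events.path NOT IN (
        '/usr/bin/dpkg',
        '/usr/bin/yum',
        '/usr/bin/apt',
        '/usr/bin/apt-get',
        '/usr/bin/dockerd'
    )
)
-- Collapses repeated events for the same (file, process) pair into one row.
GROUP BY file_events.path, process_events.path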