
T1546.004 Bash Profile And Bashrc

T1546.004

Required Tables

  • process_events
  • file_events

Returned Fields

Field Description
process_events.path
file_events.path

Query

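-- T1546.004 (Bash profile / bashrc persistence): report processes that wrote
-- to shell and login initialisation files. One row per distinct
-- (writing process path, file path) pair; both output columns surface as `path`.
--
-- Both joins are LEFT JOINs on purpose: a file event whose process (or whose
-- process's parent) is missing from process_events must still be reported, so
-- the parent-based exclusion below has to tolerate a NULL parent path.
SELECT
    process_events.path,
    file_events.path
FROM file_events
LEFT JOIN process_events
    ON process_events.process_uuid = file_events.process_uuid
LEFT JOIN process_events AS parent_events
    ON parent_events.process_uuid = process_events.parent_process_uuid
WHERE (
    -- Per-user init files under /root or /home/<user>. The pattern is anchored
    -- and the dot is a literal: the unanchored '/home/.+/.bashrc' form also
    -- matched paths such as '/home/x/ybashrc' or '/home/x/tmp/.bashrc.bak'.
    -- `[.]` rather than `\.` so the literal survives engines that process
    -- backslash escapes inside string literals.
    regexp_like(
        file_events.path,
        '^(/root|/home/[^/]+)/[.](bash_profile|profile|bashrc|bash_aliases|xsession|cshrc|kshrc|zshrc|zprofile)$'
    )
    -- System-wide init files. Note that /etc/profile.d/* is not covered here.
    OR file_events.path IN (
        '/etc/rc.local',
        '/etc/profile',
        '/etc/bash.bashrc',
        '/etc/bash_completion'
    )
) AND (
    -- Suppress writes performed on behalf of package managers and dockerd.
    -- `NULL NOT IN (...)` evaluates to UNKNOWN, which WHERE treats as false,
    -- so without the IS NULL branch every event lacking a resolved parent
    -- (no process row, or no parent row) was silently dropped.
    parent_events.path IS NULL
    OR parent_events.path NOT IN (
        '/usr/bin/dpkg',
        '/usr/bin/yum',
        '/usr/bin/apt',
        '/usr/bin/apt-get',
        '/usr/bin/dockerd'
    )
)
-- GROUP BY without aggregates: deduplicates identical (file, process) pairs.
GROUP BY file_events.path, process_events.path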