Rule: Detection of Suspicious Shell Scripts in Profile Directory
Ectprofilesuspiciousscripts
Query
DeviceFileEvents
| where FileName endswith ".sh" or FileName endswith ".zsh" or FileName endswith ".About this query
Explanation
This query is designed to detect suspicious shell scripts in the /etc/profile.d/ directory on Linux systems. Here's a simplified summary:
Purpose
- Goal: Identify potentially malicious shell scripts in the
/etc/profile.d/directory. - Reason: This directory is used for scripts that configure the environment for all users. Unauthorized scripts here could indicate an attacker trying to run malicious code during user logins or system startup.
How It Works
- Monitors File Events: Specifically looks at file creation or modification events.
- File Types: Focuses on files ending with
.sh,.zsh, or.csh. - Exclusions: Ignores scripts initiated by the
platform-python3.6process, which is usually safe. - Directory: Only considers files in the
/etc/profile.d/directory.
Tags
- Categories: File Events, Persistence, Shell Script, Profile Directory, Linux Security, Suspicious Activity
Search Query
The query filters file events to find:
- Files with names ending in
.sh,.zsh, or.csh. - Files not initiated by
platform-python3.6. - Files located in
/etc/profile.d/.
This helps in identifying unauthorized or unusual shell scripts that could be a sign of malicious activity.
Details

Ali Hussein
Released: July 8, 2024
Tables
DeviceFileEvents
Keywords
DeviceFileEventsFileNameFolderPathInitiatingProcessFileNameLinuxSecuritySuspiciousActivity
Operators
endswithorwherenotcontains