Esc

Unix Shell Configuration Modification - T1546.004

(ATT&CK® Technique)

Definition

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1546004["Unix Shell Configuration Modification"] --> |modifies| UserInitConfigurationFile["User Init Configuration File"]; class T1546004 OffensiveTechniqueNode;
        class UserInitConfigurationFile ArtifactNode; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile";
        click T1546004 href "/offensive-technique/attack/T1546.004/"; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile";             FileEncryption["File Encryption"] -->
          | encrypts | UserInitConfigurationFile["User Init Configuration File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1546004["Unix Shell Configuration Modification"] ;
          class FileEncryption DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | UserInitConfigurationFile["User Init Configuration File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-harden | T1546004["Unix Shell Configuration Modification"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] -->
          | restores | UserInitConfigurationFile["User Init Configuration File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1546004["Unix Shell Configuration Modification"] ;
          class RestoreFile DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile";                                        DecoyFile["Decoy File"] -->
          | spoofs | UserInitConfigurationFile["User Init Configuration File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1546004["Unix Shell Configuration Modification"] ;
          class DecoyFile DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | UserInitConfigurationFile["User Init Configuration File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1546004["Unix Shell Configuration Modification"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";                           UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -->
          | analyzes | UserInitConfigurationFile["User Init Configuration File"];

          UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -.->
            | may-detect | T1546004["Unix Shell Configuration Modification"] ;
          class UserSessionInitConfigAnalysis DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click UserSessionInitConfigAnalysis href "/technique/d3f:UserSessionInitConfigAnalysis"; FileAnalysis["File Analysis"] -->
          | analyzes | UserInitConfigurationFile["User Init Configuration File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1546004["Unix Shell Configuration Modification"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";                           FileEviction["File Eviction"] -->
          | deletes | UserInitConfigurationFile["User Init Configuration File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1546004["Unix Shell Configuration Modification"] ;
          class FileEviction DefensiveTechniqueNode;
          class UserInitConfigurationFile ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";

json