Modifications of .bash_profile and .bashrc¶
Detect modification of .bash_profile and .bashrc files for persistent commands
| id: | 3567621a-1564-11e9-8e67-d46d6d62a49e |
|---|---|
| categories: | hunt |
| confidence: | low |
| os: | linux, macos |
| created: | 01/10/2019 |
| updated: | 01/10/2019 |
MITRE ATT&CK™ Mapping¶
| tactics: | Persistence |
|---|---|
| techniques: | T1156 .bash_profile and .bashrc |
Query¶
file where subtype.modify and
(file_name == ".bash_profile" or file_name == ".bashrc")