This artifact detects potential persistence mechanisms on Linux systems by analyzing environment variable files and login scripts.
MITRE ATT&CK: T1546.004
name: Linux.Forensics.EnvironmentVariables
author: Idan Beit-Yosef @ ibyf0r3ns1cs
# Rendered as markdown in the artifact listing; the ATT&CK link is the
# technique this artifact hunts for (event-triggered execution via shell
# start-up files).
description: |
  This artifact detects potential persistence mechanisms on Linux systems by analyzing environment variable files and login scripts.
  **MITRE ATT&CK**: [T1546.004](https://attack.mitre.org/techniques/T1546/004/)
# Public write-ups of Linux malware that persisted through shell start-up
# files; useful for building expectations about what a hit looks like.
reference:
  - https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
  - https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
  - https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
  - https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
  - https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
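parameters:
  # CSV with a single "Glob" column: the shell start-up files that are
  # sourced at login or when an interactive shell starts, so any line
  # appended to them runs on every login of that user (T1546.004).
  # The original list only covered /home/*; root's home is /root and is
  # not matched by /home/*, so the root files are listed explicitly, as
  # are the system-wide bash/zsh files and /etc/profile.d/*.sh so that the
  # three content-scanning sources below cover the login scripts too.
  - name: LinuxEnvGlobs
    type: csv
    default: |
      Glob
      /home/*/.bashrc
      /home/*/.bash_profile
      /home/*/.bash_login
      /home/*/.profile
      /home/*/.bash_logout
      /home/*/.zshrc
      /home/*/.zprofile
      /home/*/.zlogin
      /home/*/.zshenv
      /root/.bashrc
      /root/.bash_profile
      /root/.bash_login
      /root/.profile
      /root/.bash_logout
      /root/.zshrc
      /root/.zprofile
      /root/.zlogin
      /root/.zshenv
      /etc/profile
      /etc/profile.d/*.sh
      /etc/bash.bashrc
      /etc/environment
      /etc/zshenv
      /etc/zprofile
      /etc/zshrc
      /etc/zlogin
      /etc/zsh/zshenv
      /etc/zsh/zprofile
      /etc/zsh/zshrc
      /etc/zsh/zlogin
  # Drop-in login scripts that are uploaded whole by LoginScriptsDetection
  # rather than scanned line by line.
  - name: LoginScriptGlobs
    type: csv
    default: |
      Glob
      /etc/profile.d/*.sh
  # Regexes are single-quoted so backslashes stay literal and no plain-scalar
  # indicator (^, |, [) is misread by the YAML loader.
  # Lines that set environment variables or aliases at the start of the line.
  # Expect a high volume of benign hits: nearly every .bashrc has these, so
  # triage by diffing against a known-good baseline rather than by count.
  - name: LinuxEnvModifiers
    type: regex
    default: '^(export|alias)'
  # Network tooling and URLs inside a start-up file, a common shape for
  # download-and-execute persistence. Plain "ssh" also matches ssh-agent
  # setup lines, which are routine in user profiles.
  - name: LinuxEnvNetworkUtils
    type: regex
    default: 'wget|curl|scp|ssh|nc\s|/usr/bin/nc\s|/bin/nc\s|https?://[^\s]*'
  # Interpreters and base64, which rarely belong in a login file. Unanchored,
  # so "php" also matches e.g. paths containing that substring.
  - name: LinuxEnvScripting
    type: regex
    default: 'python|perl|ruby|php|base64'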
# Only collect on Linux endpoints; every glob above is a Linux path.
precondition: SELECT OS From info() where OS = 'linux'
sources:
  # Each source binds its own EnvFiles: a LET in one source's query is not
  # visible to the others, so the glob is repeated rather than shared.
  # Every line of every matched file that matches LinuxEnvModifiers, tagged
  # with the file it came from.
  - name: ModifierDetection
    query: |
      LET EnvFiles = SELECT OSPath FROM glob(globs=LinuxEnvGlobs.Glob)
      SELECT * FROM foreach(row=EnvFiles,
        query={
          SELECT Line, OSPath FROM parse_lines(filename=OSPath)
          WHERE
            Line =~ LinuxEnvModifiers
        })
  # Same file set, lines referencing network tools or URLs.
  - name: NetworkUtilsDetection
    query: |
      LET EnvFiles = SELECT OSPath FROM glob(globs=LinuxEnvGlobs.Glob)
      SELECT * FROM foreach(row=EnvFiles,
        query={
          SELECT Line, OSPath FROM parse_lines(filename=OSPath)
          WHERE
            Line =~ LinuxEnvNetworkUtils
        })
  # Same file set, lines referencing interpreters or base64.
  - name: ScriptingDetection
    query: |
      LET EnvFiles = SELECT OSPath FROM glob(globs=LinuxEnvGlobs.Glob)
      SELECT * FROM foreach(row=EnvFiles,
        query={
          SELECT Line, OSPath FROM parse_lines(filename=OSPath)
          WHERE
            Line =~ LinuxEnvScripting
        })
  # Uploads every login script matched by LoginScriptGlobs in full, so the
  # analyst can review the files rather than single lines. Most of these are
  # vendor-shipped; compare against the package manager's copy to spot edits.
  - name: LoginScriptsDetection
    query: |
      SELECT OSPath,upload(file=OSPath) AS Upload FROM glob(globs=LoginScriptGlobs.Glob)
    # Shows the uploaded file inline in the GUI instead of as a raw path.
    column_types:
      - name: Upload
        type: preview_upload