Wayne
kprobes.bsky.social
Threat Intelligence - Detection Engineering
same applies for .zshprofile, .zlogin, .zshrc ... attack.mitre.org/techniques/T...
Event Triggered Execution: Unix Shell Configuration Modification, Sub-technique T1546.004 - Enterprise | MITRE ATT&CK®
attack.mitre.org
November 12, 2024 at 2:29 PM
However, its creation by an application or script in a suspicious location, such as a tmp folder or the "\Users\Shared\" dir, as seems to be the case with this BlueNoroff behaviour, might be worthwhile flagging.
November 12, 2024 at 2:21 PM
.zshenv does not exist on macOS out of the box, but it's commonly used, especially by dev tools, so detection via file creation alone will not be feasible in most environments. No evidence in process creation telemetry to indicate execution originated from zshenv either...
November 12, 2024 at 2:21 PM
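The detection idea the thread sketches (do not alert on every zsh startup-file write, only on writes by a process in a tmp or /Users/Shared location, or writes whose contents point there) as an added Python example that is not part of the original thread; the event fields (path, writer_exe, contents) and the sample telemetry are constructed assumptions, not any real EDR schema.

```python
"""Detection sketch for ATT&CK T1546.004 on macOS: zsh startup-file writes.

Constructed sample events; the field names (path, writer_exe, contents)
are assumptions for this example, not a particular EDR's schema.
"""
import os
import re

# zsh startup files named in the thread; .zshenv is read on every zsh
# invocation, so a line planted there runs whenever a shell starts.
ZSH_STARTUP_FILES = {".zshenv", ".zprofile", ".zlogin", ".zshrc"}

# Writer executables or sourced paths under these prefixes are unusual for
# legitimate dev tooling, which normally lives under /usr, /opt or $HOME.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/Users/Shared/")

_PATH_RE = re.compile(r"(?:/private)?/(?:tmp|Users/Shared)/\S+")


def classify(event: dict) -> list[str]:
    """Return the reasons an event should be flagged; empty means benign.

    File creation alone is never a reason: dev tools create these files
    routinely, as the thread notes.
    """
    reasons: list[str] = []
    if os.path.basename(event["path"]) not in ZSH_STARTUP_FILES:
        return reasons
    if event["writer_exe"].startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"written by executable in suspicious dir: {event['writer_exe']}")
    for ref in _PATH_RE.findall(event["contents"]):
        reasons.append(f"file references suspicious path: {ref}")
    return reasons


# Constructed sample telemetry: one benign dev-tool write, one suspicious one.
SAMPLE_EVENTS = [
    {"path": "/Users/alice/.zshenv", "writer_exe": "/usr/local/bin/brew",
     "contents": 'export PATH="/opt/homebrew/bin:$PATH"\n'},
    {"path": "/Users/alice/.zshenv", "writer_exe": "/private/tmp/installer",
     "contents": "source /Users/Shared/.helper.sh\n"},
]


def flagged_events(events=SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Pair each flagged writer executable with its reasons."""
    return [(e["writer_exe"], r) for e in events if (r := classify(e))]


if __name__ == "__main__":
    for writer, reasons in flagged_events():
        print(writer, "->", "; ".join(reasons))
```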