Overview
To test a Blumira detection after installing Blumira Agent on a Mac or Linux device, complete the steps below and then look for a related finding in the app.
Bash/Zsh history manipulation in Mac or Linux
To test the "Bash/Zsh History Manipulation" detection, do the following:
- Copy this script to /tmp/ on the device.
- Run the script in a command prompt.
- In Blumira, navigate to Findings to search for a new finding named "Bash/Zsh History Manipulation."
This script will do the following, which are all attacker tactics used to tamper with shell history:
- Create a symbolic link to /dev/null named .zsh_history.
- Write "bash content" to a file named .zsh_history.
- Remove the .zsh_history file.
- Write "+o history" to a file named .bashrc.
- Replace all occurrences of +o history with +o history_disabled in .bashrc, demonstrating log tampering.
- Truncate the zsh_history file to zero length.
Linux: UnSafe File Permissions - Chmod 777
Setting these permissions on a file can result in unsafe content modification or leaking of sensitive data and is not a recommended practice.
To test the "Linux: UnSafe File Permissions - Chmod 777" detection, do the following:
- Open Terminal and then run chmod 777 followed by the path of a file or folder.
- Press Enter.
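As an added example (not Blumira's code, and not the test script referenced above), the following POSIX shell audit checks a home directory for the artifacts the history-tampering steps leave behind (a history file symlinked to /dev/null, a zero-length history file, "+o history" in a shell rc file) and for world-writable files like the one the chmod 777 test creates. The directory argument, the finding labels and the constructed fixture are this example's own assumptions.

```shell
# Added example (not Blumira's code): audit a home dir for the history-tampering
# indicators this page's script leaves behind, plus chmod 777 files.
audit_shell_history() {      # prints one line per history indicator under $1
    home="$1"
    for hist in "$home/.bash_history" "$home/.zsh_history"; do
        if [ -L "$hist" ]; then
            # A history file symlinked to /dev/null discards every command.
            if [ "$(readlink "$hist")" = "/dev/null" ]; then
                echo "SYMLINK_DEVNULL $hist"
            else
                echo "SYMLINK $hist -> $(readlink "$hist")"
            fi
        elif [ -f "$hist" ] && [ ! -s "$hist" ]; then
            # An existing but zero-length history file points to truncation.
            echo "TRUNCATED $hist"
        fi
    done
    for rc in "$home/.bashrc" "$home/.zshrc" "$home/.profile"; do
        [ -f "$rc" ] || continue
        # "+o history" (with or without a leading "set") turns recording off.
        if grep -Eq '^[[:space:]]*(set[[:space:]]+)?\+o[[:space:]]+history([[:space:]]|$)' "$rc"; then
            echo "HISTORY_DISABLED $rc"
        fi
    done
}

audit_world_writable() {     # prints one line per world-writable file directly under $1
    find "$1" -maxdepth 1 -type f -perm -0002 | while IFS= read -r f; do
        echo "WORLD_WRITABLE $f"
    done
}

# Constructed fixture mirroring the page's steps: /dev/null symlink, empty
# history file, "+o history" in .bashrc, and one file set to chmod 777.
make_fixture() {
    mkdir -p "$1"
    ln -sf /dev/null "$1/.zsh_history"
    : > "$1/.bash_history"
    printf '+o history\n' > "$1/.bashrc"
    printf 'notes\n' > "$1/notes.txt" && chmod 777 "$1/notes.txt"
}

demo_dir="$(mktemp -d)"
make_fixture "$demo_dir"
audit_shell_history "$demo_dir"
audit_world_writable "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a real account with audit_shell_history "$HOME" to compare the output with the finding Blumira raises; an empty result means none of the indicators are present.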
Linux: Logging Service Shut Down
While this may reflect a normal stop of the logging service, it may also indicate that an attacker is attempting to halt evidence collection, similar to the Windows log alerting.
To test the "Linux: Logging Service Shut Down" detection, do the following:
- On the Linux machine, open Terminal and then run sudo systemctl stop rsyslog and sudo systemctl stop systemd-journald.
- Press Enter.
macOS: Mac User Added to Local Administrator Group via command line
Such a method of user elevation is uncommon and potentially risky. Achieving administrative status allows the user complete control over an endpoint, including overriding existing policies or permissions. Given the vast capabilities that come with this status, administrator accounts should be limited to a select group of approved individuals. They demand heightened monitoring and protection compared to standard user accounts. It is imperative to remember that these privileged accounts are often primary targets for adversaries and malicious activities.
To test the "macOS: Mac User Added to Local Administrator Group via command line" detection, do the following:
- On a Mac device, open Terminal.
- Run the following command and ensure that you replace "Username" with the username of the user you want to add to the admin group.
sudo dseditgroup -o edit -a Username -t user admin
- Authenticate by entering your administrator password.
- Press Enter.