Detect Unix Shell Configuration Modification in Elastic Security
Adversaries may establish persistence through executing malicious commands triggered by a user's shell. User Unix shells execute several configuration scripts whenever a shell session is opened. Malicious content can be inserted into these shell configuration files — such as ~/.bashrc, ~/.bash_profile, ~/.bash_login, ~/.profile, /etc/profile, /etc/bashrc, ~/.zshrc, and ~/.zprofile — to execute adversary payloads when a user opens a terminal or logs in. The payload will execute in the user's context each time the shell is started.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.004 Unix Shell Configuration Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1546/004/
Elastic Detection Query
file where event.type in ("creation", "change") and
(
file.name in (".bashrc", ".bash_profile", ".bash_login", ".profile", ".zshrc", ".zprofile", ".zshenv", ".zlogin", ".tcshrc", ".cshrc", "bashrc", "bash.bashrc") or
file.path : ("/etc/profile", "/etc/bashrc", "/etc/bash.bashrc") or
file.path : ("/etc/profile.d/*", "/etc/bash_completion.d/*") or
file.path : ("/root/.bashrc", "/root/.bash_profile", "/root/.bash_login", "/root/.profile", "/root/.zshrc", "/root/.zprofile", "/root/.zshenv") or
file.path : ("/home/*/.bashrc", "/home/*/.bash_profile", "/home/*/.bash_login", "/home/*/.profile", "/home/*/.zshrc", "/home/*/.zprofile", "/home/*/.zshenv", "/home/*/.config/fish/config.fish")
)Detects creation or modification of Unix shell configuration files used for persistence via T1546.004. Monitors .bashrc, .bash_profile, .profile, .zshrc, and related startup files in user home directories and system-wide /etc/ paths using ECS file events.
Data Sources
Required Tables
False Positives & Tuning
- Package managers (apt, yum, dnf, homebrew) writing environment setup scripts to /etc/profile.d/ when installing developer tools such as Java, Python, or Ruby version managers
- Configuration management tooling such as Ansible, Chef, or Puppet applying expected dotfile changes across managed Linux hosts as part of provisioning or hardening playbooks
- Shell framework installers (oh-my-zsh, Prezto, Starship prompt) or dotfile managers (chezmoi, GNU stow, yadm) that write or symlink initialization code into .bashrc or .zshrc during setup or update
Other platforms for T1546.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Reverse Shell to .bashrc
Expected signal: File modification event for ~/.bashrc. Process creation for bash with echo command. Auditd SYSCALL records with type=PATH for the .bashrc file write. The reverse shell command in the file content is the key indicator.
- Test 2Add Download Cradle to /etc/profile.d/
Expected signal: File creation event for /etc/profile.d/argus-test.sh. Process creation for tee writing to /etc/profile.d/. Auditd records for the file creation in a privileged directory. The curl | bash pattern in the script content.
- Test 3Modify .bash_profile to Add Malicious PATH
Expected signal: File modification event for ~/.bash_profile. File creation events for ~/.local/bin/ls. The PATH modification in bash_profile is the persistence mechanism — every new shell session adds the attacker directory to PATH first.
Unlock Pro Content
Get the full detection package for T1546.004 including response playbook, investigation guide, and atomic red team tests.