Detect Unix Shell Configuration Modification in CrowdStrike LogScale
Adversaries may establish persistence through executing malicious commands triggered by a user's shell. User Unix shells execute several configuration scripts whenever a shell session is opened. Malicious content can be inserted into these shell configuration files — such as ~/.bashrc, ~/.bash_profile, ~/.bash_login, ~/.profile, /etc/profile, /etc/bashrc, ~/.zshrc, and ~/.zprofile — to execute adversary payloads when a user opens a terminal or logs in. The payload will execute in the user's context each time the shell is started.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.004 Unix Shell Configuration Modification
- Canonical reference
- https://attack.mitre.org/techniques/T1546/004/
LogScale Detection Query
(#event_simpleName = "ProcessRollup2" OR #event_simpleName = "SyntheticProcessRollup2")
| CommandLine = /(>|>>|\btee\b|\bsed\b|\bawk\b|\becho\b|\bprintf\b|\bcat\b|\bcp\b|\bmv\b)/
| CommandLine = /(\.bashrc|\.bash_profile|\.bash_login|\.profile(?![_\w])|\.zshrc|\.zprofile|\.zshenv|\.zlogin|\.tcshrc|\.cshrc|\/etc\/profile|\/etc\/bashrc|profile\.d\/|bash_completion\.d\/|\.config\/fish\/config\.fish)/
| IsSystemConfig := if(CommandLine = /\/etc\//, "true", "false")
| IsRootConfig := if(CommandLine = /\/root\//, "true", "false")
| groupBy(
[ComputerName, UserName, FileName, CommandLine, IsSystemConfig, IsRootConfig],
function=[
count(as=EventCount),
min(@timestamp, as=FirstSeen),
max(@timestamp, as=LastSeen)
]
)
| sort(EventCount, order=desc)Detects process executions that write to Unix shell configuration files using CrowdStrike Falcon process telemetry. Matches command lines combining file write operators or tools (>, >>, tee, sed, awk, echo, printf) with shell dotfile or /etc/ config path patterns across bash, zsh, tcsh, csh, and fish. Groups results to surface repeated modification activity.
Data Sources
Required Tables
False Positives & Tuning
- Package post-install scripts using echo or printf with >> redirection to append PATH entries to /etc/profile.d/ scripts when installing developer SDKs, version managers (nvm, pyenv, rbenv), or CLI tools
- Automated fleet provisioning tools (Ansible shell tasks, SaltStack cmd.run, Puppet exec resources) running commands that append exports or aliases to shell config files across managed Linux nodes
- User-executed install scripts for shell frameworks (oh-my-zsh, Prezto) or terminal productivity tools (fzf, zoxide, atuin) that use echo or tee to append initialization lines to .bashrc or .zshrc
Other platforms for T1546.004
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Add Reverse Shell to .bashrc
Expected signal: File modification event for ~/.bashrc. Process creation for bash with echo command. Auditd SYSCALL records with type=PATH for the .bashrc file write. The reverse shell command in the file content is the key indicator.
- Test 2Add Download Cradle to /etc/profile.d/
Expected signal: File creation event for /etc/profile.d/argus-test.sh. Process creation for tee writing to /etc/profile.d/. Auditd records for the file creation in a privileged directory. The curl | bash pattern in the script content.
- Test 3Modify .bash_profile to Add Malicious PATH
Expected signal: File modification event for ~/.bash_profile. File creation events for ~/.local/bin/ls. The PATH modification in bash_profile is the persistence mechanism — every new shell session adds the attacker directory to PATH first.
Unlock Pro Content
Get the full detection package for T1546.004 including response playbook, investigation guide, and atomic red team tests.