title: Unix Shell Configuration Modification (T1546.004)
id: df00tech-t1546-004
status: experimental
description: "Adversaries may establish persistence by planting commands that a user's shell executes on start-up. Unix shells source several configuration scripts whenever an interactive session is opened or a user logs in. Malicious content inserted into these files (~/.bashrc, ~/.bash_profile, ~/.bash_login, ~/.profile, /etc/profile, /etc/bashrc, ~/.zshrc, ~/.zprofile, and drop-ins under /etc/profile.d/) runs in that user's security context every time the shell starts, so a single write to one of these files yields repeated execution without any further action by the adversary."
references:
  - https://attack.mitre.org/techniques/T1546/004/
  - https://df00tech.com/detections/T1546.004
author: df00tech
date: 2026/04/20
tags:
  - attack.persistence
  - attack.privilege-escalation
  - attack.t1546.004
# logsource targets file-modification telemetry on Unix hosts (Sysmon for Linux, auditd, or an EDR
# that emits Sigma's linux file_event fields); adjust product/category to the source in your environment.
logsource:
  product: linux
  category: file_event
detection:
  # Per-user start-up files: match on the trailing path component so any home directory is covered.
  selection_user:
    TargetFilename|endswith:
      - '/.bashrc'
      - '/.bash_profile'
      - '/.bash_login'
      - '/.profile'
      - '/.zshrc'
      - '/.zprofile'
  # System-wide start-up files: exact paths, plus anything dropped into /etc/profile.d/.
  selection_system:
    TargetFilename:
      - '/etc/profile'
      - '/etc/bashrc'
  selection_system_dropin:
    TargetFilename|startswith: '/etc/profile.d/'
  condition: 1 of selection_*
falsepositives:
  - "Package managers (apt, yum, dnf, brew) that modify /etc/profile.d/ or /etc/bashrc when installing packages that add environment variables or aliases"
  - "Configuration management tools (Ansible, Chef, Puppet, Salt) that manage shell configuration files as part of system baseline enforcement"
  - "Users legitimately modifying their own .bashrc or .zshrc to add aliases, set PATH, or configure their prompt"
  - "Developer toolchains (rbenv, pyenv, nvm, sdkman) that append initialization code to shell config files during installation"
level: medium
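The matching logic of the rule above, applied to a handful of constructed file-modification events. This is an added example, not part of the Sigma rule or the df00tech detection; the event shape (dicts carrying `TargetFilename`, `Image` and `User`, mirroring Sigma's linux file_event field names), the sample events and the `TRUSTED_WRITERS` allowlist are all assumptions. It goes one step beyond the rule by filtering out the package managers and configuration tools named in the false-positives list, which is the tuning most deployments end up adding.

```python
"""Added example: apply the T1546.004 path logic to constructed file-write events.

Not the project's code. Event dicts use Sigma linux file_event field names as an
assumption; the trusted-writer allowlist is a hypothetical starting point to tune.
"""
import posixpath
from typing import Iterable

# Per-user shell start-up files: matched on the basename so any home directory works.
USER_CONFIG_NAMES = frozenset({
    ".bashrc", ".bash_profile", ".bash_login", ".profile", ".zshrc", ".zprofile",
})
# System-wide start-up files: matched on the exact path.
SYSTEM_CONFIG_PATHS = frozenset({"/etc/profile", "/etc/bashrc"})
# Drop-in directory sourced by /etc/profile on most distributions.
SYSTEM_CONFIG_DIRS = ("/etc/profile.d/",)

# ASSUMPTION: binaries that routinely write these files (see the falsepositives list).
# Tune per fleet; an empty set reports every write.
TRUSTED_WRITERS = frozenset({
    "/usr/bin/dpkg", "/usr/bin/apt", "/usr/bin/yum", "/usr/bin/dnf",
    "/usr/bin/ansible", "/opt/homebrew/bin/brew",
})


def is_shell_config(path: str) -> bool:
    """True if `path` is one of the shell start-up files the rule covers."""
    norm = posixpath.normpath(path)
    if norm in SYSTEM_CONFIG_PATHS:
        return True
    # A write to the directory entry itself (e.g. "/etc/profile.d") does not match,
    # only files beneath it.
    if any(norm.startswith(d) for d in SYSTEM_CONFIG_DIRS):
        return True
    # ".bashrc.bak" or ".bashrc.swp" are not start-up files; exact basename only.
    return posixpath.basename(norm) in USER_CONFIG_NAMES


def match_events(events: Iterable[dict]) -> list[dict]:
    """Return events that write a shell config file from a non-allowlisted process."""
    hits = []
    for ev in events:
        if not is_shell_config(ev.get("TargetFilename", "")):
            continue
        if ev.get("Image") in TRUSTED_WRITERS:
            continue
        hits.append(ev)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetFilename": "/home/alice/.bashrc", "Image": "/usr/bin/bash", "User": "alice"},
    {"TargetFilename": "/etc/profile.d/zz-java.sh", "Image": "/usr/bin/dpkg", "User": "root"},
    {"TargetFilename": "/etc/profile.d/update.sh", "Image": "/tmp/.x/dropper", "User": "root"},
    {"TargetFilename": "/home/bob/.bashrc.bak", "Image": "/usr/bin/cp", "User": "bob"},
    {"TargetFilename": "/root/.zprofile", "Image": "/usr/bin/python3", "User": "root"},
    {"TargetFilename": "/var/log/syslog", "Image": "/usr/sbin/rsyslogd", "User": "syslog"},
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS):
        print(f"{hit['User']}: {hit['Image']} wrote {hit['TargetFilename']}")
```

Allowlisting writers by executable path, as done here, is only as strong as the integrity of those paths: a root-level intruder can overwrite `/usr/bin/dpkg` or run a renamed copy. In production, key the allowlist on the process's hash or package ownership, and treat writes from shells, interpreters and anything under `/tmp` as the high-priority subset.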
