
DET0020 Detect Shell Configuration Modification for Persistence via Event-Triggered Execution

Item | Value
ID | DET0020
Version | 1.0
Created | 21 October 2025
Last Modified | 21 October 2025

Technique Detected: T1546.004 (Unix Shell Configuration Modification)

Analytics

Linux

AN0059

Detects modification of shell startup/logout scripts such as ~/.bashrc, ~/.bash_profile, or /etc/profile, followed by anomalous process execution or network connections upon interactive or remote shell login.

Log Sources
Data Component | Name | Channel
File Modification (DC0061) | auditd:SYSCALL | AUDIT_SYSCALL (open, write, rename, unlink)
Process Creation (DC0032) | auditd:EXECVE | execution of unexpected binaries during user shell startup
Network Traffic Content (DC0085) | NSM:Flow | unexpected network activity initiated shortly after shell session starts
Mutable Elements
Field | Description
TimeWindow | Defines how soon after shell startup process execution or network activity is considered suspicious.
TargetUser | Limits detection to specific user accounts or roles such as root or service accounts.
FilePathRegex | Defines which shell configuration paths are considered relevant (e.g., .bashrc, .bash_logout).

macOS

AN0060

Correlates zsh shell configuration file changes (e.g., ~/.zshrc, ~/.zlogin, /etc/zprofile) with execution of unauthorized binaries or unexpected network activity triggered on Terminal.app launch.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | macos:unifiedlog | launch of Terminal.app or shell with non-standard environment setup
File Modification (DC0061) | macos:endpointsecurity | ES_EVENT_TYPE_NOTIFY_WRITE targeting .zshrc, .zlogin, .zprofile
Mutable Elements
Field | Description
FileTargetList | Customizable list of shell config files considered sensitive for detection.
PayloadEntropyThreshold | Used to distinguish benign from potentially obfuscated commands written to config files.
UserContext | Scoping based on user login class, e.g., administrative vs. standard users.
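As an added worked example (not part of the ATT&CK detection strategy itself), the correlation that AN0059 and AN0060 describe, run in Python over constructed, already-normalized events: a write to a shell configuration file by a scoped user, a later shell start by that user, and an unexpected exec or any network connection within the time window. The time window, user scoping, path regex and baseline of expected startup binaries are assumed example values for the mutable elements, and the event shape is an assumption standing in for mapped auditd, Endpoint Security and NSM flow records.

```python
import re
from datetime import datetime, timedelta

# Mutable elements from AN0059/AN0060, set here to constructed example values.
TIME_WINDOW = timedelta(seconds=60)           # TimeWindow: how soon after shell start counts
TARGET_USERS = {"root", "deploy", "alice"}    # TargetUser / UserContext scoping
FILE_PATH_REGEX = re.compile(                 # FilePathRegex / FileTargetList
    r"/(\.(bashrc|bash_profile|bash_logout|zshrc|zlogin|zprofile)|profile|zprofile)$")
BASELINE_EXEC = {"/usr/bin/ls", "/usr/bin/dircolors", "/usr/bin/locale"}  # expected at startup

# Constructed, pre-normalized events (assumed shape). A real pipeline would map auditd
# SYSCALL/EXECVE records, ES_EVENT_TYPE_NOTIFY_WRITE events and NSM flows into this form.
EVENTS = [
    {"ts": "2025-10-21T10:00:00", "kind": "file_write",  "user": "deploy", "target": "/home/deploy/.bashrc"},
    {"ts": "2025-10-21T10:00:30", "kind": "shell_start", "user": "deploy", "target": "/bin/bash"},
    {"ts": "2025-10-21T10:00:31", "kind": "exec",        "user": "deploy", "target": "/tmp/.x/agent"},
    {"ts": "2025-10-21T10:00:32", "kind": "net_connect", "user": "deploy", "target": "203.0.113.10:4444"},
    {"ts": "2025-10-21T11:00:00", "kind": "file_write",  "user": "alice",  "target": "/home/alice/.zshrc"},
    {"ts": "2025-10-21T11:00:05", "kind": "shell_start", "user": "alice",  "target": "/bin/zsh"},
    {"ts": "2025-10-21T11:00:06", "kind": "exec",        "user": "alice",  "target": "/usr/bin/ls"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def correlate(events, time_window=TIME_WINDOW, target_users=TARGET_USERS,
              path_regex=FILE_PATH_REGEX, baseline_exec=BASELINE_EXEC):
    """Flag a shell-config write by a scoped user when a later shell start by that
    user is followed, within time_window, by an exec outside the baseline or by any
    network connection. Returns one alert per matching (write, shell start) pair."""
    alerts = []
    for w in events:
        if (w["kind"] != "file_write" or w["user"] not in target_users
                or not path_regex.search(w["target"])):
            continue
        for s in events:
            if s["kind"] != "shell_start" or s["user"] != w["user"] or _ts(s) < _ts(w):
                continue
            deadline = _ts(s) + time_window
            followed = [e["target"] for e in events
                        if e["user"] == s["user"] and _ts(s) <= _ts(e) <= deadline
                        and ((e["kind"] == "exec" and e["target"] not in baseline_exec)
                             or e["kind"] == "net_connect")]
            if followed:
                alerts.append({"user": w["user"], "config": w["target"],
                               "shell_start": s["ts"], "followed_by": followed})
    return alerts
```

Writes to system-wide files such as /etc/profile by root affect other users' logins, so a production rule would correlate those on host rather than on user; the per-user join above is a simplification.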