AN0059: Analytic 0059
Detects modification of shell startup/logout scripts such as ~/.bashrc, ~/.bash_profile, or /etc/profile, followed by anomalous process execution or network connections upon interactive or remote shell login.
Analyst context for executives and security teams
This analytic matters because Linux shell startup and logout files can turn a normal user login into an automatic execution point. For security leaders, the practical question is whether the organization can prove when files such as ~/.bashrc, ~/.bash_profile, or /etc/profile change, and whether SOC teams can connect those changes to unusual processes or network activity during interactive or remote shell logins.
Executive priority
Prioritize this where Linux systems support critical services, administration workflows, remote access, or regulated environments. The business value is resilience and evidence: teams need file-change visibility, login context, and process/network telemetry to determine whether a suspicious login sequence is benign administration or a persistence-like risk requiring incident response. Because ATT&CK provides no tactic mapping or relationship context for this object, use it as a coverage validation item rather than as proof of a specific adversary objective.
Technical view
Validate Linux monitoring for modifications to shell startup/logout scripts including user-level files such as ~/.bashrc and ~/.bash_profile and system-level files such as /etc/profile. Detection engineering should correlate those file modifications with subsequent interactive or remote shell logins, then inspect anomalous child process execution or outbound network connections occurring at login time. Since the official detection field is not provided, local teams must define baselines for expected administrative edits, normal login-time commands, and acceptable network behavior.
Likely telemetry
- Linux file modification events for shell startup/logout scripts
- User and remote login/session records
- Process creation telemetry tied to shell sessions
- Parent-child process context for login shells
- Network connection telemetry from processes launched during or immediately after login
Detection direction
- Confirm collection exists for both user-level and system-level startup script paths named in the ATT&CK description.
- Correlate script modification time, modifying user/process, subsequent login event, and post-login process or network activity.
- Tune for legitimate administrator changes, software setup scripts, and user customization to reduce false positives.
- Pay attention to blind spots on unmanaged Linux hosts, ephemeral systems, local-only file edits, and systems without process or network telemetry.
- Because no official detection logic is supplied, test coverage with approved internal validation methods and document the assumptions used for anomaly thresholds.
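The correlation described in the Technical view and the bullets above, as an added worked example (not part of the ATT&CK object or the Glexia page): it parses a constructed, simplified event stream and links a startup-script edit to a later login by an affected user, to non-baseline children of that login shell inside a short post-login window, and to any network connections those children made. The `ts|type|user|k=v` layout, the field names, the baseline of expected login-time programs, and the lookback and window sizes are all assumptions, not a vendor schema; the path list covers the three files the page names plus the other standard bash startup/logout files.

```python
"""Correlate startup-script edits with post-login activity (added example; not
part of the ATT&CK object or the Glexia page). Event layout, field names,
baseline and thresholds are assumptions for a constructed dataset."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Per-user files under /home/<user>: the page names .bashrc and .bash_profile;
# .profile and .bash_logout are the other standard bash startup/logout files.
USER_SCRIPT_RE = re.compile(
    r"^/home/(?P<user>[^/]+)/\.(bashrc|bash_profile|profile|bash_logout)$")
# System-wide: the page names /etc/profile; bash.bashrc and profile.d are standard.
SYSTEM_SCRIPTS = {"/etc/profile", "/etc/bash.bashrc"}
SYSTEM_SCRIPT_DIR = "/etc/profile.d/"
# Constructed baseline of programs a login shell normally spawns; the page asks
# each team to measure its own.
LOGIN_BASELINE = {"/usr/bin/ls", "/usr/bin/id", "/usr/bin/uname",
                  "/usr/bin/tty", "/usr/bin/dircolors"}
MOD_LOOKBACK = timedelta(days=7)           # how long a script edit stays relevant
POST_LOGIN_WINDOW = timedelta(seconds=10)  # startup scripts run right at login

def script_scope(path):
    """User a startup script applies to, 'ALL' for system-wide ones, else None."""
    m = USER_SCRIPT_RE.match(path)
    if m:
        return m.group("user")
    if path in SYSTEM_SCRIPTS or path.startswith(SYSTEM_SCRIPT_DIR):
        return "ALL"
    return None

def parse_events(lines):
    """Parse constructed 'ts|type|user|k=v|...' lines into dicts, oldest first."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, etype, user, *kvs = line.split("|")
        ev = {"ts": datetime.fromisoformat(ts), "type": etype, "user": user}
        ev.update(kv.split("=", 1) for kv in kvs)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

@dataclass
class Alert:
    user: str
    login_ts: datetime
    script: str            # modified startup script applying to this user
    modified_by: str       # account that wrote it, and when
    modified_at: datetime
    exe: str               # non-baseline child of the login shell, and its pid
    pid: str
    connections: list = field(default_factory=list)  # destinations that child reached

def correlate(events):
    """Script edit -> later login by an affected user -> non-baseline children of
    the login shell in the post-login window -> their network connections."""
    edits = [e for e in events if e["type"] == "file_modify" and script_scope(e["path"])]
    procs = [e for e in events if e["type"] == "process"]
    conns = [e for e in events if e["type"] == "netconn"]
    alerts = []
    for login in (e for e in events if e["type"] == "login"):
        relevant = [m for m in edits
                    if script_scope(m["path"]) in (login["user"], "ALL")
                    and login["ts"] - MOD_LOOKBACK <= m["ts"] <= login["ts"]]
        if not relevant:  # no prior edit: the analytic's precondition is unmet
            continue
        last = max(relevant, key=lambda m: m["ts"])
        for p in procs:
            if (p["ppid"] == login["shell_pid"]
                    and login["ts"] <= p["ts"] <= login["ts"] + POST_LOGIN_WINDOW
                    and p["exe"] not in LOGIN_BASELINE):
                a = Alert(login["user"], login["ts"], last["path"], last["user"],
                          last["ts"], p["exe"], p["pid"])
                a.connections = [c["dst"] for c in conns
                                 if c["pid"] == p["pid"] and c["ts"] >= p["ts"]]
                alerts.append(a)
    return alerts

# Constructed sample telemetry, not real logs. bob's curl is not flagged (no script
# applying to him changed); the February /etc/profile edit is outside the lookback.
SAMPLE_EVENTS = """
2026-02-10T12:00:00|file_modify|root|path=/etc/profile
2026-03-01T08:40:00|file_modify|alice|path=/home/alice/.bashrc
2026-03-01T09:15:00|login|alice|session=12|src=10.0.0.5|shell_pid=4000
2026-03-01T09:15:01|process|alice|pid=4001|ppid=4000|exe=/usr/bin/ls
2026-03-01T09:15:01|process|alice|pid=4002|ppid=4000|exe=/usr/bin/curl
2026-03-01T09:15:02|netconn|alice|pid=4002|dst=203.0.113.7:443
2026-03-01T09:15:03|process|alice|pid=4003|ppid=4000|exe=/usr/bin/uname
2026-03-01T10:00:00|login|bob|session=13|src=10.0.0.6|shell_pid=5000
2026-03-01T10:00:01|process|bob|pid=5001|ppid=5000|exe=/usr/bin/curl
"""

def run_sample():
    return correlate(parse_events(SAMPLE_EVENTS.splitlines()))

if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.user} login {a.login_ts}: {a.exe} pid {a.pid} -> {a.connections}; "
              f"{a.script} modified by {a.modified_by} at {a.modified_at}")
```

The precondition check is what keeps this analytic narrow: bob's non-baseline process at login is not alerted on because no startup script that applies to him changed inside the lookback, which is exactly the tuning the page calls for (the same event would be a candidate for a separate, broader login-anomaly rule). Every alert carries the modifying account and edit time alongside the login and process lineage, so a responder can decide from the record whether the edit was approved administration.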
Mitigation priorities
- Restrict and review write access to system-wide shell profile files on Linux systems.
- Apply change monitoring or integrity controls to high-value startup/logout script paths.
- Require administrative accountability for profile script changes through logging and change management where appropriate.
- Ensure incident responders have playbooks to collect modified shell scripts, login history, process lineage, and network evidence from affected Linux hosts.
- Use the analytic as a compliance-readiness check for whether Linux configuration changes and privileged administrative activity are auditable.
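One way to put the first two mitigation bullets into practice, as an added example that is not part of the ATT&CK object or the Glexia page: a small baseline-and-diff integrity check over startup/logout script paths that also flags scripts writable by group or others and system-wide scripts not owned by root. The watch list (the page's /etc/profile plus the other standard bash files and per-user files) and the JSON baseline location are assumptions to adapt to local policy; the demo runs against constructed files in a temporary directory so it can be executed without touching a real host.

```python
"""Baseline-and-diff integrity check for shell startup/logout scripts (added
example; not part of the ATT&CK object or the Glexia page). Paths to watch and
the baseline file location are assumptions to adapt to local policy."""
import hashlib
import json
import os
import stat
import tempfile

# Paths a real deployment would monitor: the page's /etc/profile plus the other
# standard system-wide bash files, and the per-user files under each home.
SYSTEM_PATHS = ["/etc/profile", "/etc/bash.bashrc"]
SYSTEM_DIRS = ["/etc/profile.d"]
USER_FILES = [".bashrc", ".bash_profile", ".profile", ".bash_logout"]

def default_paths(home_root="/home"):
    """Expand the watch list on a live host (not used by the self-contained demo)."""
    paths = list(SYSTEM_PATHS)
    for d in SYSTEM_DIRS:
        if os.path.isdir(d):
            paths += [os.path.join(d, f) for f in sorted(os.listdir(d))]
    if os.path.isdir(home_root):
        for home in sorted(os.listdir(home_root)):
            paths += [os.path.join(home_root, home, f) for f in USER_FILES]
    return paths

def snapshot(paths):
    """Record sha256, permission bits and owner for each path that exists."""
    snap = {}
    for p in paths:
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        with open(p, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        snap[p] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
                   "uid": st.st_uid, "gid": st.st_gid}
    return snap

def diff_snapshots(baseline, current):
    """(path, change) pairs: added, removed, content, mode, owner."""
    changes = []
    for p in sorted(set(baseline) | set(current)):
        if p not in current:
            changes.append((p, "removed"))
        elif p not in baseline:
            changes.append((p, "added"))
        else:
            b, c = baseline[p], current[p]
            if b["sha256"] != c["sha256"]:
                changes.append((p, "content"))
            if b["mode"] != c["mode"]:
                changes.append((p, "mode"))
            if (b["uid"], b["gid"]) != (c["uid"], c["gid"]):
                changes.append((p, "owner"))
    return changes

def permission_findings(snap, system_paths):
    """Flag scripts writable by group/others and system-wide scripts not owned by root."""
    findings = []
    for p, meta in snap.items():
        if meta["mode"] & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((p, "writable by group or others"))
        if p in system_paths and meta["uid"] != 0:
            findings.append((p, "system script not owned by root"))
    return findings

def demo_in_tempdir():
    """Baseline -> simulated drift -> diff, on constructed files in a temp dir so
    the example never touches the real /etc or home directories."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = os.path.join(tmp, "etc", "profile")
        bashrc = os.path.join(tmp, "home", "alice", ".bashrc")
        for path, text in ((profile, "export PATH=/usr/local/bin:$PATH\n"),
                           (bashrc, "alias ll='ls -l'\n")):
            os.makedirs(os.path.dirname(path))
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, 0o644)          # clean, known starting permissions
        baseline_file = os.path.join(tmp, "baseline.json")  # assumed location
        with open(baseline_file, "w") as fh:
            json.dump(snapshot([profile, bashrc]), fh)
        # Simulated drift: a line appended to the user script, a loosened mode on
        # the system-wide one.
        with open(bashrc, "a") as fh:
            fh.write("echo constructed-appended-line\n")
        os.chmod(profile, 0o666)
        with open(baseline_file) as fh:
            baseline = json.load(fh)
        current = snapshot([profile, bashrc])
        def rel(p):
            return os.path.relpath(p, tmp)
        return {"changes": [(rel(p), c) for p, c in diff_snapshots(baseline, current)],
                "findings": [(rel(p), f) for p, f in permission_findings(current, {profile})]}

if __name__ == "__main__":
    print(json.dumps(demo_in_tempdir(), indent=2))
```

On a live host the baseline would be written once from `default_paths()` under change management, and the diff run on a schedule or from a file-event trigger; the "content" and "mode" changes it reports are the file-modification events the detection side of this page correlates with logins, and the permission findings cover the write-access review the first mitigation bullet asks for.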
Analyst notes and limits
The object is a detection analytic for Linux and describes a correlation between shell startup/logout script modification and anomalous process or network activity at login. No tactics, aliases, labels, official detection logic, or relationships were supplied, so conclusions should remain behavior-focused and environment-specific.
This take is limited to the supplied ATT&CK STIX fields, external reference, and the absence of relationship context. It does not establish active exploitation, attribution, impact, or guaranteed detection coverage. Local baselines and telemetry quality are required to determine severity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c497a5181ab0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0059
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.