AN0312: Analytic 0312
Detection of changes or execution of shell initialization scripts like .bashrc, .profile, or /etc/profile for persistence.
Analyst context for executives and security teams
This analytic matters because Linux shell startup files such as .bashrc, .profile, and /etc/profile can be used to make commands run automatically when users or shells start. For leaders, the practical risk is persistence: an unauthorized change in these files can allow unwanted code to survive logouts, reboots, or account reuse, complicating incident containment and recovery.
Executive priority
Prioritize this as a Linux endpoint and server hardening and monitoring question: do critical Linux systems have reliable visibility into changes and execution involving shell initialization scripts, especially for privileged accounts and shared administrative systems? The business value is stronger incident response readiness, better evidence for audit/control assurance, and faster validation that persistence has been removed during recovery.
Technical view
For SOC, detection engineering, and IR teams, validate whether Linux telemetry can show file creation, modification, permission changes, ownership changes, and execution behavior involving .bashrc, .profile, /etc/profile, and similar shell initialization paths. Because ATT&CK provides no official detection logic for this analytic and no relationship context, local baselining is essential: distinguish normal user customization, package or configuration-management activity, and administrator maintenance from suspicious new commands, unexpected interpreters, network utilities, or changes under privileged accounts.
Likely telemetry
- Linux file integrity monitoring for shell initialization files
- Endpoint process execution telemetry showing shells and commands launched from login or interactive shell startup
- Audit logs for file writes, chmod/chown activity, and privileged modifications
- User, sudo, and authentication logs to correlate who changed or triggered startup files
- Configuration management or system administration logs to separate expected changes from unauthorized ones
Detection direction
- Inventory monitored shell initialization locations on Linux systems, including user-level files and system-wide profile files named in the ATT&CK description.
- Alert on unexpected creation or modification of .bashrc, .profile, or /etc/profile, with higher priority for root, service accounts, administrative users, and production servers.
- Correlate file changes with subsequent shell execution and the modifying user or process to reduce noise.
- Tune out known-good configuration management and approved administrative changes while preserving evidence of what changed and when.
- Review blind spots around home directories not covered by file monitoring, short log retention, ephemeral Linux hosts, and systems without process telemetry.
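The detection direction above, sketched as an added example; it is not detection logic from MITRE ATT&CK or Glexia. The normalized `key=value` event format, the approved-writer allowlist, the privileged-user set, and the one-hour correlation window are all assumptions to replace with local telemetry and baselines.

```python
from pathlib import PurePosixPath

USER_FILES = {".bashrc", ".profile"}      # per-user files named on this page
SYSTEM_FILES = {"/etc/profile"}           # system-wide file named on this page
CHANGE_ACTIONS = {"create", "write", "chmod", "chown"}
SHELLS = {"sh", "bash", "dash"}
# Assumptions to replace with local baselines:
APPROVED_WRITERS = {"/usr/bin/puppet"}    # hypothetical config-management binary
PRIVILEGED_USERS = {"root"}
WINDOW = 3600                             # seconds from change to shell start

# Constructed, normalized events; not the output format of any real tool.
SAMPLE_LOG = """\
ts=1000 host=web01 user=alice action=write path=/home/alice/.bashrc exe=/usr/bin/vim
ts=1100 host=web01 user=root action=write path=/etc/profile exe=/usr/bin/puppet
ts=1200 host=db01 user=root action=write path=/root/.bashrc exe=/usr/bin/curl
ts=1260 host=db01 user=root action=exec path=/bin/bash exe=/bin/bash
ts=1300 host=db01 user=svc action=chmod path=/home/svc/.profile exe=/bin/chmod
ts=1400 host=db01 user=bob action=write path=/home/bob/notes.txt exe=/usr/bin/vim
"""

def parse(line):
    event = dict(field.split("=", 1) for field in line.split())
    event["ts"] = int(event["ts"])
    return event

def is_init_file(path):
    return path in SYSTEM_FILES or PurePosixPath(path).name in USER_FILES

def shell_started_after(change, events):
    # Same host and user starts a shell within WINDOW seconds of the change.
    return any(
        e["action"] == "exec"
        and PurePosixPath(e["exe"]).name in SHELLS
        and (e["host"], e["user"]) == (change["host"], change["user"])
        and 0 <= e["ts"] - change["ts"] <= WINDOW
        for e in events
    )

def detect(log_text):
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    alerts, suppressed = [], []
    for ev in events:
        if ev["action"] not in CHANGE_ACTIONS or not is_init_file(ev["path"]):
            continue
        if ev["exe"] in APPROVED_WRITERS:
            suppressed.append(ev)         # tuned out, but retained as evidence
            continue
        privileged = ev["user"] in PRIVILEGED_USERS or ev["path"] in SYSTEM_FILES
        alerts.append({**ev, "priority": "high" if privileged else "medium",
                       "shell_followed": shell_started_after(ev, events)})
    return alerts, suppressed
```

`detect(SAMPLE_LOG)` returns the alerts and, separately, the changes suppressed by the allowlist so that the record of what changed and when is not lost.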
Mitigation priorities
- Establish approved baselines for Linux shell initialization files on critical systems.
- Restrict write access to system-wide profile files and enforce least privilege for administrative accounts.
- Use file integrity monitoring or equivalent change-control evidence for sensitive Linux startup locations.
- Include shell initialization files in incident response persistence checks and recovery validation.
- Maintain sufficient audit and endpoint log retention to support investigation of who changed the file and what executed afterward.
Analyst notes and limits
This Glexia take is based on the supplied ATT&CK analytic AN0312 for Linux detection of changes or execution of shell initialization scripts such as .bashrc, .profile, and /etc/profile for persistence. No ATT&CK relationships, tactics field, aliases, labels, or official detection logic were supplied, so recommendations focus on defensive validation rather than a specific rule.
The object is sparse: it identifies the platform and behavior but does not provide detection pseudocode, data sources, related techniques, mitigations, or threat actor context. Local system roles, administrative practices, shell usage, and logging coverage are required to determine severity, tuning, and operational priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5344e1c92ef2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0312
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.