MITRE ATT&CK® Technique

T1546.004: Unix Shell Configuration Modification

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. Unix shells execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH), a login shell is initiated. The login shell executes scripts from the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run with the privileges of the user whose shell sources them, so a modified system-wide file runs in every user’s sessions, including any root login; they are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash, the default shell for most GNU/Linux systems, as an example, adversaries may add commands that launch malicious binaries into /etc/profile and the files under /etc/profile.d.[1][2] These files typically require root permissions to modify and are executed each time any login shell on the system launches. With only user-level permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or ~/.profile, which are sourced when a user opens a command-line interface or connects remotely.[3][4] Since bash executes only the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution. Adversaries have also leveraged the ~/.bashrc file, which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.[5][3][6][7] Some malware targets the termination of a program to trigger execution; adversaries can use the ~/.bash_logout file to execute malicious commands at the end of a session.

For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When Terminal.app is opened, it launches a zsh shell that is both a login shell and an interactive shell. The login shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/zlogin.[8][9][10][11] The login shell then configures the user environment with ~/.zprofile and, after ~/.zshrc has been read, ~/.zlogin. The interactive shell uses ~/.zshrc to configure the user environment. Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/bashrc on startup.
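As an added illustration (example code written for this page, not taken from ATT&CK or any of the cited sources), the POSIX sh functions below reproduce bash's rule of sourcing only the first readable of ~/.bash_profile, ~/.bash_login and ~/.profile, and report which lower-precedence files a newly planted ~/.bash_profile silently shadows. The function names and the constructed temporary home directory are this example's own; nothing outside that directory is touched.

```shell
#!/bin/sh
# Added example: model bash's login-file precedence so the "first existing file
# wins" behaviour described above can be checked against a real directory.

# bash_login_file HOMEDIR: print the per-user file an interactive bash login
# shell would source for that home directory (first readable in bash's order),
# or nothing if none of the three exists.
bash_login_file() {
    for rel in .bash_profile .bash_login .profile; do
        if [ -r "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 0
}

# shadowed_files HOMEDIR: print every lower-precedence login file that exists
# but is no longer sourced because a higher-precedence one is present. A
# planted ~/.bash_profile on an account that only had ~/.profile therefore
# shows up here, which is also why the user's environment changes.
shadowed_files() {
    chosen=$(bash_login_file "$1")
    [ -n "$chosen" ] || return 0
    seen=0
    for rel in .bash_profile .bash_login .profile; do
        f="$1/$rel"
        if [ "$f" = "$chosen" ]; then
            seen=1
            continue
        fi
        [ "$seen" -eq 1 ] && [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Demonstration on a constructed home directory (assumption: a user who only
# ever had ~/.profile, then gains an attacker-created ~/.bash_profile).
demo() {
    home=$(mktemp -d)
    printf '# user settings\nexport EDITOR=vim\n' > "$home/.profile"
    echo "before: bash would source $(bash_login_file "$home")"
    : > "$home/.bash_profile"    # contents deliberately omitted
    echo "after:  bash would source $(bash_login_file "$home")"
    echo "now skipped: $(shadowed_files "$home")"
    rm -rf "$home"
}
demo
```

During triage, the shadowing check is a useful secondary indicator: a ~/.bash_profile that appears on an account which previously relied on ~/.profile changes that user's PATH, aliases and prompt, and that change is often what a user first reports.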

Enterprise | T1546.004 | Sub-technique | Object v2.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Unix shell startup and logout files are small but business-relevant persistence points on Linux and macOS. If an attacker can modify files such as /etc/profile, profile.d content, bash/zsh user profiles, rc files, or logout scripts, malicious commands can run whenever a user opens a shell, logs in remotely, starts an interactive session, or exits. For leaders, the key issue is not the shell file itself; it is whether administrative workstations, servers, developer systems, and macOS endpoints have enough file-integrity visibility and permission control to prove these trusted startup paths have not been abused.

Executive priority

Prioritize this technique where Linux or macOS systems support critical operations, remote administration, development, cryptocurrency or AI workloads, or regulated evidence collection. ATT&CK maps this behavior to persistence and privilege escalation, and relates it to observed campaign, group, and malware contexts including ShadowRay, Contagious Interview, Linux Rabbit, XCSSET, Green Lambert, RotaJakiro, and PHASEJAM. The executive question is: can the organization rapidly identify unauthorized changes to shell configuration files and explain who changed them, when, and under what privilege level? This supports incident scoping, least-privilege governance, audit readiness, and recovery confidence.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring for Linux and macOS shell configuration paths described by ATT&CK: /etc/profile, /etc/profile.d, /etc/bashrc, /etc/zshenv, /etc/zprofile, /etc/zlogin, /etc/zlogout, ~/.bash_profile, ~/.bash_login, ~/.profile, ~/.bashrc, ~/.bash_logout, ~/.zprofile, ~/.zlogin, ~/.zshrc, and ~/.zlogout. Focus on unauthorized content changes, suspicious new commands that launch binaries or scripts, changes made by unexpected users or processes, and modifications followed by shell, SSH, Terminal.app, or interactive session activity. Treat this as an event-triggered execution problem under T1546: the file write is only part of the story; the defensive value comes from connecting the modification to later shell-triggered execution.

Likely telemetry

  • File creation, modification, ownership, and permission changes for system-level and user-level shell configuration files
  • Endpoint file integrity monitoring on Linux and macOS, including Apple Endpoint Security Framework-style file monitoring where available
  • Process execution telemetry showing editors, scripts, package tools, shells, SSH sessions, Terminal.app, or other processes modifying shell startup/logout files
  • Authentication and session telemetry for local shell launches, remote logins such as SSH, and interactive shell creation
  • Command-line and parent/child process context around shells that execute newly added commands or launch unexpected binaries

Detection direction

  • Implement or validate coverage aligned to ATT&CK detection strategy DET0020 for shell configuration modification used for persistence via event-triggered execution.
  • Tune alerts around sensitive shell configuration paths, with higher priority for system-wide files under /etc because they typically affect all users and generally require elevated permissions to modify.
  • Monitor user home directory shell profiles as well; user-level persistence may not require root and can be missed if detection only watches /etc paths.
  • Correlate file modification events with subsequent shell/session starts, because execution may occur later when a login shell, interactive shell, remote connection, Terminal.app session, or logout event triggers the file.
  • Reduce false positives by baselining legitimate administrative edits, software installation activity, shell customization, and managed configuration changes, but preserve enough detail for investigation.

Mitigation priorities

  • Apply M1022 Restrict File and Directory Permissions: remove unnecessary write permissions on sensitive shell configuration files and directories.
  • Enforce least privilege for users, groups, and processes that can modify system-wide shell startup files.
  • Use managed configuration and change-control evidence for approved edits so SOC teams can distinguish authorized administration from suspicious persistence.
  • Protect both global configuration locations and user home directory shell files; system-only hardening leaves a user-level persistence gap.
  • Regularly validate file ownership and permissions for shell configuration files as part of Linux and macOS endpoint/server hardening.
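To make the technical view, detection direction and mitigation priorities above concrete, here is an added example (written for this page; it is not ATT&CK, Glexia or any vendor tooling) that audits the listed startup and logout files in POSIX sh on Linux or macOS: ownership and world-writability per M1022, recent modification, and a grep for content typical of planted launchers. The pattern list, the seven-day window, the extra /etc/bash.bashrc and /etc/zshrc paths, and the constructed sample files are this example's assumptions, not ATT&CK content.

```shell
#!/bin/sh
# Added example: portable audit of Unix shell startup/logout files for the
# T1546.004 persistence points named on this page. Heuristic, not a rule.

RECENT_DAYS=7
# Content typical of injected persistence: download piped to a shell, decoded
# payloads, /dev/tcp reverse shells, nohup'd launchers, binaries under /tmp.
# (Assumption: a starting point to tune, per the baselining advice above.)
SUSPICIOUS_RE='(curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh|base64[[:space:]]+(-d|--decode)|/dev/tcp/|nohup[[:space:]]|/tmp/[^[:space:]]+|nc[[:space:]]+(-e|-c)[[:space:]]|python[23]?[[:space:]]+-c[[:space:]]'

# System-wide files from the description plus /etc/bash.bashrc (Debian family)
# and /etc/zshrc (assumption: common, not in the ATT&CK list).
SYSTEM_FILES='/etc/profile /etc/profile.d /etc/bashrc /etc/bash.bashrc /etc/zshenv /etc/zprofile /etc/zlogin /etc/zshrc /etc/zlogout'
# Per-user files, relative to a home directory.
USER_FILES='.bash_profile .bash_login .profile .bashrc .bash_logout .zshenv .zprofile .zlogin .zshrc .zlogout'

# suspicious_lines FILE: print "lineno:text" for each matching line.
suspicious_lines() {
    grep -nE "$SUSPICIOUS_RE" "$1" 2>/dev/null
    return 0
}

# file_findings FILE EXPECTED_OWNER: one finding per line for a regular file.
# Uses find(1) predicates because stat(1) flags differ between GNU and BSD.
file_findings() {
    f=$1; owner=$2
    [ -f "$f" ] || return 0
    [ -n "$(find "$f" -maxdepth 0 -perm -002)" ] && echo "$f: world-writable"
    [ -n "$(find "$f" -maxdepth 0 ! -user "$owner")" ] && echo "$f: not owned by $owner"
    [ -n "$(find "$f" -maxdepth 0 -mtime -"$RECENT_DAYS")" ] && echo "$f: modified within $RECENT_DAYS days"
    suspicious_lines "$f" | while IFS= read -r hit; do
        echo "$f: suspicious content at $hit"
    done
    return 0
}

# audit_path PATH EXPECTED_OWNER: a file, or a directory such as
# /etc/profile.d whose regular files are all sourced by /etc/profile.
audit_path() {
    p=$1; owner=$2
    if [ -d "$p" ]; then
        [ -n "$(find "$p" -maxdepth 0 -perm -002)" ] && echo "$p: world-writable directory"
        for g in "$p"/*; do [ -f "$g" ] && file_findings "$g" "$owner"; done
    else
        file_findings "$p" "$owner"
    fi
    return 0
}

# audit_home HOMEDIR USER: every per-user startup file for one account.
audit_home() {
    for rel in $USER_FILES; do audit_path "$1/$rel" "$2"; done
}

# audit_system: system-wide files must be root-owned and not world-writable.
audit_system() {
    for p in $SYSTEM_FILES; do audit_path "$p" root; done
}

# Demonstration on a constructed home directory so the example runs offline;
# a real run would call audit_system and audit_home per account in /etc/passwd.
demo() {
    home=$(mktemp -d)
    printf 'export PATH="$HOME/bin:$PATH"\nalias ll="ls -l"\n' > "$home/.bashrc"
    # Constructed: an appended launcher of the kind the technique describes.
    printf 'nohup /tmp/.x/updater >/dev/null 2>&1 &\n' >> "$home/.bashrc"
    chmod o+w "$home/.bashrc"
    audit_home "$home" "$(id -un)"
    rm -rf "$home"
}
demo
```

Run audit_system as root and audit_home for each account that has a login shell in /etc/passwd, and feed the output to whatever ticketing or SIEM path the team already uses for file-integrity findings. The "modified within N days" line is only a prompt to pull the matching file-write event from auditd, the Endpoint Security Framework monitor or the EDR and tie it to the process, user and session that made the change; expect baseline hits from version managers and prompt frameworks that legitimately append to these files.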

Analyst notes and limits

This ATT&CK object is a sub-technique of T1546 Event Triggered Execution and is scoped to Linux and macOS. ATT&CK does not provide an official detection text for this object, but it does provide a related detection strategy, DET0020, and mitigation M1022. Relationship context shows use by multiple ATT&CK-tracked software entries and one campaign/group context, which increases defensive relevance but should not be interpreted as proof of current activity in any specific environment.

This take is based only on the supplied ATT&CK STIX fields, external references, and relationships. It does not establish active exploitation, customer exposure, or guaranteed detection coverage. Local shell usage, endpoint tooling, administrative workflows, and logging depth determine which telemetry and controls are actually available.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1546 | Event Triggered Execution | This object is a sub-technique of Event Triggered Execution.
Enterprise | T1156 | Malicious Shell Modification | Malicious Shell Modification was revoked and replaced by this object.
Associated objects

Groups, software, and campaigns

Malware Enterprise

S1078: RotaJakiro

RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architecture to extend capabilities. RotaJakiro can determine its permission level and execute according to access type (`root` or `user`).[1][2]

Linux
Malware Enterprise

S0362: Linux Rabbit

Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.[1]

Linux
Malware Enterprise

S0690: Green Lambert

Green Lambert is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in 2017, the Windows variant of Green Lambert may have been used as early as 2008; a macOS version was uploaded to a multiscanner service in September 2014.[1][2]

Windows, iOS, macOS
Malware Enterprise

S9014: PHASEJAM

PHASEJAM is a dropper written as a bash shell script that modifies Ivanti Connect Secure appliance components. PHASEJAM was first reported in January 2025. PHASEJAM has previously been leveraged by People's Republic of China (PRC)-affiliated actors identified as UNC5221 and SYLVANITE.[1][2]

Linux, Network Devices
Malware Enterprise

S0658: XCSSET

XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when the project is compiled. Active since August 2020, it has been observed installing backdoors, spoofed browsers, collecting data, and encrypting user files. It is composed of SHC-compiled shell scripts and run-only AppleScripts, often hiding in apps that mimic system tools (such as Xcode, Mail, or Notes) or use familiar icons (like Launchpad) to avoid detection.[1][2][3]

macOS
Campaign Enterprise

C0045: ShadowRay

ShadowRay was a campaign that began in late 2023 targeting the education, cryptocurrency, biopharma, and other sectors through a vulnerability (CVE-2023-48022) in the Ray AI framework; the campaign was named ShadowRay. According to security researchers, ShadowRay was the first known instance of AI workloads being actively exploited in the wild through vulnerabilities in AI infrastructure. CVE-2023-48022, which allows access to compute resources and sensitive data for exposed instances, remains unpatched and has been disputed by the vendor, who maintain that Ray is not intended for use outside of a strictly controlled network environment.[1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release
19.1
Object version
2.2
Created
Modified
Raw hash
1084ba9fecfe23bf...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.2 | | Current bundle | 1084ba9fecfe…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] intezer-kaiji-malware: Paul Litvak. (2020, May 4). Kaiji: New Chinese Linux malware turning to Golang. Retrieved December 17, 2020.
[2] bencane blog bashrc: Benjamin Cane. (2013, September 16). Understanding a little more about /etc/profile and /etc/bashrc. Retrieved September 25, 2024.
[3] anomali-rocke-tactics: Anomali Threat Research. (2019, October 15). Illicit Cryptomining Threat Actor Rocke Changes Tactics, Now More Difficult to Detect. Retrieved December 17, 2020.
[4] Linux manual bash invocation: ArchWiki. (2021, January 19). Bash. Retrieved February 25, 2021.
[5] Tsunami: Claud Xiao and Cong Zheng. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved December 17, 2020.
[6] anomali-linux-rabbit: Anomali Threat Research. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved December 17, 2020.
[7] Magento: Cesar Anjos. (2018, May 31). Shell Logins as a Magento Reinfection Vector. Retrieved December 17, 2020.
[8] ScriptingOSX zsh: Armin Briegel. (2019, June 5). Moving to zsh, part 2: Configuration Files. Retrieved February 25, 2021.
[9] PersistentJXA_leopitt: Leo Pitt. (2020, August 6). Persistent JXA - A poor man's Powershell for macOS. Retrieved January 11, 2021.
[10] code_persistence_zsh: Leo Pitt. (2020, November 11). Github - PersistentJXA/BashProfilePersist.js. Retrieved January 11, 2021.
[11] macOS MS office sandbox escape: Cedric Owens. (2021, May 22). macOS MS Office Sandbox Brain Dump. Retrieved August 20, 2021.
[12] ESF_filemonitor: Patrick Wardle. (2019, September 17). Writing a File Monitor with Apple's Endpoint Security Framework. Retrieved December 17, 2020.
[13] mitre-attack: T1546.004 entry on attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.