MITRE ATT&CK Technique
Description
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately. Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the <code>/etc/profile</code> and <code>/etc/profile.d</code> files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into <code>~/.bash_profile</code>, <code>~/.bash_login</code>, or <code>~/.profile</code> which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used <code>~/.bash_profile</code> to ensure execution. Adversaries have also leveraged the <code>~/.bashrc</code> file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the <code>~/.bash_logout</code> file to execute malicious commands at the end of a session. For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using <code>/etc/profile</code>, <code>/etc/zshenv</code>, <code>/etc/zprofile</code>, and <code>/etc/zlogin</code>.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with <code>~/.zprofile</code> and <code>~/.zlogin</code>. The interactive shell uses the <code>~/.zshrc</code> to configure the user environment. Upon exiting, <code>/etc/zlogout</code> and <code>~/.zlogout</code> are executed. For legacy programs, macOS executes <code>/etc/bashrc</code> on startup.
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-01-24T14:13:45.936Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may establish persistence through executing '
'malicious commands triggered by a user’s shell. User [Unix '
'Shell](https://attack.mitre.org/techniques/T1059/004)s '
'execute several configuration scripts at different points '
'throughout the session based on events. For example, when a '
'user opens a command-line interface or remotely logs in (such '
'as via SSH) a login shell is initiated. The login shell '
'executes scripts from the system (<code>/etc</code>) and the '
'user’s home directory (<code>~/</code>) to configure the '
'environment. All login shells on a system use /etc/profile '
'when initiated. These configuration scripts run at the '
'permission level of their directory and are often used to set '
'environment variables, create aliases, and customize the '
'user’s environment. When the shell exits or terminates, '
'additional shell scripts are executed to ensure the shell '
'exits appropriately. \n'
'\n'
'Adversaries may attempt to establish persistence by inserting '
'commands into scripts automatically executed by shells. Using '
'bash as an example, the default shell for most GNU/Linux '
'systems, adversaries may add commands that launch malicious '
'binaries into the <code>/etc/profile</code> and '
'<code>/etc/profile.d</code> files.(Citation: '
'intezer-kaiji-malware)(Citation: bencane blog bashrc) These '
'files typically require root permissions to modify and are '
'executed each time any shell on a system launches. For user '
'level permissions, adversaries can insert malicious commands '
'into <code>~/.bash_profile</code>, '
'<code>~/.bash_login</code>, or <code>~/.profile</code> which '
'are sourced when a user opens a command-line interface or '
'connects remotely.(Citation: anomali-rocke-tactics)(Citation: '
'Linux manual bash invocation) Since the system only executes '
'the first existing file in the listed order, adversaries have '
'used <code>~/.bash_profile</code> to ensure execution. '
'Adversaries have also leveraged the <code>~/.bashrc</code> '
'file which is additionally executed if the connection is '
'established remotely or an additional interactive shell is '
'opened, such as a new tab in the command-line '
'interface.(Citation: Tsunami)(Citation: '
'anomali-rocke-tactics)(Citation: '
'anomali-linux-rabbit)(Citation: Magento) Some malware targets '
'the termination of a program to trigger execution, '
'adversaries can use the <code>~/.bash_logout</code> file to '
'execute malicious commands at the end of a session. \n'
'\n'
'For macOS, the functionality of this technique is similar but '
'may leverage zsh, the default shell for macOS 10.15+. When '
'the Terminal.app is opened, the application launches a zsh '
'login shell and a zsh interactive shell. The login shell '
'configures the system environment using '
'<code>/etc/profile</code>, <code>/etc/zshenv</code>, '
'<code>/etc/zprofile</code>, and '
'<code>/etc/zlogin</code>.(Citation: ScriptingOSX '
'zsh)(Citation: PersistentJXA_leopitt)(Citation: '
'code_persistence_zsh)(Citation: macOS MS office sandbox '
'escape) The login shell then configures the user environment '
'with <code>~/.zprofile</code> and <code>~/.zlogin</code>. The '
'interactive shell uses the <code>~/.zshrc</code> to configure '
'the user environment. Upon exiting, <code>/etc/zlogout</code> '
'and <code>~/.zlogout</code> are executed. For legacy '
'programs, macOS executes <code>/etc/bashrc</code> on startup.',
'external_references': [{'external_id': 'T1546.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1546/004'},
{'description': 'Anomali Threat Research. (2018, '
'December 6). Pulling Linux '
'Rabbit/Rabbot Malware Out of a Hat. '
'Retrieved December 17, 2020.',
'source_name': 'anomali-linux-rabbit',
'url': 'https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat'},
{'description': 'Anomali Threat Research. (2019, '
'October 15). Illicit Cryptomining '
'Threat Actor Rocke Changes Tactics, '
'Now More Difficult to Detect. '
'Retrieved December 17, 2020.',
'source_name': 'anomali-rocke-tactics',
'url': 'https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect'},
{'description': 'ArchWiki. (2021, January 19). Bash. '
'Retrieved February 25, 2021.',
'source_name': 'Linux manual bash invocation',
'url': 'https://wiki.archlinux.org/index.php/Bash#Invocation'},
{'description': 'Armin Briegel. (2019, June 5). '
'Moving to zsh, part 2: Configuration '
'Files. Retrieved February 25, 2021.',
'source_name': 'ScriptingOSX zsh',
'url': 'https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/'},
{'description': 'Benjamin Cane. (2013, September 16). '
'Understanding a little more about '
'/etc/profile and /etc/bashrc. '
'Retrieved September 25, 2024.',
'source_name': 'bencane blog bashrc',
'url': 'https://web.archive.org/web/20220316014323/http://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/'},
{'description': 'Cedric Owens. (2021, May 22). macOS '
'MS Office Sandbox Brain Dump. '
'Retrieved August 20, 2021.',
'source_name': 'macOS MS office sandbox escape',
'url': 'https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a'},
{'description': 'Cesar Anjos. (2018, May 31). Shell '
'Logins as a Magento Reinfection '
'Vector. Retrieved December 17, 2020.',
'source_name': 'Magento',
'url': 'https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html'},
{'description': 'Claud Xiao and Cong Zheng. (2017, '
'April 6). New IoT/Linux Malware '
'Targets DVRs, Forms Botnet. '
'Retrieved December 17, 2020.',
'source_name': 'Tsunami',
'url': 'https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/'},
{'description': 'Leo Pitt. (2020, August 6). '
"Persistent JXA - A poor man's "
'Powershell for macOS. Retrieved '
'January 11, 2021.',
'source_name': 'PersistentJXA_leopitt',
'url': 'https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5'},
{'description': 'Leo Pitt. (2020, November 11). '
'Github - '
'PersistentJXA/BashProfilePersist.js. '
'Retrieved January 11, 2021.',
'source_name': 'code_persistence_zsh',
'url': 'https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js'},
{'description': 'Patrick Wardle. (2019, September '
'17). Writing a File Monitor with '
"Apple's Endpoint Security Framework. "
'Retrieved December 17, 2020.',
'source_name': 'ESF_filemonitor',
'url': 'https://objective-see.com/blog/blog_0x48.html'},
{'description': 'Paul Litvak. (2020, May 4). Kaiji: '
'New Chinese Linux malware turning to '
'Golang. Retrieved December 17, 2020.',
'source_name': 'intezer-kaiji-malware',
'url': 'https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/'}],
'id': 'attack-pattern--b63a34e8-0a61-4c97-a23b-bf8a2ed812e2',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'privilege-escalation'},
{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:49:15.960Z',
'name': 'Unix Shell Configuration Modification',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Robert Wilson', 'Tony Lambert, Red Canary'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS'],
'x_mitre_version': '2.2'}